IMY (Sweden) - IMY-2022-9109: Difference between revisions

From GDPRhub
Revision as of 13:30, 29 April 2024

IMY - IMY-2022-9109
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(2) GDPR
Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 22.05.2023
Published: 14.04.2024
Fine: n/a
Parties: MAG Interactive AB
National Case Number/Name: IMY-2022-9109
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: ec

The DPA issued a reprimand against a controller for requiring data subjects to log in to their game to request erasure and if they could not log in, asking data subjects to provide the usernames of three friends and three opponents in the game, which was unnecessary and disproportionate.

English Summary

Facts

A data subject in France requested the erasure of their personal data in the game QuizDuel by MAG Interactive AB (“controller”), a mobile gaming company based in Sweden. The data subject logged into the game via their Facebook account.

The controller replied by requesting additional information from the data subject for identification purposes, even though the data subject had provided their Facebook ID and email addresses in their request for erasure. The controller explained that neither the Facebook ID nor the three email addresses the data subject provided in their erasure request resulted in any hits on a direct search in the controller’s system. The controller furthermore explained that the easiest way for the data subject to request erasure was to download the game again and request erasure from within the game.

The data subject responded that they no longer had an account.

The controller then requested the following information to restore the data subject’s account and to enable the data subject to request the erasure of his personal data: (1) the username, (2) names of three friends, (3) names of three opponents and (4) an email address to link the account with.

The data subject replied and requested access to the information the controller had about them. The controller again informed the data subject it could not find the data subject’s account with the data subject’s Facebook ID and stated that the data subject could request access to personal data from within a game of the controller.

The data subject replied that they had played the game “QuizDuel” on Facebook and did not have an account with the controller and therefore could not request access from the account. The controller argued that the game never existed on Facebook but that the data subject may have logged in via Facebook on a mobile application. However, as this was the first time the data subject mentioned the game, the controller could use the game information to locate an account linked to one of the email addresses the data subject provided.

The data subject then received an email to confirm they wanted their account to be erased. The data subject replied and confirmed they owned the account and they wanted it erased. The controller then erased the account and informed the data subject of the erasure.

The data subject lodged a complaint against the controller at the French DPA. Given the cross-border nature of the processing, the Swedish DPA (“Integritetsskydds myndigheten”) made use of the cooperation and consistency mechanisms provided by the GDPR, as the controller was based in Sweden. The data subject asked to investigate whether the controller handled the data subject’s request for erasure correctly, whether the information that the controller requested was necessary to confirm the data subject’s identity and whether the controller sufficiently facilitated the exercise of the data subject’s rights in the GDPR.

The controller argued that it was difficult to locate the personal data of the data subject, as the account of the data subject had been closed for a long time and neither the email address from which the request came nor the Facebook ID was linked to any account with the controller. Moreover, since Facebook changed the way Facebook ID works for privacy reasons, the number that the controller received from Facebook is only linked to the controller and not linked to an individual’s Facebook account. The controller further argued that, as the case turned into an access request, it asked that the request be made from within the data subject’s account for privacy reasons, as user data may contain chat logs. To protect the privacy of data subjects' chat logs, accounts are password-protected, with password recovery via a provided email address. The controller argued that it is difficult to take action on requests when data subjects have forgotten their login details and cannot recover their account via email. Therefore, the controller asked the data subject to re-install the game, so that information on the phone and operating system could help the data subject recover their account. When the data subject refused to do this, the controller asked, as a last resort, for additional information (see the 4 points above) to verify the data subject's identity: information that the data subject should know and find easy to remember but that is difficult for others to know. The controller argued that the requested information is also not personally identifiable information and is already in the controller’s register.

The controller also explained that it will soon release a new process to handle such requests in case of missing account information in an easier way by requesting less information from the data subject.

Holding

Firstly, regarding the information requested, the DPA assessed whether the controller had reasonable grounds to doubt the identity of the data subject. The DPA pointed out that under Article 12(6) GDPR additional information may be requested if the controller has reasonable grounds to doubt the identity of the data subject. The DPA, in light of the controller’s argumentation, held that the controller had reasonable grounds to doubt the identity of the data subject. The DPA also took into account that the controller had an obligation to ensure the identity of the data subject making a request, to protect the data subject against someone else wrongly making requests in their name, leading to negative consequences for the data subject.

The DPA then stated that even if the controller had reasonable grounds, it should carry out a proportionality assessment to justify the verification method used, so as not to collect more personal data than necessary. The DPA found that at the time of the data subject’s erasure request, the controller only processed an email address linked to the data subject, the advertising ID of the data subject’s phone and the data subject’s username and password. The DPA therefore held that an erroneous deletion of the said data would not result in any major disadvantages or consequences for the data subject, and that the requirements for identification could thus be set relatively low. The DPA also stated that in the end, the controller was able to comply with the erasure request with only the email address linked to the user account. Thus, the DPA considered that asking for additional data in the form of the usernames of three friends and three opponents was neither necessary nor proportionate to confirm the identity of the data subject under Article 12(6) GDPR.

The DPA then examined whether requiring the data subject to log into their account and make their erasure request from within the game was compatible with Article 12(2) GDPR. The EDPB guidelines on right of access (01/2022) state that the controller may encourage the data subject to use a self-service tool, but that the controller must also deal with access requests that are not sent through the established communication channel. By requiring the data subject to log in to a game to send their requests, the controller did not facilitate the data subject’s exercise of their right to erasure.

The DPA therefore held that the controller was in breach of Article 12(2) GDPR.

The DPA found that the infringements were minor pursuant to Recital 148, because (1) the infringements found date back relatively far in time and (2) the controller did fully comply with the data subject’s request for erasure. Thus, the DPA issued a reprimand to the controller for breaching Article 12(2) GDPR and Article 12(6) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

MAG Interactive AB

Diary number: IMY-2022-9109
Date: 2023-05-22

Decision after supervision according to Article 60 of the data protection regulation - MAG Interactive AB

The Privacy Protection Authority's decision

The Swedish Privacy Protection Authority notes that MAG Interactive AB (556804-3524), in handling the request for erasure made by the complainant on January 31, 2021, has processed personal data in violation of:

- Article 12.6 of the Data Protection Regulation [1] by requesting information in the form of usernames of three friends and three opponents in the game QuizDuel when this was not necessary to confirm the complainant's identity, and

- Article 12.2 of the Data Protection Regulation by, after the complainant requested deletion by email, also requiring the complainant to log into the game in order to send their request from within the game, which has not facilitated the complainant's exercise of their right to erasure.

The Swedish Privacy Protection Authority gives MAG Interactive AB a reprimand according to article 58.2 b of the data protection regulation for the established violation.

Account of the supervisory matter

Handling

The Swedish Privacy Protection Authority (IMY) has started supervision of MAG Interactive AB (the company) due to a complaint, mainly to investigate whether the company has received and handled the complainant's request for deletion in a correct manner, i.a. whether the company had reasonable grounds to doubt the identity of the complainant and, in such case, whether the information requested from the complainant has been necessary to confirm the complainant's identity, and whether the company has facilitated the exercise of the complainant's rights to a sufficient extent (Articles 11, 12 and 17 of the Data Protection Regulation).

The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to article 56 of the data protection regulation. The handover has taken place from the supervisory authority in the country where the complainant has filed their complaint (France) in accordance with the regulation's provisions on cooperation in cross-border processing.

The proceedings at IMY have taken place through an exchange of letters. Given that the case concerns cross-border processing, IMY has used the mechanisms for cooperation and consistency found in Chapter VII of the Data Protection Regulation. The supervisory authorities concerned have been the data protection authorities of Denmark, France, Ireland, Norway, Poland, Germany and Austria.

[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).

Mailing address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Telephone: 08-657 61 00

The complaint

The complaint essentially states the following.

On January 31, 2021, the complainant requested the deletion of their personal data in the game QuizDuel, a game the complainant used through their Facebook account. The company then requested additional information from the complainant for identification purposes despite the fact that the complainant had stated their Facebook ID and email addresses in the request for deletion. The complainant has attached to the complaint email correspondence between the complainant and the company, from which the following, i.a., appears. On February 28, 2021, the company replied to the complainant that it was not able to locate the complainant's account using the complainant's Facebook ID and that the complainant needed to open any of the MAG Interactive games to make a request. The complainant replied to this that they no longer had a MAG Interactive account. On 11 March 2021, the company requested, i.a., the following information from the complainant for the purpose of restoring the complainant's account and thus enabling the complainant to request deletion of their personal data: username, names of three friends, names of three opponents and an email address to which they want to connect the account.

What the company has stated

In statements from November 4 and 7, 2022, the company essentially stated the following.

Description of the course of events surrounding the handling of the complainant's request for deletion

On January 31, 2021, the complainant contacted one of the company's support email addresses, provided a Facebook ID and three email addresses and requested to be deleted. At that time, given the information the support received, the company did not get any direct hits when searching the company's system, neither on the Facebook ID nor on any of the specified email addresses. The company's support responded on February 1, 2021 with instructions for how the complainant can request deletion from the game. The complainant made contact again on 8 February 2021 and said that they no longer had the game but wanted their data deleted. On February 9, the company's support replied that the easiest way is to download the game again and request deletion from within the game. On February 12, 2021, the complainant responded and announced that they instead wanted to know what information the company has about them. From this time the case was handled by the company as a request for access.

On February 13, 2021, the company's support responded that the complainant can request access from the game. The complainant made contact again on 20 February 2021 and had problems using their Facebook account. The complainant asked again if the company could find their account with their Facebook ID. On February 23, 2021, support replied that they did not find any account with the Facebook ID the complainant specified but that the complainant should be able to start any of the company's games and request the personal data from within a game.

On February 27, 2021, the complainant asked if the company had really tried to search for their Facebook ID. Support replied again on February 28, 2021 that they could not find an account for the Facebook ID the complainant entered, but that the complainant should be able to start any of the company's games and request access from within the game. On March 4, 2021, the complainant responded that they played "QuizDuel" on Facebook and do not have an account with MAG Interactive, and therefore cannot request access from there. This was probably a misunderstanding, since the game was never on Facebook, but the complainant may originally have logged in via a Facebook button, which was possible several years ago. It was the first time the complainant mentioned which game it concerned, which made it much easier to look for the data.

On March 11, 2021, support replied that they could not find the complainant's account through the Facebook ID but that they would try to help the complainant get into the account so that the complainant could request access or delete the account. By then the support had probably managed to locate an account linked to one of the email addresses the complainant provided, using the information about the game. Support then sent the standard questions the company asks when helping users log into their account if they have forgotten their credentials. The complainant never responded to that email and when enough time had passed the company closed the case.

On October 30, 2022, after the company's CTO received the case, the CTO located an account that could be connected to the complainant and emailed the complainant for confirmation that the account should be deleted. On November 6, 2022, the complainant responded and confirmed that they own the account and that the account should be deleted. On November 7, 2022, the complainant's account was deleted and the complainant was informed about it.

The company's processing of the complainant's personal data at the time of the complainant's request

At the time of the complainant's request for deletion, the company was processing an email address which is linked to the complainant and probably the advertisingId/vendorId from their phone, the complainant's username and password. Otherwise, the company did not process any other personal data of the complainant, as any chat history and IP number were deleted long ago due to the company's retention policy.

                               Why the company claims to have had reasonable grounds to doubt the identity of the complainant


                               The complainant provided in his deletion request a Facebook ID and three email addresses and
                               wrote that he used one of the company's apps on Facebook.


The company's games are played not on Facebook but on mobile phones, and he did not provide any surrounding information such as username, which game it was, or even that it was a game. The game which the complainant, according to later information, had played is so old that the company did not get any hits on the other email addresses either. The fact that the game to which the complainant's user account was linked has also been closed for a long time makes the account difficult to find by email address alone. Email addresses are public, and providing an email address is therefore not proof of ownership. The email address that the request came from was not linked to any account with the company, and neither was the Facebook ID provided. As for the other two email addresses, there was no proof that they were the complainant's email addresses.

The Facebook ID the complainant provided is not registered with the company. Facebook stopped using global user numbers many years ago for privacy reasons. In the company's service where users could log in via their Facebook account, which was shut down many years ago, the company does not see the same number as the one the complainant provides. The customer number the company received from Facebook is linked only to the company and cannot be linked by the company to a person's Facebook account.


With the knowledge of which game was concerned, which the company eventually obtained, the company was able to find the account to which one of the email addresses was linked. The company could then have sent an email to that email address in order to confirm the complainant's identity. However, this played no role in this case, as the case was changed on 13 February 2021 to an access request.


                                How the complainant would go about requesting erasure and subsequent access

Support initially suggested that the complainant request deletion directly from within the game because that is the easiest and safest way. It is normal for users to still have the game on their phone. In addition, on a reinstallation the company's game helps the user get back to the correct account. When support has difficulty finding an account using the user's information, it is therefore reasonable for them to suggest a reinstallation to reach the right account. Support can also delete data directly if ownership of the data can be substantiated. In the present case, the case turned into a request for access, and the company then normally wants the user to be logged into their account. The company has stated that, just as for requests for deletion, proof of ownership of the account is required to request access, for privacy reasons and in accordance with the data protection regulation. Since user data may contain chat logs, the handling of access requests is a little stricter than the handling of requests for deletion of user data. The company therefore requires that the request be made from within the player's account.

                                Information that has been requested for the purpose of confirming identity


The game the complainant had played was a game with user accounts. Games with user accounts often have chats where players can talk to each other. For privacy reasons, it is important that no one can read anyone else's chats. The accounts are therefore password protected. Users can enter an email address for password reset, but not all users do so, or they have since changed their email address.


One issue all online services grapple with is how to handle cases where users have forgotten their login details and the account cannot be restored via email. Some use security questions, where users fill in the name of their first pet or similar. In the company's case it is a bit more complicated, partly because the company does not want to ask users for more information than absolutely necessary, and partly because the game that the present case concerns has a user base built up since 2012 with 100 million users who have not entered any such information. When users have forgotten their login details and the account cannot be restored via email, the company resolves this by having the games make use of information on the phone and the operating system to help users back to their account, which is why support sometimes asks users to install the game, as support also appears to have done in this case.


When that does not work or, as in this case, when the user does not want to, support asks as a last resort for information that the player should know and that should be easy for a user to remember but difficult for others to know. This information is requested so that the company can ensure that it is the account holder to whom they grant access to the account. The information that support requests in such cases is as follows:

- The data subject's username.
  A piece of information that is assumed to be easy for most people to provide. However, it is also relatively easy for others to find out.

- Usernames of three of the data subject's in-game friends.
  Most people who play this game have some friends they have played with for years. This information should therefore also be easy to provide.

- Usernames of three of the data subject's opponents in the game.
  This information is often a bit more difficult to provide, but for users who mostly play against random players and do not add friends it is necessary information.


                                Support also asked which email address the user wanted to link the account to.
                                This is so that the complainant can log in and request their user data from within
                                the game.


The information is normally to be provided by email in the ongoing support dialogue. It is not a requirement that all answers are right; instead an assessment is made based on how right or wrong the answers are. The company also does not ask for personally identifiable information, only for usernames, which are normally anonymous/pseudonymous and which are already in the company's records. The only personally identifiable information is the email address the user wants to connect to the account. If the user answers well enough that the company considers that the user actually owns the account, support sets the email address for recovery. The user can then set a new password and log in.


The company is continuously working on improving its support tools and will soon release a new version in which this particular scenario can be handled and which should make it easier for support to find users even with very limited information. Support has instructions to delete the user's account directly if the email address on the account matches the user's email address, and otherwise to help the user delete the account through the game. In this case a third solution is conceivable: the company emails a link to the linked account and the user confirms deletion via the link to verify their identity. The company intends to add such an option.

                                The complainant's account has been deleted


The complainant's request for erasure has now been granted. The company emailed the complainant on 30 October 2022 at both the email address he used in the support matter and the email address they found when searching. The company's CTO asked the complainant to reply from that email address. A reply was received from the complainant on November 6, 2022 confirming that the complainant owns the account. The company's CTO subsequently deleted the complainant's account and informed the complainant of this.


                                Justification of the decision

                                Applicable regulations, etc.


According to Article 17.1, the data subject shall have the right to have their personal data deleted by the personal data controller without undue delay, and the personal data controller shall be obliged to delete personal data without undue delay if any of the prerequisites listed in the article exist, for example if the data are no longer necessary for the purposes for which they were collected or if consent to the processing is withdrawn.


Article 11.1 states that if the purposes for which the personal data controller processes personal data do not require or no longer require that the data subject is identified by the personal data controller, the personal data controller shall not be required to retain, acquire or process additional information in order to identify the data subject only for the purpose of complying with this regulation.


According to Article 11.2, if the personal data controller, in the cases referred to in paragraph 1 of this article, can show that it is not in a position to identify the data subject, the personal data controller shall, if possible, inform the data subject of this. In such cases, Articles 15–20 shall not apply, except when the data subject, in order to exercise their rights under these articles, provides further information that makes identification possible.


Article 12.6 states that, without prejudice to the application of Article 11, the personal data controller may, if it has reasonable grounds to doubt the identity of the natural person who submits a request under Articles 15-21, request that additional information necessary to confirm the identity of the data subject be provided.



According to Article 12.2, the personal data controller must facilitate the exercise of the data subject's rights in accordance with Articles 15–22. In the cases referred to in Article 11.2, the personal data controller may not refuse to accommodate the data subject's request to exercise their rights under Articles 15-22, unless the personal data controller shows that it is not in a position to identify the data subject.

The European Data Protection Board's (EDPB) Guidelines 01/2022 on access² state, among other things, the following.

    53. The European Data Protection Board calls on controllers to provide the most appropriate and user-friendly communication channels, in accordance with Articles 12.2 and 25 of the data protection regulation, so that data subjects can make an effective request. If the data subject makes a request using a communication channel provided by the personal data controller which is different from the one indicated as preferred, such a request shall generally be deemed effective, and the personal data controller should process such a request accordingly (see examples below). Personal data controllers should take all reasonable steps to ensure that the exercise of data subjects' rights is facilitated (if, for example, the data subject sends a request to an employee who is on leave, an automatic notification to the data subject of an alternative communication channel for the request could be a reasonable effort).³



² EDPB, Guidelines 01/2022 on data subject rights – Right of access, Version 2.0 (EDPB's Guidelines 01/2022 on the right to access), finally adopted on 28 March 2023.
³ IMY's translation, original: The EDPB encourages controllers to provide the most appropriate and user-friendly communication channels, in line with Art. 12(2) and Art. 25 GDPR, to enable the data subject to make an effective request. Nevertheless, if a data subject makes a request using a communication channel provided by the controller, which is different from the one indicated as the preferable one, such request shall be, in general, considered effective and the controller should handle such a request accordingly (see the examples below). The controllers should undertake all reasonable efforts to make sure that the exercise of data subject rights is facilitated (for example, when a data subject sends an access request to an employee who is on leave, an automatic message informing the data subject about an alternative communication channel for this request could be a reasonable effort).

    […]

    67. In cases where the personal data controller requests or receives from the data subject additional information necessary to confirm the identity of the data subject, the personal data controller must each time assess which information will enable it to confirm the identity of the data subject and possibly ask the requesting person additional questions or request that the data subject provide additional identification data, if it is proportionate (see section 3.3).⁴

    68. To allow the data subject to provide the additional information required to identify his or her personal data, the personal data controller shall inform the data subject of the type of additional information required to enable identification. Such additional information should not be more than the information originally needed for the authentication of the data subject. In general, the fact that the controller may request additional information to assess the identity of the data subject cannot lead to excessive demands and to the collection of personal data that is not relevant or necessary to strengthen the connection between the individual and the personal data requested.⁵

    […]

    70. If the personal data controller has reasonable grounds to doubt the requesting person's identity, it may, as stated above, request additional information to confirm the identity of the data subject. However, the personal data controller must at the same time ensure that it does not collect more personal data than is necessary to enable authentication of the requesting person. The personal data controller should therefore make a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context in which the request is made, as well as any damage that may occur as a result of improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an appropriate level of security during processing.⁶

⁴ IMY's translation, original: In cases where the controller requests or is provided by the data subject with additional information necessary to confirm the identity of the data subject, the controller shall, each time, assess what information will allow it to confirm the data subject's identity and possibly ask additional questions to the requester person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3).
⁵ IMY's translation, original: In order to allow the data subject to provide the additional information required to identify his or her data, the controller should inform the data subject of the nature of the additional information required to allow identification. Such additional information should not be more than the information initially needed for the authentication of the data subject. In general, the fact that the controller may request additional information to assess the data subject's identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.
⁶ IMY's translation, original: As indicated above, if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject's identity. However, the controller must at the same time ensure that it does not collect more personal data than is necessary to enable authentication of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.






                                   […]


    138. The use of self-service tools should never limit the scope of personal data received. If it is not possible to provide all information according to Article 15 through the self-service tool, the remaining information must be provided in another way. The controller may encourage the data subject to use a self-service tool that the controller has set up to handle requests for access. However, it should be noted that the personal data controller must also handle access requests that are not sent through the established communication channel.⁷


                                The Swedish Privacy Authority's assessment


                                Based on the current complaint in the case, IMY has reviewed the company's
                                action in this individual case.


                                Has the company been able to identify the complainant?


The company has stated that, based on the information in the complainant's request for deletion on 31 January 2021, the company was unable to identify the data subject. According to the company, the information the complainant provided in the request did not yield any hits in a direct search of the company's systems, neither on the Facebook ID nor on any of the email addresses provided by the complainant. The company's statement further indicates that when the company on March 4, 2021 received information about which game the complainant's request referred to, it was able to find an account with which one of the email addresses provided by the complainant was associated. Against this background, IMY notes that the company could, at least on March 4, 2021, connect the complainant's request to a user account, and identification of the complainant was thereby possible. IMY therefore assesses that the complainant, in accordance with Article 11.2 of the data protection regulation, provided such additional information as made identification possible. The company has thus not shown that it was unable to identify the data subject, and it therefore could not refuse to accommodate the data subject's request to exercise their rights under Article 12.2 of the data protection regulation.


Has the company acted in accordance with Article 12.6 of the data protection regulation when the company requested the information in question from the complainant?


Has the company had reasonable grounds to doubt the identity of the complainant?


It is only when the personal data controller has reasonable grounds to doubt the identity of the person who made the request that additional information to confirm the identity may be requested. What constitutes "reasonable grounds" in Article 12.6 of the data protection regulation should be assessed based on the circumstances of the individual case. The assessment of whether there are reasonable grounds in an individual case to doubt the identity of the person making the request is normally made in light of the information provided in connection with the request. This applies especially in situations where the personal data controller lacks further knowledge about this person. However, the fact that an individual assessment is required does not preclude the establishment of routines for how the personal data controller normally verifies the data subject's identity.

⁷ IMY's translation, original: The use of self-service tools should never limit the scope of personal data received. If not possible to give all the information under Art. 15 through the self-service tool, the remaining information needs to be provided in a different manner. The controller may indeed encourage the data subject to use a self-service tool that the controller has set in place for handling access requests. However, it should be noted that the controller must also handle access requests that are not sent through the established channel of communication.


From the appendix to the complaint, it appears that the complainant provided the following information when he requested deletion on January 31, 2021: a Facebook ID and three email addresses, and one email address from which the email with the request was sent.


The company has stated that at the time of the complainant's request for deletion it was processing an email address associated with the complainant and probably also the advertisingId/vendorId from the complainant's phone, as well as the complainant's username and password.


The company has been given the opportunity to explain the individual assessment that was made on the basis of the complainant's situation, if it considered that it had reasonable grounds to doubt the complainant's identity when he made his request. The company has essentially stated the following.

The company's games are not played on Facebook but on mobile phones, which is why the Facebook ID did not contribute to verifying the complainant's identity. Email addresses are public, and providing one is no proof of ownership. Neither the email address the request came from nor the Facebook ID provided was linked to any account with the company. The complainant did not provide any surrounding information, such as username, which game it concerned or even that it was a game. The game that the complainant, according to later information, had played was so old that the company did not get any hits on the other email addresses provided in the request either. Using the information the company received on 4 March 2021 from the complainant about the game in question, the company found a user account linked to one of the email addresses provided by the complainant.

In light of what the company stated and the information the complainant provided in his request for deletion, IMY finds that the company had reasonable grounds to doubt the identity of the complainant. In its assessment, IMY also takes into account that the obligation to ensure the identity of the person making the request also aims to protect data subjects against someone else falsely making requests on their behalf, which may lead to negative consequences for the data subject.

Has the information the company requested from the complainant been necessary to confirm his identity?

Even if the personal data controller has reasonable grounds to doubt the identity of the data subject, the personal data controller shall not collect more personal data than is necessary to enable identification of the requesting data subject. The personal data controller must carry out a proportionality assessment and be able to justify the verification method used.

The company has stated that the request was changed to an access request on March 4, 2021 and that the company then demanded that the request be made from within the player's account. Since user data may contain chat logs, the handling of a request for access is a little stricter than the handling of a request for deletion of user data, the company has stated. Regarding the necessity of the information requested from the complainant in order to confirm his identity, the company has essentially stated the following. The username is requested because it is information that is assumed to be easy for most people to provide. It is, however, information that is relatively easy for others to find out. Usernames of three friends in the game are requested because most people who play this game have some friends they have played with for years. That information should therefore be easy to provide. Usernames of three opponents in the game are more difficult to provide, but for people who mostly play against random players and do not add friends it is necessary information to request. It is not a requirement that the requester is right on all questions; instead a judgment is made based on how right or wrong the answers are.


                                IMY notes that the material the company has submitted, consisting of
                                email correspondence between the complainant and the company, shows that the complainant has not
                                waived his request for erasure. The email correspondence, in particular the email that
                                was sent by the MAG Support Team on March 11, 2021, further shows that the
                                information in question was requested by the company in order for the complainant to gain access to the account for the
                                purpose of requesting deletion. The company's claim that the complainant's request for deletion
                                had been changed to a request for access, and that it requested
                                the data intended to identify the complainant only in connection with a request for access, can
                                therefore be disregarded. The company did request further information from
                                the complainant in order to confirm the complainant's identity, but IMY assesses that it is clear
                                that it is still a request for erasure that the complainant wants to have
                                accommodated. It also appears that the company requested the information in question
                                in connection with the complainant's request for erasure.


                                Regarding the information the company requested from the complainant, IMY states the
                                following. The EDPB's guidelines on the right of access state, among other things, that the
                                controller must take into account in the proportionality assessment the type
                                of personal data processed (e.g. special categories of data or not),
                                the nature of the request, the context in which the request is made and any damage that may
                                arise as a result of improper disclosure. At the time of the complainant's request,
                                the company processed only an email address linked to the complainant as well as the
                                advertisingId/vendorId from their phone, the complainant's username and password.
                                According to IMY, an incorrect deletion of that data would not entail any major
                                disadvantages or consequences for the complainant. The requirements for identification could therefore
                                be set relatively low. It has also been shown that correct answers to all questions were not
                                required and that the complainant's identity could later be confirmed by another
                                identification method that required significantly less data. A confirmation that it is
                                the complainant's user account, sent from the email address linked to the user account,
                                was deemed sufficient to confirm the complainant's identity and accommodate the request
                                on November 7, 2022.


                                IMY therefore assesses, taking into account the nature of the request, the type of personal data
                                that was processed and the identification method that was later used, that the data in the
                                form of the usernames of three friends and three opponents cannot be considered to have been
                                necessary or proportionate to confirm the identity of the complainant in accordance
                                with Article 12.6 of the Data Protection Regulation.


                                Has the company made it easier for the complainant to exercise his right to erasure according to Article
                                12.2 of the Data Protection Regulation?


                                The next question is whether it has been consistent with Article 12.2 of the Data Protection Regulation to
                                require the complainant to log into their account and make their request from within the game.


                                The company has essentially stated the following. If the user can answer well enough that the company
                                assesses that the user owns the account, support sets the email address for recovery.
                                The player can then set a new password and log in. Because the matter in the
                                present case had turned into a request for access, the company normally wants
                                the user to be logged in to their account to make the request.

                                As IMY noted in the section above, it is clear from the documentation the company
                                submitted that the complainant has not waived his request for deletion and that the company
                                requested the information in question in order for the complainant to access the account for the
                                purpose of requesting deletion from within the game.

                                The EDPB's guidelines on the right of access state, among other things, that the controller can
                                encourage the data subject to use a self-service tool but that the
                                controller must also handle requests for access that are not
                                sent via the established communication channel. By requiring that the complainant,
                                whose request for deletion the company had already received, must, after answering questions
                                whose purpose was to confirm his identity, log into a game in order to
                                send his request from within it, the company has not made it easier for the complainant to exercise his right to
                                deletion. IMY therefore assesses that the company acted in violation of Article 12.2 of the
                                Data Protection Regulation.


                                Has the complainant's request for erasure pursuant to Article 17 of the Data Protection Regulation
                                been accommodated?

                                The complaint states that the complainant requested deletion on January 31, 2021 and that
                                the request had not been satisfied at the time of the complaint. The company has stated that
                                on 7 November 2022, after email correspondence with the complainant on 30
                                October and 6 November 2022, it deleted the complainant's data and that the complainant
                                has been informed of this. Since the complainant's request for erasure has now been granted,
                                there is no reason to investigate the matter further in that part.


                                Choice of intervention

                                It follows from Articles 58.2 i and 83.2 of the Data Protection Regulation that IMY has the authority
                                to impose administrative fines in accordance with Article 83. Depending on
                                the circumstances of the individual case, administrative fines are to be imposed
                                in addition to or instead of the other measures referred to in Article 58.2, such as
                                injunctions and prohibitions. Furthermore, Article 83.2 states which factors must be
                                taken into account when deciding whether administrative fines are to be imposed and when
                                determining the amount of the fine. In the case of a minor violation, IMY may,
                                as set out in recital 148, issue a reprimand under Article 58.2 b instead of imposing
                                a fine. Consideration must be given to aggravating and mitigating
                                circumstances of the case, such as the nature, severity and duration of the infringement
                                as well as previous violations of relevance.


                                IMY notes the following relevant circumstances. The current supervision concerns
                                MAG Interactive AB's handling of an individual complainant's request for deletion, and the
                                violations found lie relatively far back in time (2021). MAG
                                Interactive AB has now also satisfied the complainant's request for deletion in full. Against
                                this background, IMY finds that these are minor violations in the
                                sense referred to in recital 148, which means that MAG Interactive AB must be given a
                                reprimand under Article 58.2 b of the Data Protection Regulation for the
                                violations found.

                                ________________________________________________

                                This decision has been taken by the special decision maker lawyer Evelin Palmér after
                                presentation by the lawyer Anna Mlynska.

                                Evelin Palmér, 2023-05-22 (This is an electronic signature)

                                 How to appeal


                                 If you want to appeal the decision, you must write to IMY. State in the letter which decision you are
                                 appealing and the change you request. The appeal must have been received by IMY
                                 no later than three weeks from the day you received the decision. If the appeal has been received
                                 in time, IMY forwards it to the Administrative Court in Stockholm for consideration.

                                 You can e-mail the appeal to IMY if it does not contain any privacy-sensitive
                                 personal data or information that may be subject to confidentiality. The authority's
                                 contact details appear on the first page of the decision.