Lensway – Complaint Upheld (Sweden, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Lensway required customers to send copies of their IDs and social security numbers by mail to delete their data. The Swedish DPA found this practice excessive and upheld complaints from customers in Finland and Denmark. This case shows the need for businesses to simplify data deletion processes.
What happened
Lensway demanded customers provide ID copies and social security numbers by mail to process data deletion requests.
Who was affected
Customers in Finland and Denmark who wanted Lensway to erase their personal data.
What the authority found
The Swedish DPA found Lensway's requirement for additional personal data excessive and not in line with GDPR's facilitation of data rights.
Why this matters
The ruling highlights that businesses should not impose unnecessary hurdles for customers seeking to exercise their data rights. Companies should ensure their data deletion processes are straightforward and GDPR-compliant.
GDPR Articles Cited
Two data subjects had customer relationship with Lensway (controller). In february and June 2020 they requested erasure of their data. To comply with the request, the controller required the data subjects to provide, by regular mail, a copy of an identity document and a written and signed form. In one case, also the data subject's social security number. The data subjects respectively filed complaints with the supervisory authorities of Finland and Denmark which handed them over to the Swedish DPA (IMY) according to Article 56 GDPR in its quality of lead supervisory authority. In its defense, the controller stated that it could not identify the data subjects with other means. Requesting identity documents was therefore necessary to comply with the erasure requests. It added that the use of regular mail was necessary to ensure that they received the original written documentation. Since the complaints were against the same controller, the IMY joined them. It started by reminding that under Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights and that under Article 12(6), the controller can request additional information to confirm the identity of the data subject if it has reasonable doubts. First, the IMY assessed if, in these two cases, the controller had reasonable grounds to doubt the identity of the data subjects. It held that was not entirely clear what information the data subjects provided with their request. The company's doubts about the identity of the data subjects were therefore reasonable. Second, the IMY then examined the necessity of the "additional information" requested by the controller to overcome such doubts. Taking into account the customer relationship between the data subjects and the controller, the IMY considered that the controller could not, in this occasion, require more personal data than were asked when establishing the customer relationship. The IMY also referred to the [https://edpb.europa.eu/
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Lensway in SE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Lensway - Sweden (2023). Retrieved from cookiefines.eu
Last updated: