Lensway Group AB – Complaint Upheld (Sweden, 2023)

Complaint Upheld
Integritetsskyddsmyndigheten | 19 January 2023 | Sweden
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Lensway Group AB required customers to provide excessive personal information to delete their data, such as ID copies and social security numbers. The Swedish DPA found this practice unreasonable and upheld complaints from customers in Finland and Denmark. This case highlights the importance of making data deletion requests easy for customers.

What happened

Lensway Group AB asked customers for unnecessary personal information, like ID copies, to process data deletion requests.

Who was affected

Customers in Finland and Denmark who wanted their personal data erased by Lensway Group AB.

What the authority found

The Swedish DPA ruled that Lensway Group AB's demand for extra personal information was unreasonable and did not facilitate the exercise of data rights as required by GDPR.

Why this matters

This decision emphasizes that companies must not overburden customers with excessive identity verification demands when they request data deletion. Businesses should streamline their processes to ensure compliance with GDPR and maintain customer trust.

GDPR Articles Cited

Art. 12(2) GDPR
Art. 12(6) GDPR

Full Legal Summary

A data subject in Finland contacted Lensway Group AB (“controller”) and made an erasure request. The controller replied that the data subject needed to send them his postal address so that they could send him documents related to the request, which he was to sign and return. The controller also asked the data subject to verify his identity by sending a copy of his ID by email. The data subject refused to provide this information and therefore lodged a complaint with the Finnish DPA.

Another data subject, in Denmark, contacted the same controller, also with an erasure request. To comply with the request, the controller asked the data subject to provide his social security number and a copy of his ID. The data subject questioned the need for the controller to collect personal data in order to delete his personal data and suggested that it could confirm his identity by sending an email to the address it had registered for him. The controller refused.

These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR.

Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature requested in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent. The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that, in the present case, the data subjects had not been identified in a good and secure way when contacting the controller. Indeed, the customer relationship could be established in two ways: either by making a purchase, or by creating an account.

Firstly, regarding the information requested, the DPA assessed if the controll

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for Lensway Group AB in SE

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date: 19 January 2023

Authority: Integritetsskyddsmyndigheten

GDPRhub ID: gdprhub-7817

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Lensway Group AB - Sweden (2023). Retrieved from cookiefines.eu
