CDON AB – Complaint Upheld (Sweden, 2023)

Complaint Upheld
Integritetsskyddsmyndigheten | 31 March 2023 | Sweden
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Sweden's data protection authority found that CDON AB's process for verifying identity in data erasure requests was too demanding. The company asked for excessive information, making it hard for users to complete their requests. This decision underscores the need for businesses to simplify user verification processes in line with GDPR.

What happened

CDON AB required excessive information for identity verification in data erasure requests.

Who was affected

Customers who struggled to provide all the requested information for data erasure requests.

What the authority found

The Swedish DPA found that CDON AB's identity verification process was too burdensome and not compliant with GDPR.

Why this matters

This case highlights the importance of balancing security with user accessibility in data protection processes. Businesses should ensure their verification methods are user-friendly and GDPR-compliant.

GDPR Articles Cited

Art. 5(1)(c) GDPR
Art. 12(2) GDPR
Art. 12(6) GDPR

Full Legal Summary

Seven data subjects separately contacted CDON AB (“controller”), a Swedish company, and made an erasure request. The controller replied that, in order to process the request, it needed information on date of birth, address, customer number, information on recent purchases such as order number, and information on payment method, including the last four digits of the credit card number in case of card payment. Several data subjects argued they could not retrieve all the requested information as their purchases were so far back in time.

The data subjects lodged separate complaints against the controller in Finland (6) and Denmark (1). Given the cross-border nature of the processing, the Swedish DPA (“Integritetsskyddsmyndigheten”) made use of the cooperation and consistency mechanisms provided by the GDPR, as the controller was based in Sweden.

The controller argued that the names and email addresses of the data subjects were not sufficient to ensure the data subject’s identity. It therefore requested additional information from the data subjects pursuant to Article 12(6) GDPR. The controller also stated that it took the complaints very seriously and has since reviewed and clarified the identification process so that data subjects only need to answer one of the two security questions, and that it offers data subjects the option to contact customer service for investigation of alternative security questions to verify the customer’s identity where the data subject is unwilling or unable to answer the questions. Moreover, the controller stated that it deleted customer profiles automatically depending on the consumer law obligations in various countries, for example after three years in Sweden. The controller thereby confirmed that all of the data subjects’ personal data were deleted.

The DPA did not investigate two out of seven complaints. The controller could not verify the receiving or processing date of those erasure requests as several years had passed since the complaints were submit

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Details

Decision Date

31 March 2023

Authority

Integritetsskyddsmyndigheten

GDPRhub ID

gdprhub-7839

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CDON AB - Sweden (2023). Retrieved from cookiefines.eu
