Groupon Ireland – Complaint Upheld (Ireland, 2024)

On 11 June 2018, a data subject made an access request and an erasure request to Groupon (the controller) via email. The controller directed the data subject to its online portal, which required the complainant to upload a photo of their ID to verify their identity. The data subject considered this an obstacle to exercising their GDPR rights and submitted a complaint to the [https://www.landtag-bw.de/home.html Baden-Württemberg DPA] on 19 June 2018. The BW DPA transferred it to the Irish Data Protection Commission (DPC), which it considered to be the leading supervisory authority in this case. The controller subsequently facilitated the complainant’s requests without requiring verification of identity. Still, the data subject was concerned that their data had not been fully deleted. The DPC considered two main issues: # Was the controller’s request for ID to verify the data subject’s identity compliant with the GDPR? # Did the controller appropriately demonstrate that the complainant’s personal data was fully deleted in response to the erasure request? The DPC found that the controller infringed Articles 5(1)(c), 6(1),12(2), 15(1) and (3) and 17(1) GDPR with regard to its request for an ID to verify the data subject’s identity. It issued a reprimand with no monetary penalty. The DPC found that the controller infringed Article 12(2) GDPR when it requested additional information as to the data subject’s identity. Under Article 12(6) GDPR, a controller may only request additional information where it has reasonable doubts concerning the identity of a person making the request. The controller did not demonstrate such doubts here. Furthermore, requiring the complainant to provide a copy of their ID to verify their identity for access and erasure requests was a violation of Article 5(1)(c) GDPR. Data minimisation obligations require any requests for additional information to be necessary, proportionate and consistent. In this case, no such verification was requi