Groupon Ireland – Complaint Upheld (Ireland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Groupon Ireland faced a complaint for making it hard for a user to access and delete their personal data. The Data Protection Commission found that requiring ID verification was against the rules, but did not impose a fine. This case is important because it shows that companies must make it easy for users to exercise their data rights.
What happened
Groupon Ireland asked a user to provide ID to verify their identity before allowing them to access or delete their personal data.
Who was affected
A user who wanted to access and delete their personal data held by Groupon Ireland.
What the authority found
The Data Protection Commission ruled that Groupon's ID verification request was not compliant with GDPR, but issued only a reprimand.
Why this matters
This ruling emphasizes that companies should not create unnecessary barriers for users trying to access or delete their data. Simplicity and transparency are key.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 11 June 2018, a data subject made an access request and an erasure request to Groupon (the controller) via email. The controller directed the data subject to its online portal, which required the complainant to upload a photo of their ID to verify their identity. The data subject considered this an obstacle to exercising their GDPR rights and submitted a complaint to the [https://www.landtag-bw.de/home.html Baden-Württemberg DPA] on 19 June 2018. The BW DPA transferred it to the Irish Data Protection Commission (DPC), which it considered to be the leading supervisory authority in this case. The controller subsequently facilitated the complainant’s requests without requiring verification of identity. Still, the data subject was concerned that their data had not been fully deleted. The DPC considered two main issues: # Was the controller’s request for ID to verify the data subject’s identity compliant with the GDPR? # Did the controller appropriately demonstrate that the complainant’s personal data was fully deleted in response to the erasure request? The DPC found that the controller infringed Articles 5(1)(c), 6(1),12(2), 15(1) and (3) and 17(1) GDPR with regard to its request for an ID to verify the data subject’s identity. It issued a reprimand with no monetary penalty. The DPC found that the controller infringed Article 12(2) GDPR when it requested additional information as to the data subject’s identity. Under Article 12(6) GDPR, a controller may only request additional information where it has reasonable doubts concerning the identity of a person making the request. The controller did not demonstrate such doubts here. Furthermore, requiring the complainant to provide a copy of their ID to verify their identity for access and erasure requests was a violation of Article 5(1)(c) GDPR. Data minimisation obligations require any requests for additional information to be necessary, proportionate and consistent. In this case, no such verification was requi
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Groupon Ireland in IE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Groupon Ireland - Ireland (2024). Retrieved from cookiefines.eu
Last updated: