Resources

Groupon Ireland Operations Limited – March 2024

Date of decision: 8 March 2024

On 8 March 2024, the Data Protection Commission (DPC) adopted a decision following its examination of a complaint received against Groupon Ireland Operations Limited (Groupon).

The complaint concerned an access request and an erasure request made to Groupon. In response to the requests, Groupon initially required the complainant to provide a copy of an ID document in order to verify their identity, which the complainant objected to. Groupon later facilitated the complainant’s requests without imposing such a requirement. However, having been provided with their personal data, the complainant was not satisfied that all of their personal data had subsequently been fully deleted in accordance with their erasure request.

The issues under examination in the DPC’s decision were the following:

  • Whether Groupon’s request for ID in order to verify the identity of the complainant for the purposes of their original access and erasure requests was compliant with Groupon’s relevant obligations under the GDPR.
  • Whether Groupon had appropriately demonstrated that the complainant’s personal data had been fully deleted in response to the erasure request

As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.

As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.

The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In relation to whether Groupon had appropriately demonstrated that the complainant’s personal data had been fully deleted in response to the erasure request, the DPC’s decision finds no infringement. In relation to whether Groupon’s request for ID in order to verify the identity of the complainant for the purposes of their original access and erasure requests was compliant with Groupon’s relevant obligations under the GDPR, the DPC’s decision records findings of infringement as follows:

  • Article 5(1)(c) of the GDPR

The DPC finds that Groupon infringed Article 5(1)(c) GDPR by having initially required the complainant to provide a copy of their ID in order to verify their identity for the purposes of their access and erasure requests, in circumstances where no such verification appeared to have been obtained or required in order to initially open an account and a less data-driven means of verification (namely, by way of the email address associated with the account) was available to Groupon.

  • Article 12(2) of the GDPR

The DPC finds that Groupon infringed Article 12(2) GDPR by initially requesting additional information as to the complainant’s identity at the time they made their access and erasure requests, in circumstances where it has not demonstrated that reasonable doubts existed concerning the complainant’s identity that would have necessitated that application of Article 12(6) of the GDPR.

  • Articles 15(1), 15(3) and 17(1) of the GDPR

The DPC finds that Groupon infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to comply with the complainant’s initial access and erasure requests at the time they were made without a lawful basis for not complying, in circumstances where Groupon’s request (as a prerequisite to responding to the initial access and erasure requests) for photographic ID has been found to be an infringement of Article 5(1)(c) GDPR.

  • Article 6(1) of the GDPR

The DPC finds that Groupon infringed Article 6(1) GDPR by continuing to process the complainant’s personal data following receipt of their initial request for erasure.

Corrective Powers Exercised:

In light of the infringements found, the DPC issued a reprimand to Groupon pursuant to Article 58(2)(b) of the GDPR.

For more information, you can download a copy of the full decision at this link: Groupon Ireland Operations Limited – March 2024 (PDF, 599 KB).