Groupon International Limited - December 2020

Date16 December 2020
SectionDecisions made under data protection act 2018
An Coimisiún um Chosaint Sonraí, 21 Cearnóg Mhic Liam, Baile Átha Cliath 2.
Data Protection Commission, 21 Fitzwilliam Square, Dublin 2. | | | Tel: +353 (0)76 1104800
RE: XX v Groupon International Limited
Date: 16 December 2020
To: XX
To: Groupon International Limited
This document is a decision of the Data Protection Commission (“the DPC”) regarding the complaint received by XX
(“the complainant”) against Groupon International Limited (“Groupon”), and pursuant to the Data Protection Act
2018 (“the Act”) and the General Data Protection Regulation (“the GDPR”). Groupon International Limited is the
data controller for the Groupon service and it has its main establishment in the European Union in Ireland (with an
address at 1 Burlington Rd, Ballsbridge, Dublin 4, D04 N9W8). As such, the DPC acts as the Lead Supervisory
Authority (LSA) for Groupon International Limited and has the power to make this decision pursuant to section
113(2)(a) of the Act and Article 60 of the GDPR.
The right of the complainant to bring this complaint against Groupon arises from the fact that Groupon is the
controller of his personal data. The complainant held an account with Groupon, he made an erasure request to
Groupon in response to which Groupon engaged with the complainant on the basis that it was the controller of his
personal data in this instance.
1. Overview of Complaint dated 4 June 2018
1.1. The complainant alleges that Groupon infringed upon his rights under the GDPR by way of its requirements
in relation to the verification of his identity before his request for erasure of personal data could be carried
out. Specifically, he alleges that Groupon’s requirement that he provide a copy of a national identity
document in order for Groupon to verify his identity, before it could give effect to his erasure request,
constitutes a contravention of the GDPR.
1.2. The complainant initially brought this alleged infringement to the attention of Groupon directly, and
subsequently submitted a complaint, dated 4 June 2018, to his local data protection supervisory authority
in Poland, the Office for the Protection of Personal Data. The Polish Office for the Protection of Personal
Data uploaded the complaint onto the communication system on 29 June 2018 and the DPC accepted its
role as LSA on 5 July 2018. Accompanying the complaint, which was received by the DPC in Polish with
an English translation, the Office for the Protection of Personal Data provided a document containing links
to copies of Groupon’s terms of use of its website and its privacy policy. The IMI case file was also included.
A timeline of communications, with dates where available, between the complainant and Groupon in
respect of this complaint, and as taken from correspondence received from both parties to this complaint,
is provided in section 2 below.
2. Complaint Timeline
2.1. The complainant contacted Groupon by email to request erasure of his personal data, pursuant to Article
17 of the GDPR, on 26 May 2018. He received an email from Groupon acknowledging receipt of his request
on the same date.
2.2. On the same date, the complainant received an email from a representative of Groupon, advising him that,
in order to enable Groupon to give effect to his request, he would be required to submit a copy of a national
ID card in order to verify his identity. Correspondence provided to the DPC from Groupon also indicates
that the complainant received a phone call from a representative of Groupon on the same day, advising
him of this requirement.
2.3. The complainant replied to Groupon’s email on the same day, indicating that he was not prepared to submit
a copy of a national ID card as he believed the requirement for same was not compliant with the GDPR.
An Coimisiún um Chosaint Sonraí, 21 Cearnóg Mhic Liam, Baile Átha Cliath 2.
Data Protection Commission, 21 Fitzwilliam Square, Dublin 2. | | | Tel: +353 (0)76 1104800
2.4. On 29 May 2018, the complainant received further communication from a representative of Groupon,
directing him towards an online portal via which he could progress his request without the submission of a
copy of a national ID card. The complainant advises that he accessed the portal on the same date and
followed the instructions provided to him, attaching various pieces of information that he was happy to
provide to Groupon, but not including a copy of his ID card.
2.5. The complainant received a further response from Groupon on 4 June 2018, to the effect that his request
for erasure could not be progressed in the absence of a copy of a national ID card. He lodged a complaint
with the Office for the Protection of Personal Data on the same date.
2.6. According to correspondence received from Groupon, the complainant submitted a second request for
deletion of personal data pursuant to Article 17 on 17 July 2019, and his personal data was deleted in
completion of this request on 14 August 2019.
3. Fair Procedures and Complaint Handling Process
3.1. The complainant was informed by the DPC of his rights pursuant to section 108 of the Act.
3.2. The complainant was provided with the opportunity to be heard by being sent regular updates in relation to
the DPC’s investigation of the complaint.
3.3. Groupon was also provided with the opportunity to be heard by being notified of the complaint, and through
the DPC’s regular engagement with it throughout the process. Groupon was also given the opportunity to
provide submissions on a draft of this decision (see section 7 below). Groupon was also given the
opportunity to provide additional submissions on a revised draft of this decision (see section 10 below).
3.4. Under section 109(2) of the Act, the DPC may, where it considers that there is a reasonable likelihood of
the parties reaching, within a reasonable time, an amicable resolution of the subject matter of the complaint,
take such steps as it considers appropriate to arrange or facilitate such a resolution. The DPC engaged
with both parties to attempt to achieve an amicable resolution of the complaint. However, these attempts
were ultimately unsuccessful.
4. Investigation
4.1. The DPC commenced an examination of the subject matter of this complaint upon receipt of same.
4.2. The DPC engaged with Groupon on 1 February 2019 and, in a response to the DPC received on 11
February 2019, Groupon confirmed that the complainant had submitted a request through the Groupon
Privacy Portal at for deletion of his personal data on 29 May 2018. Groupon further
confirmed that there was no ID attached to the request, and that on the same day it had requested that he
provide a valid ID, in accordance with the requirements that Groupon had in place at the time. Groupon
further confirmed that the complainant rejected this request by email dated 4 June 2018.
4.3. In its response to the DPC, Groupon further advised that it had changed its requirements in respect of
identity documents in October 2018. It stated: “We now to seek to authenticate an email a ddress in order
to ensure that the request is valid in accordance with GDPR requirements. This has replaced the
requirement for photo ID” (correspondence from Groupon to the DPC, 11 February 2019).
4.4. Following the failure of the DPC’s attempts to bring this matter to an amicable resolution (see paragraph
3.3 above), the DPC advised the complainant that it would revert to him in due course to inform him of the
outcome of the complaint. The DPC also advised Groupon, by way of email dated 29 March 2019, of the
failure of the amicable resolution procedure.
4.5. In this correspondence of 29 March 2019, the DPC reiterated the parameters of the complaint and set out
further items of information it required from Groupon in order to assist it in progressing the matter. In
particular, the DPC requested details, inter alia, of how Groupon considered it was in compliance with
Article 5 of the GDPR and how it considered it was in compliance with Articles 12 and 17 of the GDPR.
4.6. By way of email dated 11 April 2019, Groupon responded to the DPC’s requests in this regard, stating that
it had processed the complainant’s personal data in compliance with Article 5 of the GDPR. In particular,
with reference to the principle of Data Minimisation under Article 5(1)(c), it stated that the personal data
processed was adequate, relevant and limited to the purposes for which it was processed, ie. opening and
operating his account.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT