Groupon International Limited - December 2020

• Year: 2020
• Date: 16 December 2020
• Section: Decisions made under data protection act 2018

An Coimisiún um Chosaint Sonraí, 21 Cearnóg Mhic Liam, Baile Átha Cliath 2.

Data Protection Commission, 21 Fitzwilliam Square, Dublin 2.

www.cosantasonrai.ie | www.dataprotection.ie | eolas@cosantasonrai.ie | info@dataprotection.ie Tel: +353 (0)76 1104800

RE: XX v Groupon International Limited

DPC Ref: C-XX-X-XX

Date: 16 December 2020

To: XX

To: Groupon International Limited

This document is a decision of the Data Protection Commission (“the DPC”) regarding the complaint received by XX

(“the complainant”) against Groupon International Limited (“Groupon”), and pursuant to the Data Protection Act

2018 (“the Act”) and the General Data Protection Regulation (“the GDPR”). Groupon International Limited is the

data controller for the Groupon service and it has its main establishment in the European Union in Ireland (with an

address at 1 Burlington Rd, Ballsbridge, Dublin 4, D04 N9W8). As such, the DPC acts as the Lead Supervisory

Authority (LSA) for Groupon International Limited and has the power to make this decision pursuant to section

113(2)(a) of the Act and Article 60 of the GDPR.

The right of the complainant to bring this complaint against Groupon arises from the fact that Groupon is the

controller of his personal data. The complainant held an account with Groupon, he made an erasure request to

Groupon in response to which Groupon engaged with the complainant on the basis that it was the controller of his

personal data in this instance.

1. Overview of Complaint dated 4 June 2018

1.1. The complainant alleges that Groupon infringed upon his rights under the GDPR by way of its requirements

in relation to the verification of his identity before his request for erasure of personal data could be carried

out. Specifically, he alleges that Groupon’s requirement that he provide a copy of a national identity

document in order for Groupon to verify his identity, before it could give effect to his erasure request,

constitutes a contravention of the GDPR.

1.2. The complainant initially brought this alleged infringement to the attention of Groupon directly, and

subsequently submitted a complaint, dated 4 June 2018, to his local data protection supervisory authority

in Poland, the Office for the Protection of Personal Data. The Polish Office for the Protection of Personal

Data uploaded the complaint onto the communication system on 29 June 2018 and the DPC accepted its

role as LSA on 5 July 2018. Accompanying the complaint, which was received by the DPC in Polish with

an English translation, the Office for the Protection of Personal Data provided a document containing links

to copies of Groupon’s terms of use of its website and its privacy policy. The IMI case file was also included.

A timeline of communications, with dates where available, between the complainant and Groupon in

respect of this complaint, and as taken from correspondence received from both parties to this complaint,

is provided in section 2 below.

2. Complaint Timeline

2.1. The complainant contacted Groupon by email to request erasure of his personal data, pursuant to Article

17 of the GDPR, on 26 May 2018. He received an email from Groupon acknowledging receipt of his request

on the same date.

2.2. On the same date, the complainant received an email from a representative of Groupon, advising him that,

in order to enable Groupon to give effect to his request, he would be required to submit a copy of a national

ID card in order to verify his identity. Correspondence provided to the DPC from Groupon also indicates

that the complainant received a phone call from a representative of Groupon on the same day, advising

him of this requirement.

2.3. The complainant replied to Groupon’s email on the same day, indicating that he was not prepared to submit

a copy of a national ID card as he believed the requirement for same was not compliant with the GDPR.

An Coimisiún um Chosaint Sonraí, 21 Cearnóg Mhic Liam, Baile Átha Cliath 2.

Data Protection Commission, 21 Fitzwilliam Square, Dublin 2.

www.cosantasonrai.ie | www.dataprotection.ie | eolas@cosantasonrai.ie | info@dataprotection.ie Tel: +353 (0)76 1104800

2.4. On 29 May 2018, the complainant received further communication from a representative of Groupon,

directing him towards an online portal via which he could progress his request without the submission of a

copy of a national ID card. The complainant advises that he accessed the portal on the same date and

followed the instructions provided to him, attaching various pieces of information that he was happy to

provide to Groupon, but not including a copy of his ID card.

2.5. The complainant received a further response from Groupon on 4 June 2018, to the effect that his request

for erasure could not be progressed in the absence of a copy of a national ID card. He lodged a complaint

with the Office for the Protection of Personal Data on the same date.

2.6. According to correspondence received from Groupon, the complainant submitted a second request for

deletion of personal data pursuant to Article 17 on 17 July 2019, and his personal data was deleted in

completion of this request on 14 August 2019.

3. Fair Procedures and Complaint Handling Process

3.1. The complainant was informed by the DPC of his rights pursuant to section 108 of the Act.

3.2. The complainant was provided with the opportunity to be heard by being sent regular updates in relation to

the DPC’s investigation of the complaint.

3.3. Groupon was also provided with the opportunity to be heard by being notified of the complaint, and through

the DPC’s regular engagement with it throughout the process. Groupon was also given the opportunity to

provide submissions on a draft of this decision (see section 7 below). Groupon was also given the

opportunity to provide additional submissions on a revised draft of this decision (see section 10 below).

3.4. Under section 109(2) of the Act, the DPC may, where it considers that there is a reasonable likelihood of

the parties reaching, within a reasonable time, an amicable resolution of the subject matter of the complaint,

take such steps as it considers appropriate to arrange or facilitate such a resolution. The DPC engaged

with both parties to attempt to achieve an amicable resolution of the complaint. However, these attempts

were ultimately unsuccessful.

4. Investigation

4.1. The DPC commenced an examination of the subject matter of this complaint upon receipt of same.

4.2. The DPC engaged with Groupon on 1 February 2019 and, in a response to the DPC received on 11

February 2019, Groupon confirmed that the complainant had submitted a request through the Groupon

Privacy Portal at http://gr.pn/privacy for deletion of his personal data on 29 May 2018. Groupon further

confirmed that there was no ID attached to the request, and that on the same day it had requested that he

provide a valid ID, in accordance with the requirements that Groupon had in place at the time. Groupon

further confirmed that the complainant rejected this request by email dated 4 June 2018.

4.3. In its response to the DPC, Groupon further advised that it had changed its requirements in respect of

identity documents in October 2018. It stated: “We now to seek to authenticate an email a ddress in order

to ensure that the request is valid in accordance with GDPR requirements. This has replaced the

requirement for photo ID” (correspondence from Groupon to the DPC, 11 February 2019).

4.4. Following the failure of the DPC’s attempts to bring this matter to an amicable resolution (see paragraph

3.3 above), the DPC advised the complainant that it would revert to him in due course to inform him of the

outcome of the complaint. The DPC also advised Groupon, by way of email dated 29 March 2019, of the

failure of the amicable resolution procedure.

4.5. In this correspondence of 29 March 2019, the DPC reiterated the parameters of the complaint and set out

further items of information it required from Groupon in order to assist it in progressing the matter. In

particular, the DPC requested details, inter alia, of how Groupon considered it was in compliance with

Article 5 of the GDPR and how it considered it was in compliance with Articles 12 and 17 of the GDPR.

4.6. By way of email dated 11 April 2019, Groupon responded to the DPC’s requests in this regard, stating that

it had processed the complainant’s personal data in compliance with Article 5 of the GDPR. In particular,

with reference to the principle of Data Minimisation under Article 5(1)(c), it stated that the personal data

processed was adequate, relevant and limited to the purposes for which it was processed, ie. opening and

operating his account.