In its decision of 8.11.2019, GZ: DSBD122.970/0004-DSB/2019 (RIS), DSB had to deal with the processing of pseudonymised data (Art. 4 (5) GDPR). The complainant had created a user profile with the provider of an Internet small ad portal. The user profile used only a (freely choosable) username and an e-mail address as a “unique identifier”. He now wanted to have this user profile deleted. A self-service option was not offered. The responsible company responded to the request for deletion sent by e-mail address by
requesting that a comprehensive cancellation request be completed, including the full (real) name and residential address. The data protection authority accepted the complaint, determined that there had been a breach of the right of cancellation and ordered the respondent to delete the profile. This was justified by, among others, a breach of the obligation under Article 12 (2) GDPR to facilitate the exercise of the data subject’s rights
and the lack of possibility to compare the additional data collected in the requested request for deletion with the data already processed
for the purpose of establishing identity. In the case of a pseudonymous user profile, it is sufficient for the user to be able to identify himself, for example,
by knowledge of the login data (user ID, password), by providing information on the stored data content of the profile or by proven control of the mailbox whose e-mail address was provided during registration.
The decision is final.