Persónuvernd received a complaint regarding a request to register a customer’s identification number or date of birth information when purchasing tickets for an event. The supervisory authority found that the information requested by the controller went beyond what was necessary to ensure secure identification in connection with the purchase of a ticket. In addition, the controller did not inform the complainant that the registration of identification number information was optional. The controller’s notice gave the impression that the provision of identification information was mandatory, which meant that the data was not processed in a lawful, fair and transparent manner.
Persónuvernd found that secure identification could have been ensured when providing tickets sold by means other than using ID or date of birth information, e.g., using an email address or telephone number. The collection of detailed identification data was not necessary for the process.
The supervisory authority decided to impose a fine of ISK 1 million (approx. EUR 6 990) and ordered Harpa Concert Hall and Conference Centre to stop collecting information on ID numbers and dates of birth in connection with the purchase of tickets by individuals. The controller must also delete the redundantly collected data and inform the supervisory authority of the organisational and technical measures implemented by 8 April 2022.