FiS - 6034-24
| FiS - 6034-24 | |
|---|---|
 | |
| Court: | FiS (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 58 GDPR |
| Decided: | 17.07.2024 |
| Published: | 17.07.2024 |
| Parties: | Region Uppsala |
| National Case Number/Name: | 6034-24 |
| European Case Law Identifier: | |
| Appeal from: | IMY (Sweden) |
| Appeal to: | |
| Original Language(s): | English |
| Original Source: | noyb (in English) |
| Initial Contributor: | ec |
A court held that the DPA has the discretion to assess the extent to which a complaint should be investigated and that only sending an information letter to a controller was a sufficient measure.
English Summary
Facts
The data subject lodged a complaint against the controller, the Region Uppsala, at the Swedish DPA (“IMY”) for recording telephone conversations without a legal basis for the processing.
The DPA sent an information letter to the controller, informing them of the complaint, the applicable law and closed the case without taking any further action. The DPA held that the purpose of the letter was to give the controller the opportunity to review its processing and to correct any shortcomings themselves. The DPA therefore did not see any grounds to investigate the complaint further.
The data subject appealed this decision at the Administrative Court of Stockholm (“Förvaltningsrätten I Stockholm”), arguing that the DPA has the obligation to take effective measures to limit violations. As the letter stated that the DPA did not intend to take further action, there was no incentive for the controller to remedy its violations. Therefore, the data subject argued that the DPA failed to investigate the matter with due diligence, even though it was clear from the complaint that the controller did not have a legal basis for its processing.
The data subject further argued that information letters are not a corrective measure under Article 58 GDPR and can therefore not constitute as an effective measure. The data subject argued that this was also not in line with the EDPB internal document on Supervisory Authorities’ duties in relation to alleged GDPR infringements.
The IMY held that the appeal should be rejected as the measure was sufficient. The IMY held that if the letter did not result in the controller correcting any shortcomings, the data subject was free to submit a new complaint at a later stage.
Holding
The court assessed whether IMY had grounds for not investigating the data subject’s complaint further, beyond sending an information letter to the controller.
The court took into account the CJEU judgement in the Case C-311/18 Schrems II and the Joined Cases C-26/22 and C‑64/22 SCHUFA which concerns corrective measures under the GDPR and held that it supports the conclusion that IMY as a supervisory authority has considerable discretion to assess the extent to which a complaint should be investigated and that investigative measures are appropriate, necessary and proportionate in the individual case.
The court also took into account the Swedish preparatory works on the GDPR (2017/18:105), which stated that the IMY has no obligation to take supervisory measures or even to always investigate the facts more closely. The court thus held that IMY has a clear discretion to decide for itself which supervisory cases are to be pursued and how this is to be done.
The court further found that the IMY was uncertain whether the controller had complied with its obligations under Article 6 GDPR, and therefore was justified to send an information letter. The court found that there was no reason to question IMY's view that no further investigative measure was necessary.
The court thus dismissed the data subject’s arguments and held that the IMY has the possibility to decide not to investigate a complaint further and to close a case by sending an information letter to the controller.
Regarding the data subject's argument that the IMY's information letter was not in line the EDPB's internal documents, the court held that these documents were not binding and therefore did not lay down any obligations for the IMY as regards to the content of the information letter.
Therefore the court held that the IMY investigated the matter in question to the extent that was appropriate and that the information letter sent was a sufficient measure. Thus, the court dismissed the appeal.
Comment
First of all, the Schufa case indicates the following:
Para 57: "In order to deal with complaints received, Article 58(1) of the GDPR grants each supervisory authority significant investigative powers. Where such an authority, after completing its investigation, finds that the provisions of this regulation have been infringed, it is obliged to take appropriate measures to remedy the deficiency found."
Para 68: "However, it should be added that, although, as stated in paragraph 56 above, the supplementary authority is obliged to treat a complaint with all due diligence, it has, as regards the remedies listed in Article 58(2) of the GDPR, a discretion as to the choice of appropriate and necessary measures."
This in no way supports the court's finding that DPA's have the discretion to assess the extent to which a complaint should be investigated. It only confirms that DPA's maintain a margin of discretion as to the choice of the appropriate means under Article 58(2) GDPR.
Secondly, even if the Swedish preparatory works states that the Swedish DPA has no obligation to take supervisory measures or even to always investigate the facts more closely, such a practice would evidently be contrary to the GDPR and CJEU case-law.
Thirdly, the court's view that EDPB's internal documents are not binding and therefore do not lay down any obligations for the IMY seems rather odd as the IMY as member of the EDPB co-wrote this document. These internal documents are also written to have a uniform application of the GDPR. By not following these internal documents, would go against the aim of the EDPB.
Lastly, it seems odd that the responsibility of monitoring compliance with the GDPR is put on the data subject. Instead of the IMY monitoring and enforcing compliance with the GDPR, the IMY closed the case and held that the data subject is free to submit a new complaint at a later stage if the controller did not comply after the information letter.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation.
