IMY (Sweden) - DI-2021-10263: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 53: | Line 53: | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
|Party_Name_1= | |Party_Name_1=Klarna Bank AB | ||
|Party_Link_1= | |Party_Link_1= | ||
|Party_Name_2= | |Party_Name_2= |
Revision as of 09:21, 2 November 2022
IMY - DI-2021-10263 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(a) GDPR Article 15 GDPR Article 15(1)(c) GDPR Article 19 GDPR Article 56 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 11.05.2022 |
Published: | |
Fine: | n/a |
Parties: | Klarna Bank AB |
National Case Number/Name: | DI-2021-10263 |
European Case Law Identifier: | EDPBI:SE:OSS:D:2022:366 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
Pursuant of Article 60 GDPR, The Swedish DPA reprimanded a bank (controller) (Article 58(2)(b) GDPR). The data subject submitted an access request (Article 15 GDPR), but the controller did not provide information regarding the recipients to which personal data had been disclosed.
English Summary
Facts
The data subject complained that a bank (controller) violated Article 15 GDPR, because it did not provide all information he initially requested. The controller did not provide information regarding recipients to whom personal data of the data subject had been disclosed. The controller did not provide this additional information even after the data subjects specifically asked for it in a follow-up request.
The data subject filed his complaint at the DPA in Germany. The German DPA transferred the complaint to the Swedish DPA, which was the Lead Supervisory Authority (Article 56 GDPR) in this case. The Swedish DPA used the mechanisms for cooperation and consistency (Chapter VII GDPR), because this complaint regarded cross-border processing. The CSA’s (Concerned Supervisory Authorities) were located in Germany, Denmark, Austria, Italy, Poland and Finland.
The controller stated that it did not have the obligation to provide access in the way the data subject requested and that it had acted in a GDPR compliant way. To support this argument, the controller also stated that the EDPB Guidelines 01/2022 on Access were adopted on 18 January 2022, two years after the data subject's case regarding access was closed. These Guidelines state that the controller should provide the actual recipients unless it would only be possible to indicate the category of recipients. It already followed from Articles 13 and 14 GDPR that the recipients or categories of recipients of personal data should be as concrete as possible in respect of the principles of transparency and fairness. These Guidelines also state that storing information about the actual recipients is also necessary to comply with Article 5(2) GDPR.
Holding
The DPA determined that the controller violated Article 15 GDPR. The DPA stated that Article 15(1)(c) GDPR must be interpreted as a right to obtain information from the controller about the actual recipients to whom the personal data have been - or will be disclosed, unless this proves impossible or involves disproportionate effort. The controller should especially provide this data when the data subject is specifically asking for it. The DPA reached this conclusion by interpreting Article 15(1)(c) GDPR together with Articles 19 and Article 5(1)(a) GDPR, the principles of fairness and transparency.
The DPA held that in the present case, the data subject had explicitly requested information about recipients of his personal data. The controller did not prove that providing this information was impossible or would involve disproportionate effort.
The DPA also clarified that it did not claim that the controller had an obligation to comply with the EDPB Guidelines, which were not yet available at the time of the violation. The DPA stated that its reason for citing the Guidelines was to prove that there was wide support for the DPA's opinion, which also followed from the wording of Article 19 GDPR.
The DPA held that the violation constituted a minor infringement (Recital 148). The violation only affected one data subject. Also, no sensitive data was involved. Furthermore, the controller otherwise complied with the access request. Therefore, the DPA only reprimanded the controller (Article 58(2)(b) GDPR).
Comment
The document from the EDPB website is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-05-11, no. DI-2021-10263. Only the Swedish version of the decision is deemed authentic.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(4) Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-05-11, no. DI-2021-10263. Only the Swedish version of the decision is deemed authentic. Registration number: Decision under the General Data DI-2021-10263, IMI case no. 185203, LDA-1085.1-1399/20-F Protection Regulation — Klarna Bank Date of decision: AB 2022-05-11 Decision of the Swedish Authority for Privacy Protection (IMY) The Authority for Privacy Protection (IMY) finds that Klarna Bank AB is processing personal data in breach of Article 15 of the General Data Protection Regulation 1 (GDPR) by not complying with the complainant’s request of 22 December 2019 for information about the recipients to whom his personal data have been disclosed. The Authority for Privacy Protection issues Klarna Bank AB a reprimand pursuant to Article 58(2)(b) of the GDPR for the infringement of Article 15 of the GDPR. Report on the supervisory case The case handling The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna Bank AB (Klarna) due to a complaint. The complaint has been submitted to IMY, in its capacity as lead supervisory authority under Article 56 of the General Data Protection Regulation (GDPR). The handover has been made by the supervisory authority of the country where the complainant has lodged his complaint (Germany) in accordance with the Regulation’s provisions on cooperation concerning cross-border processing. The investigation in the case has been carried out through correspondence. Since the complaint regards cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities in Germany, Denmark, Austria, Italy, Poland, and Finland. The complaint Postal address: The complainant mainly states the following. Box 8114 104 20 Stockholm Website: He has requested access to his personal data under Article 15 of the GDPR. The www.imy.se information he obtained from Klarna did not include all the information that he had E-mail: imy@imy.se 1 Telephone: Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the and repealing Directive 95/46/EC (General Data Protection Regulation).nd on the free movement of such data, 08-657 61 00Integritetsskyddsmyndigheten Diarienummer: DI-2021-10263 2(4) Datum: 2022-05-11 asked for since it lacked information about the recipients to whom his personal data had been disclosed. Even though the complainant came back with a request to know exactly which recipients his data had sent to, Klarna has not complied with this request. Due to the complaint, IMY has initiated supervision in order to examine if the complainant’s request has been complied with in accordance with Article 15 of the GDPR. What Klarna has stated Klarna states that it is the controller for the processing to which the complaint relates. th The information sent to the complainant on the 24 of January 2020 is in accordance with the obligations of the GDPR. Klarna has no duty to reply to the complainant’s access request in any other way that it did. The EDPB Guidelines 01/2022 on access th was adopted on the 18 of January 2022, i.e. two years after the complainant’s case regarding access request was closed. Justification of the decision Applicable provisions, etc. Article 15 of the GDPR provides that he data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The data subject shall also have the right to information about the recipients or categories of recipient to whom the personal data have been or will be disclosed (Article 15(1)(c)). Article 19 of the GDPR requires the controller to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it. According to Article 5 the controller shall be responsible for, and be able to demonstrate compliance with, inter alia the obligation to processes personal data fairly and in a transparent manner in relation to the data subject. EDPB Guidelines 01/2022 on access state that concerning the question, if the controller is free to choose between information on recipients or on categories of recipients, it has to be recalled, that, already under Art. 13 and 14 GDPR information on the recipients or categories of recipients should be as concrete as possible in respect of the principles of transparency and fairness. The controller should therefore generally name the actual recipients unless it would only be possible to indicate the category of recipients. Nevertheless, sometimes naming the actual recipients is not yet possible at the time of the information under Art. 13 and 14 GDPR but only in a later stage, for example when an access request is made. The EDPB recalls in this regard,Integritetsskyddsmyndigheten Diarienummer: DI-2021-10263 3(4) Datum: 2022-05-11 that storing information relating to the actual recipients is necessary inter alia to be able to comply with the controller’s obligations under Art. 5(2) and 19 GDPR. 2 Assessment of the Authority for Privacy Protection The wording of Article 15(1)(c) of the GDPR does clarify if the controller is free to choose between information on actual recipients or on only categories of recipients. However, IMY concludes that Article 15(1)(c), read together with Article 19 and in light of the principles of fairness and transparency (Article 5(1)(a)) cannot be interpreted any other way than as a right of the data subject to, especially when explicitly requested, obtain from the controller information about the actual recipients to whom the personal data have been or will be disclosed, unless this proves impossible or involves disproportionate effort. IMY notes that the complainant has explicitly requested information about actual recipients. Klarna has not proved that this has proven impossible or to involve disproportionate effort. Klarna has thus processed the complainant’s personal data in violation of Article 15 of the GDPR. What Klarna has stated about that the EDPB Guidelines on access was adopted after the access request was complied with, does not lead to any other conclusion. IMY does not claim that Klarna has an obligation to comply with guidelines that was not available to Klarna at the time of the violation. IMY’s reason for citing the guidelines is to prove that there is wide support for IMY’s opinion, which follows from the wording of Article 19. Choice of corrective measure It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into account when deciding on administrative fines and in determining the amount of the fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider is the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and past relevant infringements. IMY notes that the violation has affected one person and has not involved sensitive data. Furthermore, Klarna has otherwise complied with the complainant’s request for access. Against this background IMY considers that it is a minor infringement within the meaning of recital 148 and that Klarna Bank AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR for the established infringement. 2EDPB Guidelines 01/2022 on data subject rights -access, Version 1.0, adopted for public consultation on 18 January 2022, paragraph 115.Integritetsskyddsmyndigheten Diarienummer: DI-2021-10263 4(4) Datum: 2022-05-11 This decision has been approved by the specially appointed decision-maker after presentation by legal advisor How to appeal If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received at the right time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review. You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown in the first page of the decision.