IMY (Sweden) - DI-2021-10448,: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 63: Line 63:
}}
}}


In this [[Article 60 GDPR]] procedure, Klarna Bank AB, a Swedish payment provider, had wrongfully used the data subject's first name in an e-mail send to the data subject's parter, after which the data subject filed rectification - and access requests. The Swedish DPA only determined a violation of Article 15 GDPR because the controller only answered the request 1 year and 3 months after it was submitted.  
In this [[Article 60 GDPR]] procedure, a data subject filed two rectification requests and an access request at Klarna Bank AB, a Swedish payment provider. Klarna had used incorrect first names in invoices for online purchases made by the data subject and their partner. The Swedish DPA only determined a violation of [[Article 15 GDPR]] because the controller answered to an access request 1 year and 3 months after it was originally submitted.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject had used the services of the controller, a Swedish payment provider for online services, to shop online. The partner of the data subject received the bills for these internet pruchases. In some instances, these wrongly delivered bills were in some instances addressed to the data subject. According to the data subject, he/she had requested the controller to correct the names in the e-mail in December 2018.
The data subject and partner had each used a Swedish payment provider (controller) multiple times over the span of a few years for online shopping. However, the controller had made the mistake of addressing the wrong person in the invoice more than once. The controller would use the first name of the data subject, while the partner had made the purchase.


In 2020, the partner of the data subject used the controller's services again to shop online. The partner of the data subject again received an e-mail which was addressed to the data subject. On 15 October 2022, the data subject made a second request for rectification.  
According to the data subject, in December 2018, ''the first rectification request'' was filed to request the controller to correct the names in the e-mails, because the partner had received invoices with the name of the data subject. The controller's services were then not used for some time by the data subject and partner. When the data subject's partner started using the controller's service again sometime in 2020, he received another e-mail, which was addressed to the data subject (first name only). After this, the data subject filed ''the second rectification request'' to request the controller to change the first names in the e-mails.  


On 10 October 2020, the data subject had also submitted a request for access, but received no reply from the controller.  
On 15 October 2020, the data subject also submitted an access request, to which the controller never responded.  


The data subject filed a complaint at a German DPA (not clear which DPA and not clear at what date the complaint was filed), which transferred the complaint to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPA's of Denmark, Finland, Germany, France, Norway and the Netherlands. The Swedish DPA started an investiagtion into the controller.  
The data subject filed a complaint at a German DPA (not clear which German DPA and not clear when the complaint was filed), which transferred the complaint to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPA's of Denmark, Finland, Germany, France, Norway and the Netherlands. The Swedish DPA started an investigation into the controller.


During the subsequent investigation of the DPA, the controller stated that it had a system for automatic generation of first names in the initial greeting of an e-mail. According to the controller, both the data subject and their partner used the same e-mail address (email address "y"), to place orders using the controller's service, which was one of the reasons why it put the wrong name in the email.  
During the investigation of the DPA, the controller informed the DPA that it had an automatic system in place which would generate the first name in the initial greetings of an email, which was apparently based on previous information provided by its clients.


The controller had also stated that it had rectified the information according to both requests of the data subject. It is not clear at what date the controller did this.  
In this context, the controller also provided the DPA with the information that the data subject and partner had both separately used the same email address ('e-mail address Y'), which contained the partner's name, to use the controller's services for their individual purchases. They also lived on the same postal address. According to the controller, 5 purchases in 2018 were made using first name, surname, address and postal address of the data subject, while the data subject claimed that it was the partner who made these purchases. These purchases were made using a certain email address ('e-mail address Y'). Because the personal data of the data subject was provided in combination with this e-mail address, the first e-mail sent to this email address included the first name of the data subject, after which the data subject sent the ''first rectification'' ''request'' (according to the controller, this request was sent on 5 November 2018). A similar "mistake" happened again on 22 September 2022, after which the data subject sent the ''second rectification request'' (according to the controller, this request was sent on 10 October 2020).


The controller also informed the DPA during its investigation that it had not "''recognised''" the access request of the data subject. The controller answered and complied with the access request on 21 January 2022, almost 1 year and 3 months after the request was submitted  
The controller stated that no other personal data than the first name of the data subject were sent out. It also stated that it had complied with both rectification requests of the data subject, without specifying when it had done so. It also determined that the other personal data of the data subject and partner were not subject to the rectification request of the data subject. However, the controller updated the 'name' category for certain purchases made in the past on its own.
 
The controller also informed the DPA during its investigation that it had not "''recognised''" the access request of the data subject as such. The controller complied with the access request on 21 January 2022, almost 1 year and 3 months after the request was submitted.


=== Holding ===
=== Holding ===
''First'', the DPA determined that the controller did <u>not</u> violate [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] by regulary confusing the personal data of both the data subject and their partner by adressing the wrong person in the e-mails. The DPA reitereated that both the data subject and their partner had used 'e-mail address Y' to place online orders using the controller's service. The DPA noted that no other personal data than the first name of the data subject had been disclosed to the wrongly addressed partner. It also stated that the first name of the data subject was quite common. Therefore, this name did not constitute an identifier specific to the data subject.  
''First'', the DPA determined that the controller did <u>not</u> violate [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] by regularly confusing the personal data of both the data subject and their partner by addressing the wrong person in the e-mails. The DPA did not have reason to doubt the controller's statement that both the data subject and their partner had used 'e-mail address Y' to place online orders using the controller's service. The DPA also did not question the notion that no other personal data than the first name of the data subject had been disclosed to the wrongly addressed partner. It also stated that the first name of the data subject was quite common. Therefore, this name did not constitute an identifier specific to the data subject.  


''Second'', The DPA held that the controller did <u>not</u> violate [[Article 16 GDPR]] for the way it handled the two erasure requests of the data subject. The DPA stated that the data subject had not claimed that their requests for rectification were not met to any extent. It also could not determine ant reason to question the information provided by the controller, which had stated that it complied with the requests of the data subject, although without providing a specific date when the controller did this.  
''Second'', The DPA held that the controller did <u>not</u> violate [[Article 16 GDPR]] for the way it handled the two erasure requests of the data subject. The DPA stated that the data subject had not claimed that their requests for rectification were not met to any extent. It also could not determine any reason to question the information provided by the controller, which had stated that it complied with the requests of the data subject, although without providing a specific date when the controller did this. Despite this, the DPA held that the controller did not violate [[Article 16 GDPR]]. 


''Third'', the DPA held that the controller had violated [[Article 15 GDPR]] because it only provided a reply to the data subject 1 year and 3 months after the request was submitted. The DPA noted that the time elapsed was 'relatively long'. Therefore, the controller had not handled the access request without undue delay pursuant of [[Article 12 GDPR|Article 12(3) GDPR]]. Therefore, the controller violated [[Article 15 GDPR]].  
''Third'', the DPA held that the controller had violated [[Article 15 GDPR]] because it only provided a reply to the data subject 1 year and 3 months after the request was submitted. The DPA noted that the time elapsed was 'relatively long'. Therefore, the controller had not handled the access request without undue delay pursuant to [[Article 12 GDPR|Article 12(3) GDPR]]. Therefore, the controller violated [[Article 15 GDPR]].  


The DPA considered this a minor infringement and reprimanded the controller pursuant of [[Article 58 GDPR|Article 58(2)(b) GDPR]].  
The DPA considered this a minor infringement and reprimanded the controller pursuant to [[Article 58 GDPR|Article 58(2)(b) GDPR]].  


== Comment ==
== Comment ==
The data subject stated that in the orginal complaint that she requested the controller to adjust the names in the controller's e-mails in December 2018. However, the controller stated that it received the data subject's first request for rectification on 5 November 2018. Although there is only a difference of around a month between these dates and this difference is inconsequential for the non-violation of Article 16 GDPR, the difference is still there, without any clarification from the parties or the DPA when the first request was submitted.
The data subject stated that in the original complaint that she requested the controller to adjust the names in the controller's e-mails in December 2018. However, the controller stated that it received the data subject's first request for rectification on 5 November 2018. Although there is only a difference of around a month between these dates and this difference is inconsequential for the assessment of the violation of [[Article 16 GDPR]], the difference is still there, without any clarification from the parties or the DPA when the first request was submitted.  
 
A similair difference is present for the supossed date when the data subject filed the access request. The data subject stated that the access request was filed on 10 October 2022. According to the controller, the data subject had submitted the request on 15 October 2020.  


Also, it is not clear from the decision at what date the original complaint was submitted. It also not clear from the decision which German DPA transferred the complaint to the Swedish DPA, although looking at the German case number ('83.41/20.039'), it is most likely that this was the Berlin DPA, although this is not 100% certain.  
Also, it is not clear from the decision at what date the original complaint was submitted. It also not clear from the decision which German DPA transferred the complaint to the Swedish DPA, although looking at the German case number (83.41/20.039), it is most likely that this was the Berlin DPA, although this is not 100% certain.  


== Further Resources ==
== Further Resources ==

Latest revision as of 15:07, 7 February 2023

IMY - DI-2021-10448,
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 15 GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.06.2022
Published:
Fine: n/a
Parties: Klarna Bank
National Case Number/Name: DI-2021-10448,
European Case Law Identifier: EDPBI:SE:OSS:D:2022:381
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In this Article 60 GDPR procedure, a data subject filed two rectification requests and an access request at Klarna Bank AB, a Swedish payment provider. Klarna had used incorrect first names in invoices for online purchases made by the data subject and their partner. The Swedish DPA only determined a violation of Article 15 GDPR because the controller answered to an access request 1 year and 3 months after it was originally submitted.

English Summary

Facts

The data subject and partner had each used a Swedish payment provider (controller) multiple times over the span of a few years for online shopping. However, the controller had made the mistake of addressing the wrong person in the invoice more than once. The controller would use the first name of the data subject, while the partner had made the purchase.

According to the data subject, in December 2018, the first rectification request was filed to request the controller to correct the names in the e-mails, because the partner had received invoices with the name of the data subject. The controller's services were then not used for some time by the data subject and partner. When the data subject's partner started using the controller's service again sometime in 2020, he received another e-mail, which was addressed to the data subject (first name only). After this, the data subject filed the second rectification request to request the controller to change the first names in the e-mails.

On 15 October 2020, the data subject also submitted an access request, to which the controller never responded.

The data subject filed a complaint at a German DPA (not clear which German DPA and not clear when the complaint was filed), which transferred the complaint to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPA's of Denmark, Finland, Germany, France, Norway and the Netherlands. The Swedish DPA started an investigation into the controller.

During the investigation of the DPA, the controller informed the DPA that it had an automatic system in place which would generate the first name in the initial greetings of an email, which was apparently based on previous information provided by its clients.

In this context, the controller also provided the DPA with the information that the data subject and partner had both separately used the same email address ('e-mail address Y'), which contained the partner's name, to use the controller's services for their individual purchases. They also lived on the same postal address. According to the controller, 5 purchases in 2018 were made using first name, surname, address and postal address of the data subject, while the data subject claimed that it was the partner who made these purchases. These purchases were made using a certain email address ('e-mail address Y'). Because the personal data of the data subject was provided in combination with this e-mail address, the first e-mail sent to this email address included the first name of the data subject, after which the data subject sent the first rectification request (according to the controller, this request was sent on 5 November 2018). A similar "mistake" happened again on 22 September 2022, after which the data subject sent the second rectification request (according to the controller, this request was sent on 10 October 2020).

The controller stated that no other personal data than the first name of the data subject were sent out. It also stated that it had complied with both rectification requests of the data subject, without specifying when it had done so. It also determined that the other personal data of the data subject and partner were not subject to the rectification request of the data subject. However, the controller updated the 'name' category for certain purchases made in the past on its own.

The controller also informed the DPA during its investigation that it had not "recognised" the access request of the data subject as such. The controller complied with the access request on 21 January 2022, almost 1 year and 3 months after the request was submitted.

Holding

First, the DPA determined that the controller did not violate Article 5(1)(d) GDPR by regularly confusing the personal data of both the data subject and their partner by addressing the wrong person in the e-mails. The DPA did not have reason to doubt the controller's statement that both the data subject and their partner had used 'e-mail address Y' to place online orders using the controller's service. The DPA also did not question the notion that no other personal data than the first name of the data subject had been disclosed to the wrongly addressed partner. It also stated that the first name of the data subject was quite common. Therefore, this name did not constitute an identifier specific to the data subject.

Second, The DPA held that the controller did not violate Article 16 GDPR for the way it handled the two erasure requests of the data subject. The DPA stated that the data subject had not claimed that their requests for rectification were not met to any extent. It also could not determine any reason to question the information provided by the controller, which had stated that it complied with the requests of the data subject, although without providing a specific date when the controller did this. Despite this, the DPA held that the controller did not violate Article 16 GDPR.

Third, the DPA held that the controller had violated Article 15 GDPR because it only provided a reply to the data subject 1 year and 3 months after the request was submitted. The DPA noted that the time elapsed was 'relatively long'. Therefore, the controller had not handled the access request without undue delay pursuant to Article 12(3) GDPR. Therefore, the controller violated Article 15 GDPR.

The DPA considered this a minor infringement and reprimanded the controller pursuant to Article 58(2)(b) GDPR.

Comment

The data subject stated that in the original complaint that she requested the controller to adjust the names in the controller's e-mails in December 2018. However, the controller stated that it received the data subject's first request for rectification on 5 November 2018. Although there is only a difference of around a month between these dates and this difference is inconsequential for the assessment of the violation of Article 16 GDPR, the difference is still there, without any clarification from the parties or the DPA when the first request was submitted.

Also, it is not clear from the decision at what date the original complaint was submitted. It also not clear from the decision which German DPA transferred the complaint to the Swedish DPA, although looking at the German case number (83.41/20.039), it is most likely that this was the Berlin DPA, although this is not 100% certain.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

One-Stop-Shop Leaflet
Art. 60 final decisions
Due to national legal restrictions, none or only some of the decisions from the following Supervisory Authorities will be available on this register: DE (Lower Saxony, Mecklenburg - Western Pomerania, North Rhine - Westphalia), LT, NL and ES SAs.
The decisions from the following Supervisory Authorities will not include personal data of physical persons: BG, DE, CY (Baden-Wurttemberg, Berlin, German Federal, Rhineland - Palatinate, Saxony-Anhalt), DK, EL, ES, HR, LV, NO, RO, SK, SI and SE SAs.
The decisions from the following Supervisory Authorities will not include data of physical and legal persons: AT, BE, CZ, DE [Bavaria (Private Sector), Brandenburg, Hesse, Mecklenburg - Western Pomerania, Saarland, Saxony, Thuringia], EE, FI, FR, HU, IE, IT, LU, LV, MT, NL, PL, PT and UK SAs.
The decisions from the following Supervisory Authorities will not be anonymised: HR
Summaries of Art. 60 final decisions
The summaries of Article 60 final decisions were made under the responsibility of the EDPB Secretariat for sole informative purpose and do not intend to create any legal effect or interpretation. Please note that only the national decisions in the official language of the SA are the authentic legal source of information relating to the relevant national decisions.
The summaries from the following Supervisory Authorities will not include personal data of physical persons: BG, CY, DK, DE [Baden - Wuerttemberg, Berlin, Germany Federal, Rhineland-Palatinate, Saxony- Anhalt], EL, ES, NO, RO, SK, SI and SE SAs.
The summaries from the following Supervisory Authorities will not include data of physical and legal persons: AT, BE, CZ, DE [Bavaria Private Sector, Brandenburg, Hesse, Lower Saxony, Mecklenburg - Western Pomerania, North Rhine - Westphalia, Saarland, Saxony, Thuringia], EE, FI, FR, HU, IE, IT, LI, LT, LU, LV, MT, NL, PL, PT and UK SAs.
The summaries from the following Supervisory Authorities will not be anonymised: HR SA.
Privacy Notice
For more information on how we process your personal data in this, please consult the following page: EDPB Specific Privacy Statements