IMY (Sweden) - DI-2020-10538: Difference between revisions
From GDPRhub
(LogoSE.png) |
m (Ar moved page IMY - DI-2020-10538 to IMY (Sweden) - DI-2020-10538) |
||
| (4 intermediate revisions by one other user not shown) | |||
| Line 3: | Line 3: | ||
|Jurisdiction=Sweden | |Jurisdiction=Sweden | ||
|DPA-BG-Color= | |DPA-BG-Color= | ||
|DPAlogo= | |DPAlogo=LogoSEnew.png | ||
|DPA_Abbrevation= | |DPA_Abbrevation=IMY | ||
|DPA_With_Country= | |DPA_With_Country=IMY (Sweden) | ||
|Case_Number_Name=DI-2020-10538 | |Case_Number_Name=DI-2020-10538 | ||
| Line 48: | Line 48: | ||
}} | }} | ||
The Swedish DPA held that | The Swedish DPA held that a controller has violated article 12(3) GDPR, because, although they complied with an erasure request, they did not subsequently notify the data subject. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
A data subject made an erasure request at MAG Interactive AB on the 29th of November 2018. Since the request came from an email address that wasn't linked with the data subject's account, the controller asked for proof of identity. The data subject provided proof of identity on the 29th of May 2019. MAG Interactive AB complied with the request and deleted the personal data concerned 16 days upon the reception of the request, but out of negligence, they did not informed the data subject regarding the action taken. The reason why the data subject wasn't notified was that the second request with the proof of identity came by regular post and MAG Interactive AB normally handles requests in a system where notifications of actions taken are sent automatically. | A data subject made an erasure request at MAG Interactive AB on the 29th of November 2018. Since the request came from an email address that wasn't linked with the data subject's account, the controller asked for proof of identity. The data subject provided proof of identity on the 29th of May 2019. MAG Interactive AB complied with the request and deleted the personal data concerned 16 days upon the reception of the request, but out of negligence, they did not informed the data subject regarding the action taken. The reason why the data subject wasn't notified was that the second request with the proof of identity came by regular post and MAG Interactive AB normally handles requests in a system where notifications of actions taken are sent automatically. | ||
=== Dispute === | ===Dispute=== | ||
=== Holding === | ===Holding=== | ||
The Swedish DPA held that MAG Interactive AB in first place, had the right to verify the identity of the data subject. Upon the reception of the proof of the data subject's identity, MAG Interactive AB deleted the personal data concerned in compliance with article 17 GDPR. Despite that, they did not notify the data subject about the action taken (deletion of his personal data) and therefore they violated article 12.3. | The Swedish DPA held that MAG Interactive AB in first place, had the right to verify the identity of the data subject. Upon the reception of the proof of the data subject's identity, MAG Interactive AB deleted the personal data concerned in compliance with article 17 GDPR. Despite that, they did not notify the data subject about the action taken (deletion of his personal data) and therefore they violated article 12.3. | ||
As MAG Interactive AB reassured the DPA that they will take appropriate organisational measures to ensure that this will not occur again, the DPA closed the case and no fine was issued. | As MAG Interactive AB reassured the DPA that they will take appropriate organisational measures to ensure that this will not occur again, the DPA closed the case and no fine was issued. | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details. | The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details. | ||
Latest revision as of 15:22, 6 December 2023
| IMY - DI-2020-10538 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 12(3) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 22.01.2021 |
| Published: | 22.01.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | DI-2020-10538 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | Integritetsskyddsmyndigheten (in SV) |
| Initial Contributor: | Elisavet Dravalou |
The Swedish DPA held that a controller has violated article 12(3) GDPR, because, although they complied with an erasure request, they did not subsequently notify the data subject.
English Summary
Facts
A data subject made an erasure request at MAG Interactive AB on the 29th of November 2018. Since the request came from an email address that wasn't linked with the data subject's account, the controller asked for proof of identity. The data subject provided proof of identity on the 29th of May 2019. MAG Interactive AB complied with the request and deleted the personal data concerned 16 days upon the reception of the request, but out of negligence, they did not informed the data subject regarding the action taken. The reason why the data subject wasn't notified was that the second request with the proof of identity came by regular post and MAG Interactive AB normally handles requests in a system where notifications of actions taken are sent automatically.
Dispute
Holding
The Swedish DPA held that MAG Interactive AB in first place, had the right to verify the identity of the data subject. Upon the reception of the proof of the data subject's identity, MAG Interactive AB deleted the personal data concerned in compliance with article 17 GDPR. Despite that, they did not notify the data subject about the action taken (deletion of his personal data) and therefore they violated article 12.3. As MAG Interactive AB reassured the DPA that they will take appropriate organisational measures to ensure that this will not occur again, the DPA closed the case and no fine was issued.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (3)
MAG Interactive AB
Org.nr: 556804-3524
Drottninggatan 95A
113 60 Stockholm
Record number:
DI-2020-10538 Decision after supervision according to
Date: Data Protection Regulation - MAG
2021-01-22
Interactive AB
The decision of the Integrity Protection Authority
The Privacy Protection Authority states that MAG Interactive AB has processed
personal data in breach of Article 12 (3) of the Data Protection Regulation by not without
unnecessary delay informed the complainant of the outcome of the complainant's request for
deletion pursuant to Article 17 of 29 May 2019 until 6 November 2020.
The case is closed without action.
Report on the supervisory matter
The Privacy Protection Authority (IMY) has initiated supervision regarding MAG Interactive AB
(the company) in connection with a complaint. The complaint has been submitted to IMY, i
as the supervisory authority responsible for the company's activities in accordance with Article 56
the Data Protection Regulation, from the supervisory authority of the country where the complainant has left
lodged its complaint in accordance with the provisions of the Regulation on cooperation in
cross-border cases.
The complaint alleges that the company has not handled the complainant's request
deletion of the complainant's personal data in accordance with Article 17 of the Data Protection Regulation.
MAG Interactive AB has mainly stated the following. The company first received a request
on deletion of the complainant's account on the company's services on 29 November 2018 (on
first request). Because the request came from a different email address than the one that
linked to the account, the company requested that the complainant return with evidence to
proof of his identity, which the complainant did not do. On May 29, 2019, a new one was added
request for deletion of the complainant's account, but then by post and with the required
evidence to prove the identity of the complainant (the second request). The company deleted
Postal address: the complainant's information manually on 15 June 2019 in accordance with the request, except those
Box 8114
information needed to show that the request has been processed. Due to oversight
104 20 Stockholm, however, the complainant was not informed of the outcome of the request in connection with that
Website:
www.imy.se
E-mail:
imy@imy.se REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on
08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation). Integrity Protection Authority Record number: DI-2020-10538 2 (3)
Date: 2021-01-22
request was processed. Instead, it took place only in connection with a review before answers in
this supervisory matter, ie on 6 November 2020.
The processing has taken place through correspondence. Given that it applies to one
cross-border complaints, the IMY has used the mechanisms of cooperation
and uniformity contained in Chapter VII of the Data Protection Regulation. Affected
regulators have been the data protection authorities in Norway, Ireland, France,
Austria, Denmark, Poland and Germany.
Justification of decision
Applicable regulations
According to Article 12 (3) of the Data Protection Regulation, the controller shall:
request without undue delay and in any case no later than one month after
to have received the request to provide the data subject with information on the measures taken
taken in accordance with Article 17. This period may, if necessary, be extended by a further two
months, taking into account the complexity of the request and the number received
requests. The personal data controller shall notify the data subject of a
such extension within one month of receipt of the request and state the reasons
to the delay.
According to Article 12 (6), the controller may, if he has reasonable grounds for:
question the identity of the natural person submitting a request under Article 17;
request additional information necessary to confirm the data subject's
identity is provided.
According to Article 17 (1) (a), the data subject shall have the right to be informed by the controller
without undue delay have their personal data deleted and it
the person responsible for personal data shall be obliged to delete without undue delay
personal data if the personal data are no longer necessary for the purposes for which
which they have collected or otherwise treated. According to Article 17 (3) (b), this shall not be the case
apply to the extent that the processing is necessary to comply with a legal
obligation requiring treatment under Union law.
Pursuant to Article 57 (1) (f), each supervisory authority in its territory shall be responsible for:
process complaints from a data subject and, where appropriate, investigate the matter
to which the complaint relates.
The Integrity Protection Authority's assessment
Regarding the first request, IMY states that MAG Interactive AB was reasonable
reasons to doubt the identity of the appellant and thus justifiable to request that the appellant
provided additional evidence, which the appellant did not do. IMY considers against this
background that the company has not been obliged to take any further measures
due to that request.
With regard to the second request, IMY notes that the company deleted the complainant's
information, in addition to the information required to demonstrate that the request has been processed, within
16 days from the company receiving the request on May 29, 2019. IMY believes that the company has
deleted the complainant's information without undue delay within the meaning of Article
17 Data Protection Regulation. Furthermore, the company has been justified in retaining the information. The Privacy Protection Agency Record number: DI-2020-10538 3 (3)
Date: 2021-01-22
needed to demonstrate that the request has been processed in accordance with
the Data Protection Regulation.
However, the company first informed the complainant of the outcome of the second request
6 November 2020. Since the data controller pursuant to Article 12 (3) without
unnecessary delay and in any case no later than one month after receipt
request, with no exception here, shall inform the data subject of the
measures taken pursuant to Article 17, MAG Interactive AB has violated Article 12 (3)
the Data Protection Regulation.
The company has stated that the reason why the complainant was not informed of the result
of the request was due to an oversight. According to the company, this was mainly caused by
that the request was handled manually because it was received by mail and that the company normally
handles requests in a system where notifications of actions taken are sent
automatically. Due to what happened, the company has stated that it will see
over their routines so that what happened is not repeated. The company will, among other things, put
set up a separate log for manual cases to ensure that all steps are followed, including
that the user is notified in the manner he has requested.
IMY states that it is of course important that the person responsible for personal data notifies
the data subject on what measures have been taken in connection with his
request, even in cases where the request is fully complied with to the extent that may be required.
In light of the circumstances regarding the infringement that the company has highlighted
- and the measures that the company has stated that it has taken and will take - considers
however, IMY that the substance of the complaint has been investigated to the extent appropriate
Article 57 (1) (f) of the Data Protection Regulation.
Against this background, the case is closed without action.
This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by
lawyer Olle Pettersson.
Catharina Fernquist, 2021-01-22 (This is an electronic signature)
