IMY (Sweden) - IMY-2023-4559: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=IMY-2023-4559 |ECLI= |Original_Source_Name_1=Integritetsskydds myndigheten |Original_Source_Link_1=https://www.imy.se/contentassets/882af6d7f09b4412872ba754618fbaf1/beslut-tillsyn-nordea.pdf |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Sourc...") |
mNo edit summary |
||
| (One intermediate revision by one other user not shown) | |||
| Line 61: | Line 61: | ||
}} | }} | ||
The DPA held that a | The DPA held that the right to a copy of personal data does not include the recording of a phone call with an employee of the controller, if the data subject was provided with a transcript of said call. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject requested access from the controller, the | The data subject requested access from the controller, the Swedish branch of the Nordea Bank. The data subject requested a recording of a conversation between one of the controller’s employees and the data subject himself. The data subject only received a copy of the conversation without the voice of the controller’s employee. | ||
The data subject filed a complaint at the Swedish DPA ( | The data subject filed a complaint at the Swedish DPA (''Integritetsskydds myndigheten, IMY'') for a violation of the right of access under [[Article 15 GDPR|Article 15 GDPR]] as the data subject did not receive a copy of the conversation that included the voice of the controller’s employee. | ||
The controller argued that it had complied with the request by allowing the data subject to listen to the recording on site at the controller’s branch. The data subject had also been offered a transcript of the phone conversation and a copy of the audio file with the recording in which the controller’s employee’s voice had been edited out. | The controller argued that it had complied with the request by allowing the data subject to listen to the recording on site at the controller’s branch. The data subject had also been offered a transcript of the phone conversation and a copy of the audio file with the recording in which the controller’s employee’s voice had been edited out. | ||
=== Holding === | === Holding === | ||
According to the DPA, the right of access implies that the controller is obliged to provide a data subject with the requested copy of the processed personal data | According to the DPA, the right of access under Article 15 GDPR implies that the controller is obliged to provide a data subject with the requested copy of the processed personal data. However, the DPA notes that this right to a copy must not adversely affect the rights and freedoms of others. The DPA explains that the purpose of the right of access is to ensure that the data subject is aware that the processing is taking place and can verify its lawfulness. The right to obtain a copy of personal data includes a right for the data subject to obtain an accurate and intelligible reproduction of all personal data that the controller processes about them. | ||
The DPA held that the data subject’s voice in the telephone conversation is personal data of the data subject and thus the data subject is entitled to receive a copy of this telephone conversation. However, the DPA also held that the voice of the controller's employee does not constitute personal data concerning the data subject. Therefore, | The DPA held that the data subject’s voice in the telephone conversation is personal data of the data subject and thus the data subject is entitled to receive a copy of this telephone conversation. However, the DPA also held that the voice of the controller's employee does not constitute personal data concerning the data subject. Therefore, a transcript of the telephone conversation is sufficient according to the DPA. | ||
The DPA | The DPA concluded that the controller satisfied the data subject’s request for access and therefore rejected the complaint. | ||
== Comment == | == Comment == | ||
Latest revision as of 13:28, 10 April 2024
| IMY - IMY-2023-4559 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 06.12.2023 |
| Published: | 03.04.2024 |
| Fine: | n/a |
| Parties: | Nordea Bank |
| National Case Number/Name: | IMY-2023-4559 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | Integritetsskydds myndigheten (in SV) |
| Initial Contributor: | ec |
The DPA held that the right to a copy of personal data does not include the recording of a phone call with an employee of the controller, if the data subject was provided with a transcript of said call.
English Summary
Facts
The data subject requested access from the controller, the Swedish branch of the Nordea Bank. The data subject requested a recording of a conversation between one of the controller’s employees and the data subject himself. The data subject only received a copy of the conversation without the voice of the controller’s employee.
The data subject filed a complaint at the Swedish DPA (Integritetsskydds myndigheten, IMY) for a violation of the right of access under Article 15 GDPR as the data subject did not receive a copy of the conversation that included the voice of the controller’s employee.
The controller argued that it had complied with the request by allowing the data subject to listen to the recording on site at the controller’s branch. The data subject had also been offered a transcript of the phone conversation and a copy of the audio file with the recording in which the controller’s employee’s voice had been edited out.
Holding
According to the DPA, the right of access under Article 15 GDPR implies that the controller is obliged to provide a data subject with the requested copy of the processed personal data. However, the DPA notes that this right to a copy must not adversely affect the rights and freedoms of others. The DPA explains that the purpose of the right of access is to ensure that the data subject is aware that the processing is taking place and can verify its lawfulness. The right to obtain a copy of personal data includes a right for the data subject to obtain an accurate and intelligible reproduction of all personal data that the controller processes about them.
The DPA held that the data subject’s voice in the telephone conversation is personal data of the data subject and thus the data subject is entitled to receive a copy of this telephone conversation. However, the DPA also held that the voice of the controller's employee does not constitute personal data concerning the data subject. Therefore, a transcript of the telephone conversation is sufficient according to the DPA.
The DPA concluded that the controller satisfied the data subject’s request for access and therefore rejected the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(3)
Nordea Bank Abp, branch in Sweden
Sent via e-mail
Diary number:
IMY-2023-4559 Decision after supervision according to
Date: data protection regulation – Nordea
2023-06-12
Bank Abp, branch in Sweden
The Privacy Protection Authority's decision
The Swedish Data Protection Authority states that Nordea Bank Plc, branch in Sweden has
granted the appellant's request for access. Against this background finds
The Privacy Protection Authority has no reason to take any further action in the case.
The case is closed.
Account of the supervisory matter
The Swedish Privacy Protection Agency (IMY) has started supervision regarding Nordea Bank Abp,
branch in Sweden (hereinafter Nordea or the bank) for the purpose of investigating a complaint about the right to
access according to Article 15 of the Data Protection Regulation.
The appellant has essentially stated the following. The complainant has requested access from Nordea
regarding a recording of a conversation between the complainant and one of Nordeas
coworker. The complainant has not received a copy of the conversation between Nordea's employees
vote appears, which the appellant has requested.
Nordea has essentially stated the following. The appellant has requested to be informed of
the recording of the current call. Nordea has complied with the request by the appellant
have been able to listen to the recording on site at Nordea. The appellant has further been offered
transcription of the conversation as well as a copy of the audio file with recording there Nordeas
employee's voice is edited out, as it has been judged to have a negative impact on
the employee's rights to disclose his vote.
Justification of the decision
Postal address: Applicable regulations, etc.
Box 8114
104 20 Stockholm The right to access is regulated in Article 15 of the data protection regulation. Of the right of access
Website: follows i.a. that the person in charge of personal data is obliged to a registered person, i.e. one
www.imy.se identified or identifiable natural person, who requests it to provide confirmation of
E-mail:
imy@imy.se
1 Regulation (EU) 2016/79 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of
08-657 61 00 directive 95/46/EC. The Swedish Privacy Agency Diary number: IMY-2023-4559 2(3)
Date: 2023-06-12
personal data relating to the registered person is processed or not. Treated as such
data, the personal data controller must e.g. provide the data subject with a copy
on the personal data that is being processed. This right to a copy shall not, however
4
adversely affect the rights and freedoms of others.
The purpose of the right of access is for the data subject to become aware that
the processing takes place and be able to check that it is legal. The right to receive a copy of
personal data includes a right for the data subject to receive an accurate and comprehensible
reproduction of all personal data processed by the personal data controller
5
about him or her.
IMY's assessment
The complainant's voice, appearing in a telephone conversation, constitutes personal data about him
the appellant, which the appellant is thus entitled to receive a copy of in an audio file. Nordeas
however, the employee's voice does not constitute personal data about the complainant. As for that part
of the current telephone conversation which consists of statements from Nordea's employees is
therefore sufficient that the data, to the extent that they constitute personal information about
the appellant, provided by a transcript of the conversation.
In the case, it has emerged that Nordea has provided access by offering the audio file
containing the complainant's voice and transcription of the conversation. IMY states
thus that Nordea has satisfied the complainant's request for access. Against this one
background, the Swedish Privacy Authority finds no reason to take any further action
action in the matter.
The case must therefore be closed.
------------------------------
This decision has been made by the acting head of unit Nidia Nordenström after
presentation by lawyer Fredrik Löfgren.
Nidia Nordenström, 2023-06-12 (This is an electronic signature)
Copy to
The appellant
2
3Article 15.1 of the data protection regulation.
4Article 15.3 of the data protection regulation.
Article 15.4 of the data protection regulation.
5 The judgment of the EU Court of Justice of 4 May 2023 in case C-487/21. Data Protection Agency Diary number: IMY-2023-4559 3(3)
Date: 2023-06-12
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time, send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
