IMY (Sweden) - 2022-1032: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=2022-1032 |ECLI= |Original_Source_Name_1=IMY |Original_Source_Link_1=https://www.imy.se/contentassets/4a448ecb94804740b8e4389d771d1732/beslut-tillsyn-lensway-group-ab.pdf |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Origi...") |
mNo edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 74: | Line 74: | ||
These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR. | These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR. | ||
Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature asked in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent. The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that in the present case, the data subjects had not been identified on a good and secure way when contacting the controller. | Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature asked in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent. | ||
The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that in the present case, the data subjects had not been identified on a good and secure way when contacting the controller. Indeed, the customer relationship could be established on two ways: either by making a purchase, or by creating an account. | |||
=== Holding === | === Holding === | ||
Firstly, regarding the information requested, the DPA assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under [[Article 12 GDPR#6|Article 12(6) GDPR]] additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller. The DPA considered that in the present case, the controller had not demonstrated that there were reasonable grounds to doubt the data subjects’ identity. | Firstly, regarding the information requested, the DPA assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under [[Article 12 GDPR#6|Article 12(6) GDPR]] additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller. The DPA considered that in the present case, the controller had not demonstrated that there were reasonable grounds to doubt the data subjects’ identity. | ||
The DPA also examined if the information requested was necessary to confirm the data subjects’ identity. The IMY considered that providing a copy of an ID is an intrusive measure and is only appropriate when alternative less intrusive verification methods are inappropriate. The DPA found that in the present case, the controller did not demonstrate that a copy of an ID or a signature were absolutely necessary or appropriate. | The DPA also examined if the information requested was necessary to confirm the data subjects’ identity. The IMY considered that providing a copy of an ID is an intrusive measure and is only appropriate when alternative less intrusive verification methods are inappropriate. In the present case for example, data subjects could have logged into their accounts. The DPA found that in the present case, the controller did not demonstrate that a copy of an ID or a signature were absolutely necessary or appropriate. | ||
Therefore, the DPA concluded that the controller breached [[Article 12 GDPR#6|Article 12(6) GDPR]]. | Therefore, the DPA concluded that the controller breached [[Article 12 GDPR#6|Article 12(6) GDPR]]. | ||
Line 85: | Line 87: | ||
Secondly, regarding the sending of the documents by mail, under [[Article 12 GDPR#2|Article 12(2) GDPR]], the use of ordinary mail as the only means of contact is accepted in exceptional circumstances. The DPA added that alternative ways of submitting requested data should be offered. The IMY held that sending a copy of an identity document may entail special risks which may justify that the document be sent by post, if this is necessary to confirm the identity of the data subject. However, as this was not the case, the DPA found that the controller violated [[Article 12 GDPR#2|Article 12(2) GDPR]]. | Secondly, regarding the sending of the documents by mail, under [[Article 12 GDPR#2|Article 12(2) GDPR]], the use of ordinary mail as the only means of contact is accepted in exceptional circumstances. The DPA added that alternative ways of submitting requested data should be offered. The IMY held that sending a copy of an identity document may entail special risks which may justify that the document be sent by post, if this is necessary to confirm the identity of the data subject. However, as this was not the case, the DPA found that the controller violated [[Article 12 GDPR#2|Article 12(2) GDPR]]. | ||
Thus, the DPA issued a reprimand to the controller for breaching Articles 12(2) and 12(6) GDPR. | Thus, the DPA issued a reprimand to the controller for breaching [[Article 12 GDPR#2|Articles 12(2)]] and [[Article 12 GDPR#6|12(6) GDPR.]] | ||
== Comment == | == Comment == |
Latest revision as of 08:16, 24 April 2024
IMY - 2022-1032 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(2) GDPR Article 12(6) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.01.2023 |
Published: | 09.04.2024 |
Fine: | n/a |
Parties: | Lensway Group AB |
National Case Number/Name: | 2022-1032 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | nzm |
The DPA issued a reprimand against a controller for asking data subjects to provide a copy of their ID as well as signed documents by post, when there were no reasonable grounds to doubt the identity of the data subjects.
English Summary
Facts
A data subject in Finland contacted Lensway Group AB (“controller”) and made an erasure request. The controller replied that the data subject needed to send them his postal address so that they could send him documents related to the request, which should be signed and returned by him. The controller also asked the data subject to verify his identity by sending a copy of his ID by email. The data subject refused to provide this information. The data subject therefore lodged a complaint with the Finnish DPA.
Another data subject, in Denmark, contacted the same controller, also for an erasure request. To comply with the request, the controller asked the data subject to provide his social security number and a copy of his ID. The data subject questioned the need for the controller to collect personal data in order to delete his personal data and suggested that it could confirm his identity by sending an email to the address it had registered for him. The controller refused.
These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR.
Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature asked in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent.
The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that in the present case, the data subjects had not been identified on a good and secure way when contacting the controller. Indeed, the customer relationship could be established on two ways: either by making a purchase, or by creating an account.
Holding
Firstly, regarding the information requested, the DPA assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under Article 12(6) GDPR additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller. The DPA considered that in the present case, the controller had not demonstrated that there were reasonable grounds to doubt the data subjects’ identity.
The DPA also examined if the information requested was necessary to confirm the data subjects’ identity. The IMY considered that providing a copy of an ID is an intrusive measure and is only appropriate when alternative less intrusive verification methods are inappropriate. In the present case for example, data subjects could have logged into their accounts. The DPA found that in the present case, the controller did not demonstrate that a copy of an ID or a signature were absolutely necessary or appropriate.
Therefore, the DPA concluded that the controller breached Article 12(6) GDPR.
Secondly, regarding the sending of the documents by mail, under Article 12(2) GDPR, the use of ordinary mail as the only means of contact is accepted in exceptional circumstances. The DPA added that alternative ways of submitting requested data should be offered. The IMY held that sending a copy of an identity document may entail special risks which may justify that the document be sent by post, if this is necessary to confirm the identity of the data subject. However, as this was not the case, the DPA found that the controller violated Article 12(2) GDPR.
Thus, the DPA issued a reprimand to the controller for breaching Articles 12(2) and 12(6) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(8) Lensway Group AB Diary number: IMY-2022-1032 Decision after supervision according to data protection regulation - Lensway Date: 2023-01-19 Group AB The Privacy Protection Authority's decision The Privacy Protection Authority states that Lensway Group AB when handling the deletion request made on February 20, 2020 by the complainant in complaint 1, and on June 25, 2020 by the complainant in complaint 2, has processed personal data in violation with: • article 12.6 of the data protection regulation by requesting a copy of identity document and signature when this was not necessary to confirm the identities of the complainants as well • Article 12.2 of the Data Protection Regulation by requiring the complainants at requests for deletion must submit data to confirm their identities via post, which did not facilitate the appellants' exercise of their right to deletion. The Privacy Protection Authority gives Lensway Group AB a reprimand according to article 58.2 b of the data protection regulation for violation of articles 12.2 and 12.6 of data protection regulation. Account of the supervisory matter Handling The Swedish Privacy Protection Agency (IMY) has started supervision of Lensway Group AB (the company) due to two complaints, mainly to investigate the Lensway Group AB has received and handled the complainant's request for deletion in a correct manner according to articles 12 and 17 of the data protection regulation. The complaints have been handed over to IMY, in its capacity as responsible supervisory authority pursuant to Article 56 i Postal address: data protection regulation. The handover has taken place from the supervisory authorities in that country Box 8114 where the complainants have filed their complaints (Finland and Denmark) pursuant to 104 20 Stockholm Regulation's provisions on cooperation in cross-border processing. Website: www.imy.se E-mail: imy@imy.se 1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of Telephone: natural persons with regard to the processing of personal data and on the free flow of such data and on 08-657 61 00 repeal of directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: IMY-2022-1032 2(8) Date: 2023-01-19 The proceedings at IMY have taken place through an exchange of letters. Against the background that it applies cross-border treatment, IMY has used the mechanisms for cooperation and uniformity found in Chapter VII of the Data Protection Regulation. Affected supervisory authorities have been the data protection authorities in Denmark, Norway and Finland. The complaints The complaints essentially state the following. Complaint 1 (Complaint from Finland with national diary number 1576/153/2020) The complainant has been in contact with the company on 20 February 2020 and requested deletion. The company has replied to the complainant that he needs to send his postal address to them so that they may send documents relating to his request to him. These actions would appellant sign and return. Furthermore, the company has requested that the complainant should verify their identity by sending a copy of their identity document via e-mail. Of for security reasons, the appellant has not been willing to submit what was requested of him. Complaint 2 (Complaint from Denmark with national diary number 2020-31-3616) The complainant has requested deletion of his information on lensway.dk. To accommodate request, the company has requested that he provide his social security number and submit a copy of their identity document. However, the company cannot tell the appellant why they need this information other than they need it to able to confirm his identity. The appellant disputes that the company needs to collect personal data to delete personal data. The complainant suggested that the company instead could confirm his identity by sending an email to the address that was registered to him but they refused. What the company has stated The company has in its opinion from 20 April, 12 May and 11 August 2022 in essentially stated the following. The company is responsible for the processing of personal data to which the complaints relate. Complaint 1 The company has received the complainant's request for deletion, but the complainant has not followed through the company's verification process applicable at the time. The company has requested that the complainant should send in a copy of your identity document. It is the only way that the company so far have been able to ensure the customer's identity on The copy would be sent via ordinary mail aisle. The company has also requested that the complainant submit a signed request for deletion. The company has so far not been able to receive this data digitally. To ensure that they have received original documents, they have asked the complainant to send them in this via regular mail. Complaint 2 The company has received the request for deletion on June 25, 2020, but the complainant has not completed the company's verification process applicable at the time. It is true that the company requested the appellant's social security number in the written record but it has was voluntary in providing this information. As an addition to the information in the written basis, the company has requested that the complainant submit a copy of his identity document. The company has so far not been able to identify the complainant in any other way. Date: 2023-01-19 way. The appellant has been asked to submit the information via ordinary post in order to ensure that the company has received documents in original. Regarding both complaints, the company has stated the following As regards the written request that both appellants would submit, states the company follows regarding which personal data was mandatory to provide and why the information was necessary. • Name is a mandatory information that is requested in order to confirm it data subject's identity. • E-mail address is a mandatory information requested to be used as a unique identifier of customers in the company's system. • Signature is a mandatory task for the company to ensure that the registrant has read the information and given his consent. The company states that they should always ensure that it is the right person who contacts them then it concerns requests to exercise a right under the Data Protection Regulation. Then the company was previously unable to identify the customer in a good and safe way when they contacted the company via customer service has the manual process via regular mail been the one they used. In this way, they have achieved a two-step verification. Functionality to enable confirmation of the customer's identity via customer service has not been in place. The customer relationship with the company can be established in two ways, either the customer implements one buy or the customer logs in to My Pages. When the customer creates an account on Mina Pages provide the customer with their email address and a confirmation email sent to the customer. The customer can then access one via the link in the email web page where he links a password to the e-mail address. The customer account is then created and the company thus receives a two-step verification. The appellants have used of the other means by which the customer relationship can be established. The complainants have made purchases with the company and they have then been identified via the company's payment service provided by Klarna. For most payment options, Klarna requires that the customer verifies himself via bankID. For certain payment methods, for example payment with credit card, the customer can choose not to have to verify themselves via bankID through Klarna's app. The company's existing digital contact route is Mina Sidor. However, there has been none functionality to handle requests to exercise a right under the data protection regulation on My Pages. Since April 2022, the company's customers can now request to be deleted or receive a copy of their personal data directly via My Pages. The customer's identity is then verified via regular login. Justification of the decision Applicable regulations, etc. According to Article 17.1, the data subject shall have the right to the personal data controller without unnecessary delay have their personal data deleted and the personal data controller shall be obliged to delete personal data about any of them without undue delay prerequisites listed in the article exist, for example if the information is not Date: 2023-01-19 are no longer necessary for the purposes for which they have been collected or consented to treatment is withdrawn. According to Article 12.2, the personal data controller must facilitate its exercise data subject's rights in accordance with Articles 15–22. Article 12.6 states that, without prejudice to the application of Article 11, it may personal data controller, if he has reasonable grounds to doubt its identity natural person who submits a request under Articles 15-21, request that additional information necessary to confirm the identity of the data subject is provided. 2 In the European Data Protection Board's (EDPB) Guidelines 01/2022 on access is stated among other following. 65. If the data controller requests additional information that is necessary to confirm the identity of the data subject it shall personal data controller each time assess which information will enable the personal data controller to confirm the data subject identity and possibly ask additional questions of the requesting person or request the data subject to provide additional identifying information, if any proportionately (see section 3.3). Such additional information should not be more than the information originally needed to control it was recorded identity (authentication). In general, the fact that the the controller may request additional information to assess it data subject's identity does not lead to excessive demands and to the collection of personal data that is not relevant or necessary to strengthen the connection between the individual and the personal data requested. 3 […] 73. It should be emphasized that the use of a copy of an identity document as a part of the authentication process poses a risk to the security of personal data and may lead to unauthorized or illegal processing, and therefore should be considered inappropriate, unless absolutely necessary, appropriate and in accordance with national legislation. In such cases, the personal data controllers should have systems that ensures a level of security suitable to reduce the higher risks of the freedom and rights of the data subject to receive such data. It is also important to note that identification using an identity card not necessarily helps in an online context (e.g. when using pseudonyms) about it the person concerned cannot provide any other evidence, e.g. further 4 properties that match the user account. 2EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 1.0 (EDPB's Guidelines 01/2022 on the right of access). The guidelines have been out for public consultation and are awaiting final adoption. 3IMY's translation, original: In cases where the controller requests the provision of additional information necessary to confirm the identity of the data subject, the controller shall each time assess what information will allow it to confirm the data subject's identity and possibly ask additional questions to the requesting person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3). Such additional information should not be more than the information initially needed for the verification of the data subject's identity (authentication). In general, the fact that the controller may request additional information to assess the data subject's identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary 4o strengthen the link between the individual and the personal data requested. IMY's translation, original: It should be emphasized that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorized or unlawful processing, and as such it should be considered inappropriate, unless it is strictly necessary, suitable, and in line with national law. In such cases the controllers should have systems in place that ensure a level of security appropriate to Date: 2023-01-19 The Swedish Privacy Protection Authority's assessment Based on the current complaints in the case, IMY has reviewed the company's action in these two individual cases. Has the company acted in accordance with 12.6 of the data protection regulation when the company requested current information from the complainants? Did Lensway Group have reasonable grounds to doubt the identity of the complainants? It is only when the personal data controller has reasonable grounds to doubt the identity with the person who made the request who receives additional information to confirm the identity is requested. What constitutes "reasonable grounds" in Article 12.6 of the Data Protection Regulation should assessed based on the circumstances of the individual case. The assessment of whether there is reasonable grounds to doubt in an individual case the identity of the person making the request is made normally in light of the information provided in connection with the request. The applies especially in situations where the person in charge of personal data lacks further knowledge about this person. However, the fact that an individual assessment is required does not preclude that routines are established for how the person in charge of personal data normally verifies it data subject's identity. The company has been given the opportunity to justify the individual assessment based on which it was made the appellants' situation if they considered that they had reasonable grounds to doubt the identity of the appellants when they presented their requests. Regarding both appellants, the company has i mainly stated the following. The company should always ensure that it is the right person who contacts them regarding requests to exercise a right under data protection regulation. The customer has not previously been able to be identified in a good and secure way when they contacted the company via Customer Service. Functionality for management of requests to exercise a right under the Data Protection Regulation have never existed at Customer Service or on My Pages. IMY states that it is not clear from the investigation in the case which data are the appellants submitted in connection with their request and if based on these there were any reason for the company to doubt their identity. However, IMY considers that against the background from what has emerged in the case, there is no reason to question the company's statement that the company had reason to doubt the identity of the complainants. In the assessment does the IMY consider the fact that the obligation to ensure the identity of the person making a the request also has the purpose of protecting data subjects against someone else doing it incorrectly requests in their name, which may lead to negative consequences for it registered. The risks of these negative consequences in case of false requests are particularly evident when it comes to more intrusive measures, such as the exercise of the right to erasure. IMY therefore finds that it has not been shown other than that the company in the relevant the cases had reasonable grounds to doubt the identity of the appellants. Has the information requested by Lensway Group been necessary to confirm the identity of the complainants? Even if the personal data controller has reasonable grounds to doubt the identity of those complainant, the personal data controller shall not collect more personal data than what which is necessary to enable identification of the requesting data subject. mitigate the higher risks for the rights and freedoms of the data subject to receive such data. It is also important to note that identification by means of an identity card does not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching to the user account. The Swedish Data Protection Agency Diary number: IMY-2022-1032 6(8) Date: 2023-01-19 The company has essentially stated the following regarding the necessity of that information those requested by both appellants. A copy of the identity document has been requested when it was the only way the company has so far been able to ensure the customer's identity. In addition to copy of identity document, the appellants should submit a written document. The information that has been requested in the written documentation and why it was necessary, is reported by the company essentially as follows. The name has been requested to confirm it data subject's identity. The email address has been requested to be used as a unique identifier of customers in the company's system. The signature has also been requested and is as per the company a necessary information in order for the company to be able to ensure that it registrant has read through the information and given his consent to the handling of request. Regarding whether the identity of the complainants has been verified, the company has stated that both the complainant has made purchases where they have been identified via the company's payment service as provided by Klarna. It appears from the company's opinion that it was not required that the company itself verified the true identity of the appellants when the customer relationship was established, i.e. upon purchase. IMY notes that the company cannot demand more personal data when the complainant wants to use it their rights than what was required when establishing the customer relationship. Copy of identity document and signature are information that the company has not requested the establishment of the customer relationship in these two current cases. Furthermore, IMY considers that according to The EDPB's guidelines on the right of access should the use of a copy of an identity document as part of the authentication process is considered inappropriate, unless it is absolute necessary, appropriate and in accordance with national legislation. IMY considers that the requirement to providing the personal data controller with a copy of their identity document is one interventional measure, which is only appropriate when the personal data controller previously has ensured the actual identity of the registered and then alternative less intrusive verification methods are inappropriate. IMY assesses that it has not emerged some circumstances that speak against other, less intrusive, verification methods could have been used in the current cases, for example login via My Pages or control questions. IMY notes that in the case it therefore does not emerged that the request for the copy of the identity document or the signature would have been absolutely necessary or appropriate. In light of this, IMY assesses that the copy of the identity document and the signature thus cannot be considered to have been necessary to confirm the identity of the appellants in accordance with Article 12.6 of the Data Protection Regulation. Has the company acted in accordance with 12.2 of the data protection regulation when the company requested that the complainants send the information by post? The next question is whether it has been permissible to require the appellants to send them the requested information to the company via ordinary post. In light of the requirements to facilitate the exercise of the data subject's rights i article 12.2 of the data protection regulation, it can only be accepted in exceptional cases that a personal data controller as the only contact means refers individuals to regular mail they must submit information to ensure their identities, for example if it is justifiable with regard to security reasons. The starting point should be that alternative ways of submitting requested information must be offered. The company has the Swedish Data Protection Agency Diary number: IMY-2022-1032 7(8) Date: 2023-01-19 this part essentially stated that they have demanded that the data be sent via ordinary post office to ensure that they have received the original written documentation. IMY assesses that sending a copy of an identity document can indeed involve special risks which may justify requiring that the act sent by post. This is provided that it is a necessary task in order to confirm the identity of the data subject. In the current cases, IMY assesses above that there was no copy of the identity document necessary to confirm the identity of the complainants. By demanding of the complainants that the information must also be sent via regular mail, IMY considers that the company has not made it easier for the complainants to exercise their right to erasure. IMY assesses thereby that the company thereby acted in violation of Article 12.2 of the data protection regulation. Choice of intervention From articles 58.2 i and 83.2 of the data protection regulation, it appears that IMY has the authority to impose administrative penalty fees in accordance with Article 83. Subject to the circumstances of the individual case, administrative penalty fees must be imposed in addition to or instead of the other measures referred to in Article 58.2, such as injunctions and prohibitions. Furthermore, Article 83.2 states which factors must taken into account when deciding whether administrative penalty charges are to be imposed and at determining the size of the fee. If it is a question of a minor violation, IMY gets as set out in recital 148 instead of imposing a penalty charge issue one reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating factors circumstances of the case, such as the nature, severity and duration of the infringement as well as previous violations of relevance. IMY notes the following relevant circumstances. It has of the investigation in the matter found that a copy of the identity document and signature are no longer requested by Lensway Group AB in the event of requests from registered users to exercise their right to deletion according to the data protection regulation. Furthermore, the established violations have occurred relatively far back in time (2020) and has affected two registrants. Against this one background, IMY finds that it is a question of such minor violations in that sense as referred to in reason 148 which means that Lensway Group AB must be given a reprimand according to Article 58.2 b of the Data Protection Regulation for the identified violations. __________________________________________________ This decision has been taken by the special decision-maker lawyer Evelin Palmér after presentation by the lawyer Anna Mlynska. Evelin Palmér, 2023-01-19 (This is an electronic signature) The Swedish Privacy Agency Diary number: IMY-2022-1032 8(8) Date: 2023-01-19 How to appeal If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received it part of the decision. If the appeal has been received in time send The Privacy Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.