IMY (Sweden) - DI-2019-6523: Difference between revisions
From GDPRhub
(→Facts) |
m (→Facts) |
||
| Line 66: | Line 66: | ||
=== Facts === | === Facts === | ||
IMY initiated an investigation against the controller on 2019 to check whether consent was obtained in compliance with Article 6(1) | IMY initiated an investigation against the controller on 2019 to check whether consent was obtained in compliance with [[Article 6 GDPR|Article 6 (1).]] Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data, and started relying mainly on contractual necessity on [[Article 6 GDPR|Article 6(1)(b) GDPR]] or legitimate interest on [[Article 6 GDPR|Article 6(1)(f) GDPR]] instead of consent. However, the controller accidentally missed updating the registration flow of one of the company's webshop, Magasinshoppen, accordingly. It had a checkbox on this webpage along with the text "I accept the subscription terms. By doing so, I consent to the processing of personal data within the Bonnier Group." | ||
Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data, and started relying mainly on contractual necessity on [[Article 6 | |||
After the IMY's inspection began, the controller took immediate action to correct the information provided in Magasinshoppen's registration process. | After the IMY's inspection began, the controller took immediate action to correct the information provided in Magasinshoppen's registration process. | ||
=== Holding === | === Holding === | ||
IMY concluded that the controller has processed personal data in contravention of [[Article 13(1)(c) GDPR]] by indicating an incorrect legal basis. | IMY concluded that the controller has processed personal data in contravention of [[Article 13 GDPR|Article 13(1)(c) GDPR]] by indicating an incorrect legal basis. IMY assessed that it was a minor deficiency that did not resulted in serious consequences to the data subjects, leading to a reprimand. For this, IMY considered that the controller took immediate action to update the registration of its webshop after IMY initiated supervision. Additionally, IMY noted the limited use of the page for subscriptions during the relevant time period, and recognized that it was a mistake that the website was not updated in connection with the controller's review of its routines. | ||
IMY assessed that it was a minor deficiency that did not resulted in serious consequences to the data subjects, leading to a reprimand. For this, IMY considered that the controller took immediate action to update the registration of its webshop after IMY initiated supervision. Additionally, IMY noted the limited use of the page for subscriptions during the relevant time period, and recognized that it was a mistake that the website was not updated in connection with the controller's review of its routines. | |||
== Comment == | == Comment == | ||
Revision as of 18:44, 2 May 2024
| IMY - DI-2019-6523 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 13(1)(c) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 04.06.2019 |
| Decided: | 26.06.2023 |
| Published: | 26.06.2023 |
| Fine: | n/a |
| Parties: | Expressen Lifestyle AB |
| National Case Number/Name: | DI-2019-6523 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | IMY (Sweden) (in SV) |
| Initial Contributor: | izel |
IMY issued a reprimand against the controller for violating Article 13(1)(c) due to stating an incorrect legal basis for the processing of personal data.
English Summary
Facts
IMY initiated an investigation against the controller on 2019 to check whether consent was obtained in compliance with Article 6 (1). Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data, and started relying mainly on contractual necessity on Article 6(1)(b) GDPR or legitimate interest on Article 6(1)(f) GDPR instead of consent. However, the controller accidentally missed updating the registration flow of one of the company's webshop, Magasinshoppen, accordingly. It had a checkbox on this webpage along with the text "I accept the subscription terms. By doing so, I consent to the processing of personal data within the Bonnier Group." After the IMY's inspection began, the controller took immediate action to correct the information provided in Magasinshoppen's registration process.
Holding
IMY concluded that the controller has processed personal data in contravention of Article 13(1)(c) GDPR by indicating an incorrect legal basis. IMY assessed that it was a minor deficiency that did not resulted in serious consequences to the data subjects, leading to a reprimand. For this, IMY considered that the controller took immediate action to update the registration of its webshop after IMY initiated supervision. Additionally, IMY noted the limited use of the page for subscriptions during the relevant time period, and recognized that it was a mistake that the website was not updated in connection with the controller's review of its routines.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(3)
Expressen Lifestyle AB
105 44 Stockholm
Diary number:
DI-2019-6523
Supervision according to the data protection regulation
Date:
2023-06-26
– Expressen Lifestyle AB
The Privacy Protection Authority's decision
The Privacy Protection Authority states that Expressen Lifestyle AB (556025-4525),
has processed personal data in violation of Article 13.1 c of the data protection regulation
by stating an incorrect legal basis for the processing of the data subject
personal data during May 2018 until 4 June 2019.
The Privacy Protection Authority gives Expressen Lifestyle AB a reprimand according to article
58.2 b of the data protection regulation for violation of 13.1 c of the data protection regulation.
Account of the supervisory matter
On June 4, 2019, the Swedish Privacy Protection Authority (IMY) began an investigation against Bonnier
Magazine and Brands AB. The supervision was not prompted by any complaint but aimed at
to review the consents obtained to fulfill the obligation to have one
legal basis according to Article 6.1 of the data protection regulation met the requirements of
the data protection regulation on voluntariness, information and clarity and that the legal
the basis clearly appears. Bonnier Magazine and Brands AB was in charge
introducing a checkbox on their web page along with the text. "I approve
the subscription terms. I hereby consent to the processing of personal data within
The Bonnier Group.”
In its statement to IMY, Bonnier Magazines and Brands has stated that the information in
the registration flow in the company's webshop, Magasinshoppen, was accidentally not updated
in the same way as on other web pages. In accordance with the data protection regulation
coming into force in 2018, Bonnier Magazine and Brands AB carried out an extensive
work which meant, among other things, that the company reassessed its legal basis for
Processing of personal data. Instead of consent, Bonnier Magazine founded and
Brands AB's processing of customers' personal data mainly on legal grounds
Postal address: the grounds in Article 6.1 b of the Data Protection Regulation, agreement, or in Article 6.1 f i
Box 8114 data protection regulation, legitimate interest. In the normal registration flow that
104 20 Stockholm is used on Bonnier Magazine and Brands AB's web pages, the customer is asked to
Website: agree to the subscription terms and confirm that he has taken part in Bonnier
www.imy.se Magazine and Brands AB's data protection policy. Bonnier Magazines and Brands AB has
E-mail: stated that immediately when IMY started the supervision measures were taken to
imy@imy.se update the Magasinshoppen with correct information in the registration flow.
Phone:
08-657 61 00 The Swedish Privacy Agency Diary number: DI-2019-6523 2(3)
Date: 2023-06-26
Bonnier Magazines and Brands AB has been dissolved by merger on June 1, 2022 and
joined Expressen Lifestyle AB (556025-4525).
Justification of the decision
Of ch. 23 Section 1 of the Companies Act (2005:551) follows that the effects of a merger mean that
all assets and liabilities are taken over by another company at the time of the merger. The
The acquiring company is therefore responsible for the obligations that existed in the company that
taken over. In light of this, IMY makes the assessment that the acquiring company
after the time of the merger is a party to IMY's supervision matter and this supervision is therefore aimed at
against Expressen Lifestyle AB.
When a personal data controller collects personal data from a registered person shall
information regarding the legal basis for the processing appears, according to Article 13.1
c in the data protection regulation. The person in charge of personal data must, according to Article 12.1 i
data protection regulation take measures to provide this to the data subject
information in a concise, clear and clear, comprehensible and easily accessible form, with
the use of clear and unambiguous language. IMY considers that the text next to the checkbox on
the company's website "I accept the subscription terms. I hereby agree
personal data processing within the Bonnier Group", gives the registered impression that
the company's legal basis for processing personal data is consent according to article
6.1. a in the data protection regulation. The information text that was under the link with
the text of the subscription terms further reinforces this through wording
"When ordering, you agree that your personal data including email address,
mobile number for calls and text messages and any other digital
addresses, may be stored and used within Bonnier for digital services, marketing,
as well as for statistical and analysis purposes.”. Furthermore, information is provided in the same place
about the terms of consent including the right to withdraw consent.
The company has stated that the company does not base its processing on customers' personal data
on consent but mainly on the legal grounds agreement or justified
interest according to Article 6.1 b and f of the data protection regulation.
Against this background, IMY notes that the company has processed personal data in violation of
Article 13.1 c of the Data Protection Regulation by stating the wrong legal basis for
the processing of data subjects' personal data.
Choice of intervention
From article 58.2 and article 83.2 of the data protection regulation, it appears that IMY has
power to impose administrative penalty charges in accordance with Article 83.
Depending on the circumstances of the individual case, the administrative sanction
fees are imposed in addition to or instead of the other measures referred to in Article 58(2), which
for example injunctions and prohibitions. Furthermore, Article 83.2 states which factors
which must be taken into account when deciding whether administrative penalty charges must be imposed and at
determining the size of the fee. If it is a question of a minor violation, IMY gets
as set out in recital 148 instead of imposing a penalty charge issue one
reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating factors
circumstances of the case, such as the nature, severity and duration of the infringement
as well as previous violations of relevance.
IMY notes the following relevant circumstances. Bonnier Magazines and Brands
AB immediately took measures when IMY began its supervision to update the Privacy Protection Agency Diary number: DI-2019-6523 3(3)
Date: 2023-06-26
the information in the registration flow on its website so that it registered accordingly
neither met with a consent request nor informational text about consent. Instead
the data subject is asked to accept the subscription terms (ie the terms of purchase)
and confirm that he has read the company's data protection policy. The website has not been
the page through which most of the company's customers signed their subscriptions.
The use of the web shop has therefore been limited, which is why only 1372 customers
signed their subscriptions via this website during the current time period. Further where
it was a mistake that the website was not updated in connection with the company's review
its routines in connection with the entry into force of the data protection association. IMY assesses that
the shortcoming in question did not have serious consequences for the data subjects. Against this one
background, IMY assesses that it is a question of such a minor violation in that sense
which is referred to in reason 148 which results in Expressen Lifestyle AB being given a reprimand
according to article 58.2 b of the data protection regulation for the identified deficiency.
This decision has been taken by the unit manager Catharina Fernquist after a presentation by
lawyer Ulrika Bergström.
Catharina Fernquist, 2023-06-26 (This is an electronic signature)
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
