IMY (Sweden) - DI-2019-6523: Difference between revisions
(Hi Inzel, thank you so much for the summary! I just edited a few minor spelling mistakes, made the short summary a bit more exciting for the NL and just gave the holding a bit more information and streamlined it with the last DPA cases that also issued reprimands.) |
Latest revision as of 09:02, 8 May 2024
IMY - DI-2019-6523 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 13(1)(c) GDPR, Article 58(2)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 04.06.2019 |
Decided: | 26.06.2023 |
Published: | 29.04.2024 |
Fine: | n/a |
Parties: | Expressen Lifestyle AB |
National Case Number/Name: | DI-2019-6523 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | IMY (Sweden) (in SV) |
Initial Contributor: | inkg |
The DPA reprimanded a controller for not appropriately clarifying whether its processing operations were based on consent or a contract.
English Summary
Facts
The Swedish DPA ("IMY") initiated an investigation against Expressen Lifestyle AB ("the controller") in 2019 to check whether consent was obtained in compliance with Article 6(1) GDPR.
Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data and started relying mainly on contractual necessity under Article 6(1)(b) GDPR or legitimate interest under Article 6(1)(f) GDPR, instead of consent, for subscriptions to the controller's magazine. However, the controller accidentally missed updating the registration form of one of the company's webshops, Magasinshoppen. The webshop had a checkbox on its webpage along with the text "I accept the subscription terms. By doing so, I consent to the processing of personal data within the Bonnier Group." The controller also did not update the subscription terms, which stated: "When ordering, you agree that your personal data, including email address, mobile phone number for calls and text messages and any other digital addresses, may be stored and used within Bonnier for digital services, marketing, and for statistical and analytical purposes." Furthermore, information was provided on the right to withdraw consent.
After the DPA's inspection began, the controller took immediate action to correct the information provided in its webshop's registration process. Now, instead of being presented with either a consent request or consent information text, the data subject is asked to agree to the subscription terms (i.e. the terms of purchase) and to confirm that they have read the controller's data protection policy.
Holding
When collecting personal data from a data subject, the controller is obliged under Article 13(1)(c) GDPR to provide information regarding the legal bases of the processing. Article 12(1) GDPR requires the controller to take steps to provide this information to the data subject in a concise, clear, intelligible and easily accessible form, using clear and plain language. The DPA held that the text next to the tick box of the controller’s website gave the data subject the impression that the controller’s legal basis for processing personal data was consent under Article 6(1)(a) GDPR. This was reinforced by the text on the subscription terms and the provided information on the right to withdraw consent. As the controller did not base its processing on consent but on the legal grounds of contract (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR), the DPA found that the controller violated Article 13(1)(c) GDPR by indicating an incorrect legal basis.
The DPA found that the violation was a minor infringement pursuant to Recital 148. The website was not the main website used by data subjects to subscribe to the controller's magazine, so the number of affected data subjects was limited, and the violation did not result in serious consequences for the data subjects. Moreover, the DPA recognised that it was a mistake of the controller not to update the website after reviewing its procedures. The DPA also took into account that the controller took immediate action to update the registration process of its webshop after the DPA initiated supervision. Therefore, the DPA issued a reprimand under Article 58(2)(b) GDPR against the controller for violating Article 13(1)(c) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Expressen Lifestyle AB
105 44 Stockholm
Diary number: DI-2019-6523
Date: 2023-06-26
Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00.

Supervision according to the data protection regulation – Expressen Lifestyle AB

The Privacy Protection Authority's decision

The Privacy Protection Authority states that Expressen Lifestyle AB (556025-4525), has processed personal data in violation of Article 13.1 c of the data protection regulation by stating an incorrect legal basis for the processing of the data subject personal data during May 2018 until 4 June 2019.

The Privacy Protection Authority gives Expressen Lifestyle AB a reprimand according to article 58.2 b of the data protection regulation for violation of 13.1 c of the data protection regulation.

Account of the supervisory matter

On June 4, 2019, the Swedish Privacy Protection Authority (IMY) began an investigation against Bonnier Magazine and Brands AB. The supervision was not prompted by any complaint but aimed at to review the consents obtained to fulfill the obligation to have one legal basis according to Article 6.1 of the data protection regulation met the requirements of the data protection regulation on voluntariness, information and clarity and that the legal the basis clearly appears. Bonnier Magazine and Brands AB was in charge introducing a checkbox on their web page along with the text. "I approve the subscription terms. I hereby consent to the processing of personal data within The Bonnier Group."

In its statement to IMY, Bonnier Magazines and Brands has stated that the information in the registration flow in the company's webshop, Magasinshoppen, was accidentally not updated in the same way as on other web pages. In accordance with the data protection regulation coming into force in 2018, Bonnier Magazine and Brands AB carried out an extensive work which meant, among other things, that the company reassessed its legal basis for Processing of personal data.

Instead of consent, Bonnier Magazine founded and Brands AB's processing of customers' personal data mainly on legal grounds the grounds in Article 6.1 b of the Data Protection Regulation, agreement, or in Article 6.1 f i data protection regulation, legitimate interest. In the normal registration flow that is used on Bonnier Magazine and Brands AB's web pages, the customer is asked to agree to the subscription terms and confirm that he has taken part in Bonnier Magazine and Brands AB's data protection policy. Bonnier Magazines and Brands AB has stated that immediately when IMY started the supervision measures were taken to update the Magasinshoppen with correct information in the registration flow.

Bonnier Magazines and Brands AB has been dissolved by merger on June 1, 2022 and joined Expressen Lifestyle AB (556025-4525).

Justification of the decision

Of ch. 23 Section 1 of the Companies Act (2005:551) follows that the effects of a merger mean that all assets and liabilities are taken over by another company at the time of the merger. The acquiring company is therefore responsible for the obligations that existed in the company that taken over. In light of this, IMY makes the assessment that the acquiring company after the time of the merger is a party to IMY's supervision matter and this supervision is therefore aimed at against Expressen Lifestyle AB.

When a personal data controller collects personal data from a registered person shall information regarding the legal basis for the processing appears, according to Article 13.1 c in the data protection regulation.

The person in charge of personal data must, according to Article 12.1 i data protection regulation take measures to provide this to the data subject information in a concise, clear and clear, comprehensible and easily accessible form, with the use of clear and unambiguous language. IMY considers that the text next to the checkbox on the company's website "I accept the subscription terms. I hereby agree personal data processing within the Bonnier Group", gives the registered impression that the company's legal basis for processing personal data is consent according to article 6.1. a in the data protection regulation. The information text that was under the link with the text of the subscription terms further reinforces this through wording "When ordering, you agree that your personal data including email address, mobile number for calls and text messages and any other digital addresses, may be stored and used within Bonnier for digital services, marketing, as well as for statistical and analysis purposes.". Furthermore, information is provided in the same place about the terms of consent including the right to withdraw consent.

The company has stated that the company does not base its processing on customers' personal data on consent but mainly on the legal grounds agreement or justified interest according to Article 6.1 b and f of the data protection regulation. Against this background, IMY notes that the company has processed personal data in violation of Article 13.1 c of the Data Protection Regulation by stating the wrong legal basis for the processing of data subjects' personal data.

Choice of intervention

From article 58.2 and article 83.2 of the data protection regulation, it appears that IMY has power to impose administrative penalty charges in accordance with Article 83.

Depending on the circumstances of the individual case, the administrative sanction fees are imposed in addition to or instead of the other measures referred to in Article 58(2), which for example injunctions and prohibitions. Furthermore, Article 83.2 states which factors which must be taken into account when deciding whether administrative penalty charges must be imposed and at determining the size of the fee. If it is a question of a minor violation, IMY gets as set out in recital 148 instead of imposing a penalty charge issue one reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating factors circumstances of the case, such as the nature, severity and duration of the infringement as well as previous violations of relevance.

IMY notes the following relevant circumstances. Bonnier Magazines and Brands AB immediately took measures when IMY began its supervision to update the information in the registration flow on its website so that it registered accordingly neither met with a consent request nor informational text about consent. Instead the data subject is asked to accept the subscription terms (ie the terms of purchase) and confirm that he has read the company's data protection policy. The website has not been the page through which most of the company's customers signed their subscriptions. The use of the web shop has therefore been limited, which is why only 1372 customers signed their subscriptions via this website during the current time period. Further where it was a mistake that the website was not updated in connection with the company's review its routines in connection with the entry into force of the data protection association. IMY assesses that the shortcoming in question did not have serious consequences for the data subjects.

Against this one background, IMY assesses that it is a question of such a minor violation in that sense which is referred to in reason 148 which results in Expressen Lifestyle AB being given a reprimand according to article 58.2 b of the data protection regulation for the identified deficiency.

This decision has been taken by the unit manager Catharina Fernquist after a presentation by lawyer Ulrika Bergström.

Catharina Fernquist, 2023-06-26 (This is an electronic signature)

How to appeal

If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received it part of the decision. If the appeal has been received in time send The Privacy Protection Authority forwards it to the Administrative Court in Stockholm examination.

You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.