KamR Stockholm - 2829-23: Difference between revisions

From GDPRhub
mNo edit summary
(7 intermediate revisions by 3 users not shown)
Line 25: Line 25:
|Year=2024
|Year=2024


|GDPR_Article_1=Article 1(2) GDPR
|GDPR_Article_1=
|GDPR_Article_Link_1=Article 1 GDPR#2
|GDPR_Article_Link_1=Article 1 GDPR#2
|GDPR_Article_2=Article 5(1)(a) GDPR
|GDPR_Article_2=Article 5(1)(a) GDPR
Line 49: Line 49:
|GDPR_Article_12=Article 14(2)(g) GDPR
|GDPR_Article_12=Article 14(2)(g) GDPR
|GDPR_Article_Link_12=Article 14 GDPR#2g
|GDPR_Article_Link_12=Article 14 GDPR#2g
|GDPR_Article_13=Article 15 GDPR
|GDPR_Article_13=
|GDPR_Article_Link_13=Article 15 GDPR
|GDPR_Article_Link_13=Article 15 GDPR
|GDPR_Article_14=
|GDPR_Article_14=
Line 84: Line 84:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Izel
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Inkg inkg]
|
|
}}
}}


The Administrative Court of Appeal granted IMY's appeal and raised the administrative fine back to €730,000 (SEK 7,300,000), for Klarna Bank AB's insufficient and incomplete privacy notice.
The Administrative Court of Appeal raised the administrative fine back to €730,000 (SEK 7,300,000) for Klarna Bank AB's insufficient and incomplete privacy policy.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 28 March 2022, the Swedish DPA (IMY) fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. IMY found that the controller violated the GDPR in several respects.
On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects.
The controller appealed the decision to the Administrative Court of Stockholm. The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000).
IMY appealed the Administrative Court's decision to Administrative Court of Appeal of Stockholm, requesting the fine to be raised back to €730,000 (SEK 7,300,000). The Administrative Court of Appeal reviewed the appealed decision to determine whether the controller should be subject to fine on the grounds put forward by IMY or if its privacy notice fulfills the requirement of [[Article 12 GDPR]] - [[Article 16 GDPR]]. In addition, the Court reviewed whether the controller's processing activities fulfill the principle of transparency in [[Article 5 GDPR 1|Article 5 GDPR#1a]] and accountability in [[Article 5 GDPR 2|Article 5 GDPR#2]].


In short, the privacy notice was examined in following aspects:
The controller appealed the DPA's decision to the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information.


* How data subjects can access information on safeguards for third-country transfers as provided in [Article 13 GDPR 1f]]
The DPA appealed this decision to the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000).  
* Whether information on the legal basis for each purposes in relation to the service "My Economy" was provided in compliance with <nowiki>[[Article 13 GDPR#1c]]</nowiki>
* Information on data storage as provided in [[Article 13 GDPR 2a|Article 13 GDPR#2a]]
* Whether it must to specify if the recipients are Swedish or foreign credit agencies under [[Article 13 GDPR 1e|Article 13 GDPR#1e]].
* Whether it must specify each third country personal data is transferred to under Article [[Article 13 GDPR 1f|Article 13 GDPR#1f]].  
* Whether the information about the rights of the data subjects meets the requirements set out in [[Article 13 GDPR 2 b|Article 13 GDPR#2b]].
* Which type of information about profiling and automated decision making should be provided


=== Holding ===
=== Holding ===
'''Infringements of [[Article 13 GDPR 1f|Article 13 GDPR#1f]], [[Article 13 GDPR 1c|Article 13 GDPR#1c]] and [[Article 13 GDPR 2a|Article 13 GDPR#2a]]''': The parties agreed that the controller violated [[Article 13 GDPR 1f|Article 13 GDPR#1f]] by not providing information regarding how data subjects can access information on safeguards for third-country transfers. The Administrative Court of Appeal agreed with the Administrative Court that controller violated GDPR in this aspect. Similarly, regarding the questions about violations of [[Article 13 GDPR 1c|Article 13 GDPR#1c]] regarding information on the legal basis for each purposes in relation to the service "My Economy" and [[Article 13 GDPR 2a|Article 13 GDPR#2a]] regarding data storage, the controllers arguments were rejected by the Court of Appeal and it was concluded that Klarna had indeed violated the regulation in these respects as well.
The Court reviewed the entire appealed decision to decide whether the controller should be fined on the grounds put forward by the DPA. The Court therefore reviewed whether the controller provided complete or sufficient information and fulfilled the requirements on how it should be provided on different aspects of the controller’s privacy policy under [[Article 12 GDPR]], [[Article 13 GDPR]] and [[Article 14 GDPR]].


'''Recipients of personal data
The Court agreed with the Administrative Court that the controller failed to provide information on safeguards for third country transfers ([[Article 13 GDPR#1f|Article 13(1)(f) GDPR]]) and the use of a scoring model and the data processed in it ([[Article 14 GDPR#2g|Article 14(2)(g) GDPR]]). Moreover, the Court found that the controller did not provide information on automated decision-making in such an easily accessible form as required by [[Article 12 GDPR#1|Article 12(1) GDPR]]. The Court considered that the fact that the information was spread over different sections, did not necessarily mean that the information is difficult to access by data subjects. However, the Court found that the references to different sections made the information not easily accessible as it was difficult to identify then what the relevant information was in the referred sections.
<nowiki>:</nowiki>'''The Court agreed with the Administrative Court's finding that the there is no obligation on the controller to differentiate between Swedish or foreign credit agencies in the information provided, considering the wording of [[Article 13 GDPR 1e|Article 13 GDPR#1e]] and the relationship between [[Article 13 GDPR]] and [[Article 15 GDPR]]. Therefore, the Court found that controller did not violate [[Article 13 GDPR 1e|Article 13 GDPR#1e]].


'''Transfers to third countries
On whether the information on the right to erasure, restriction and data portability in the privacy policy was designed in accordance with [[Article 12 GDPR#1|Article 12(1) GDPR]], the Court held that the privacy policy sufficiently informed data subjects about the existence of the right to erasure and no further information is required under [[Article 13 GDPR#1b|Article 13(1)(b) GDPR]]. However, the Court did find that the information about the right to data portability was provided in such a way that it was difficult to understand that it is a separate right. Moreover, the right to restriction was expressed in the information as "oppose" and "stop processing", using different terminology than the GDPR, which creates obscurity. Due to these ambiguities, the Court found that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]].
<nowiki>:</nowiki>''' The Court found that [[Article 13 GDPR 1f|Article 13 GDPR#1f]] does not require specific third countries to be specified on privacy notice. The Court found therefore, contrary to Administrative Court's finding that controller's privacy notice met the requirements of that article.


'''Informing about data subjects rights
The Court also examined whether the controller provided the information on both the purpose and the legal basis of the My Economy service in the privacy policy in a too scattered manner and with unclear references. Although the Court, unlike the DPA, did not find that the information legal basis was unclear, the Court did find that the way that the information on the purpose referred to different documents was difficult to access and unclear. Thus, the Court held that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]] in regards to the information on the purpose of the My Economy service.
<nowiki>:</nowiki>''' The Court stated that the wording of [[Article 13 GDPR 2b|Article 13 GDPR#2b]] indicates that the data controller should inform about the existence of the rights specified in the article. On the question of whether the controller should also inform about the meanings of these rights, the Court pointed out the one of the purpose of GDPR is to protect the rights of individuals in the processing of personal data [[Article 1 GDPR 2|Article 1 GDPR#2]]. the court also referred to [[Recital 39]] GDPR that individuals should be made aware of their rights regarding processing of personal data, including how to exercise them. The Court found no indication that the controller, in addition to informing about the existence of the rights listed in [[Article 13 GDPR 2b|Article 13 GDPR#2b]], is obliged to further describe the meaning of those rights. Consequently, the Court, contrary to Administrative Court and IMY, found that the controller did not violate [[Article 13 GDPR 2b|Article 13 GDPR#2b]]. On the other hand, the Court, agreeing to IMY's findings, concluded that controller violated [[Article 12 GDPR 1|Article 12 GDPR#1]]. This is because the name of the "right to restriction" was not provided and instead expressed as the right to "oppose" and "stop processing", which the Court found to be unclear terminology and difficult to understand for the data subject. The Court found that controller breached the same article when the right to data portability was provided under right to access, which according to the Court and IMY, made it difficult to understand that it is a separate right.  


'''Information about profiling and automated decision making
The Court took into account that the information concerned a large number of data subjects and that the shortcomings related to information based on articles that are central to the data subjects. Moreover, the Court recognised that the breaches did not take place for a long time and the privacy policy had been continuously improved. Moreover, taking into account the controller’s argument that the DPA’s case took unreasonably long and that the controller’s right to be informed without delay of the significance of and grounds for the accusations was violated, the Court did not see a reason to reduce the fine on the basis of [[Article 83 GDPR#2|Article 83(2) GDPR]] and [https://fra.europa.eu/en/law-reference/european-convention-human-rights-article-6 Article 6(1) and 6(3)(a) ECHR].
<nowiki>:</nowiki>''' The Court, like the administrative court and contrary to IMY's finding, stated that controller is not obliged to provide information about the circumstances that always lead to rejection. However, the Court assessed that Klarna has violated [[Article 13 GDPR 2f|Article 13 GDPR#2f]] and [[Article 14 GDPR 2g|Article 14 GDPR#2g]] by not informing about the use of a scoring model and the data processed in it. Furthermore, the Court stated that when information is scattered as it was regarding the information about automated decision-making, greater clarity is required for it to be easily accessible. The Court considered that, referencing to information at another section of the privacy notice, which was highly extensive, made it difficult to access. Consequently, the Court found that the controller did not inform about automated decision-making in an easily accessible manner and therefore breached [[Article 12 GDPR 1|Article 12 GDPR#1]].


'''Information about the "My Economy" service
Thus, the Court held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, and upheld the DPA’s appeal.
<nowiki>:</nowiki>''' According to the Court, the information provided about the legal basis during the registration for the "My Economy" service was clear and did not violate [[Article 12 GDPR 1|Article 12 GDPR#1]], contrary to IMY's claim. However, regarding the information about the purpose, the Court assessed that the structure of the data protection information, the terms of use, and the cross-references between the documents made the information difficult to access and unclear. Consequently, the information did not comply with [[Article 12 GDPR 1|Article 12 GDPR#1]] in that respect.
 
'''The principle of transparency
<nowiki>:</nowiki>''' The Court considered that violations consist of controller not providing complete or sufficient information and not meeting the requirements on how it should be provided. The Court found that, although the controller has breached several articles expressing the principle of transparency in the GDPR, the violations are not of a character and extent that the controller can be considered to have violated the principle of transparency in [[Article 5 GDPR 1a|Article 5 GDPR#1a]] , and thus not [[Article 5 GDPR 2|Article 5 GDPR#2]].
 
'''Sanction amount
<nowiki>:</nowiki>''' The Court considered that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case.


== Comment ==
== Comment ==

Revision as of 13:38, 10 May 2024

KamR Stockholm - 2829-23
Courts logo1.png
Court: KamR Stockholm (Sweden)
Jurisdiction: Sweden
Relevant Law: [[Article 1 GDPR#2|]] [[Category:]]
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 13(1)(e) GDPR
Article 13(1)(c) GDPR
Article 13(1)(f) GDPR
Article 13(2)(a) GDPR
Article 13(2)(b) GDPR
Article 13(2)(f) GDPR
Article 14(2)(g) GDPR
[[Article 15 GDPR|]] [[Category:]]
Decided: 11.03.2024
Published: 11.03.2024
Parties: Klarna Bank AB
IMY
National Case Number/Name: 2829-23
European Case Law Identifier:
Appeal from: Administrative Court of Stockholm (Sweden)
7679-22
Appeal to: Not appealed
Original Language(s): Swedish
Original Source: Kammarrätten i Stockholm (in Swedish)
Initial Contributor: inkg

The Administrative Court of Appeal raised the administrative fine back to €730,000 (SEK 7,300,000) for Klarna Bank AB's insufficient and incomplete privacy policy.

English Summary

Facts

On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects.

The controller appealed the DPA's decision to the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information.

The DPA appealed this decision to the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000).

Holding

The Court reviewed the entire appealed decision to decide whether the controller should be fined on the grounds put forward by the DPA. The Court therefore reviewed whether the controller provided complete or sufficient information and fulfilled the requirements on how it should be provided on different aspects of the controller’s privacy policy under Article 12 GDPR, Article 13 GDPR and Article 14 GDPR.

The Court agreed with the Administrative Court that the controller failed to provide information on safeguards for third country transfers (Article 13(1)(f) GDPR) and the use of a scoring model and the data processed in it (Article 14(2)(g) GDPR). Moreover, the Court found that the controller did not provide information on automated decision-making in such an easily accessible form as required by Article 12(1) GDPR. The Court considered that the fact that the information was spread over different sections, did not necessarily mean that the information is difficult to access by data subjects. However, the Court found that the references to different sections made the information not easily accessible as it was difficult to identify then what the relevant information was in the referred sections.

On whether the information on the right to erasure, restriction and data portability in the privacy policy was designed in accordance with Article 12(1) GDPR, the Court held that the privacy policy sufficiently informed data subjects about the existence of the right to erasure and no further information is required under Article 13(1)(b) GDPR. However, the Court did find that the information about the right to data portability was provided in such a way that it was difficult to understand that it is a separate right. Moreover, the right to restriction was expressed in the information as "oppose" and "stop processing", using different terminology than the GDPR, which creates obscurity. Due to these ambiguities, the Court found that the controller violated Article 12(1) GDPR.

The Court also examined whether the controller provided the information on both the purpose and the legal basis of the My Economy service in the privacy policy in a too scattered manner and with unclear references. Although the Court, unlike the DPA, did not find that the information legal basis was unclear, the Court did find that the way that the information on the purpose referred to different documents was difficult to access and unclear. Thus, the Court held that the controller violated Article 12(1) GDPR in regards to the information on the purpose of the My Economy service.

The Court took into account that the information concerned a large number of data subjects and that the shortcomings related to information based on articles that are central to the data subjects. Moreover, the Court recognised that the breaches did not take place for a long time and the privacy policy had been continuously improved. Moreover, taking into account the controller’s argument that the DPA’s case took unreasonably long and that the controller’s right to be informed without delay of the significance of and grounds for the accusations was violated, the Court did not see a reason to reduce the fine on the basis of Article 83(2) GDPR and Article 6(1) and 6(3)(a) ECHR.

Thus, the Court held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, and upheld the DPA’s appeal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details. 

Klarna must pay a penalty fee of SEK 7.5 million because the data protection information did not meet the requirements of the EU's data protection regulation.

The violations of the data protection regulation consist of Klarna not providing sufficient information to the data subjects, for example, about how personal data will be stored, and that the information was difficult to access or unclear.
- The Court of Appeal considers that a penalty fee of SEK 7.5 million is justified to be effective, proportionate and dissuasive. The Court of Appeal thus makes the same assessment as the Swedish Privacy Protection Authority, says Peder Liljeqvist, a lawyer at the Court of Appeal.
The Court of Appeal thus changes the administrative court's ruling that the sanction fee would be SEK 6 million.
Retrieved from "https://gdprhub.eu/index.php?title=KamR_Stockholm_-_2829-23&oldid=41245"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki