Latest revision as of 12:35, 30 July 2024
FiS - 6034-24 | |
---|---|
Court: | FiS (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 58 GDPR |
Decided: | 17.07.2024 |
Published: | 17.07.2024 |
Parties: | Region Uppsala |
National Case Number/Name: | 6034-24 |
European Case Law Identifier: | |
Appeal from: | IMY (Sweden) |
Appeal to: | |
Original Language(s): | English |
Original Source: | noyb (in English) |
Initial Contributor: | ec |
A court held that the DPA has the discretion to assess the extent to which a complaint should be investigated and that only sending an information letter to a controller was a sufficient measure.
English Summary
Facts
The data subject lodged a complaint against the controller, the Region Uppsala, at the Swedish DPA (“IMY”) for recording telephone conversations without a legal basis for the processing.
The DPA sent an information letter to the controller, informing them of the complaint and the applicable law, and closed the case without taking any further action. The DPA held that the purpose of the letter was to give the controller the opportunity to review its processing and to correct any shortcomings themselves. The DPA therefore did not see any grounds to investigate the complaint further.
The data subject appealed this decision at the Administrative Court of Stockholm (“Förvaltningsrätten i Stockholm”), arguing that the DPA has the obligation to take effective measures to limit violations. As the letter stated that the DPA did not intend to take further action, there was no incentive for the controller to remedy its violations. Therefore, the data subject argued that the DPA failed to investigate the matter with due diligence, even though it was clear from the complaint that the controller did not have a legal basis for its processing.
The data subject further argued that information letters are not a corrective measure under Article 58 GDPR and therefore cannot constitute an effective measure. The data subject argued that this was also not in line with the EDPB internal document on Supervisory Authorities’ duties in relation to alleged GDPR infringements.
The IMY held that the appeal should be rejected as the measure was sufficient. The IMY held that if the letter did not result in the controller correcting any shortcomings, the data subject was free to submit a new complaint at a later stage.
Holding
The court assessed whether IMY had grounds for not investigating the data subject’s complaint further, beyond sending an information letter to the controller.
The court took into account the CJEU judgement in Case C-311/18 Schrems II and in Joined Cases C-26/22 and C-64/22 SCHUFA, which concern corrective measures under the GDPR, and held that they support the conclusion that IMY, as a supervisory authority, has considerable discretion to assess the extent to which a complaint should be investigated and what investigative measures are appropriate, necessary and proportionate in the individual case.
The court also took into account the Swedish preparatory works on the GDPR (2017/18:105), which stated that the IMY has no obligation to take supervisory measures or even to always investigate the facts more closely. The court thus held that IMY has a clear discretion to decide for itself which supervisory cases are to be pursued and how this is to be done.
The court further found that the IMY was uncertain whether the controller had complied with its obligations under Article 6 GDPR, and was therefore justified in sending an information letter. The court found that there was no reason to question IMY's view that no further investigative measure was necessary.
The court thus dismissed the data subject’s arguments and held that the IMY has the possibility to decide not to investigate a complaint further and to close a case by sending an information letter to the controller.
Regarding the data subject's argument that the IMY's information letter was not in line with the EDPB's internal documents, the court held that these documents were not binding and therefore did not lay down any obligations for the IMY as regards the content of the information letter.
Therefore the court held that the IMY investigated the matter in question to the extent that was appropriate and that the information letter sent was a sufficient measure. Thus, the court dismissed the appeal.
Comment
First of all, the Schufa case indicates the following:
Para 57: "In order to deal with complaints received, Article 58(1) of the GDPR grants each supervisory authority significant investigative powers. Where such an authority, after completing its investigation, finds that the provisions of this regulation have been infringed, it is obliged to take appropriate measures to remedy the deficiency found."
Para 68: "However, it should be added that, although, as stated in paragraph 56 above, the supplementary authority is obliged to treat a complaint with all due diligence, it has, as regards the remedies listed in Article 58(2) of the GDPR, a discretion as to the choice of appropriate and necessary measures."
This in no way supports the court's finding that DPAs have the discretion to assess the extent to which a complaint should be investigated. It only confirms that DPAs maintain a margin of discretion as to the choice of the appropriate means under Article 58(2) GDPR.
Secondly, even if the Swedish preparatory works state that the Swedish DPA has no obligation to take supervisory measures or even to always investigate the facts more closely, such a practice would evidently be contrary to the GDPR and CJEU case-law.
Thirdly, the court's view that the EDPB's internal documents are not binding and therefore do not lay down any obligations for the IMY seems rather odd, as the IMY, as a member of the EDPB, co-wrote this document. These internal documents are also written to have a uniform application of the GDPR. Not following these internal documents would go against the aim of the EDPB.
Lastly, it seems odd that the responsibility of monitoring compliance with the GDPR is put on the data subject. Instead of the IMY monitoring and enforcing compliance with the GDPR, the IMY closed the case and held that the data subject is free to submit a new complaint at a later stage if the controller did not comply after the information letter.
English Machine Translation of the Decision
The decision below is a machine translation.
ADMINISTRATIVE COURT IN STOCKHOLM
Section 7
JUDGMENT
2024-07-17
Notified in Stockholm
Case No 6034-24
THE COMPLAINANT
Dr Complainant
OPPOSING PARTY
The Authority for the Protection of Privacy
APPEALED DECISION
Decision of the Data Protection Authority 2024-03-19
THE CASE
Processing of personal data
DECISION OF THE ADMINISTRATIVE COURT
The Administrative Court rejects the appeal.
Visiting address: Tegeluddsvägen 1. Opening hours: Monday-Friday 08:00-16:00. Postal address: 115 76 Stockholm. E-mail address: avd7.fst@dom.se. Phone number: 08-561 680 00. Website: www.domstol.se/forvaltningsratten-i-stockholm/
APPEALS ETC.
Dr Complainant has lodged a complaint against Region Uppsala with the Swedish Authority for Privacy Protection (IMY), essentially alleging that the Region is recording telephone conversations without a legal basis for the processing.
The IMY decided on 19 March 2024 to send an information letter to the Region informing it, inter alia, of the applicable law and to close the complaint case without taking any further action. The reasons for the decision were essentially as follows. IMY is required to deal with complaints and, where appropriate, to investigate the substance of the complaint. The purpose of sending information about the complaint and the applicable rules is to give the region an opportunity to review its own processing of personal data and to correct any shortcomings. In view of the above, IMY does not find grounds to investigate the complaint further.
Dr Complainant requests that IMY initiate supervision under the EU Data Protection Regulation and argues, inter alia, the following. The supervisory authority shall investigate with due diligence complaints lodged by an individual who considers that the processing of personal data relating to him or her constitutes a breach of the General Data Protection Regulation.
The supervisory authority also has an obligation to take effective measures to curb infringements. It is therefore not true that IMY has the same scope as other Swedish supervisory authorities to decide which supervisory cases to pursue and how to do so. According to the case law of the Court of Justice of the European Union, the supervisory authority must first determine whether there has been a breach of the rules and, if so, take appropriate measures to remedy the identified deficiency. In this case, the information letter has preceded the investigation that would have formed the basis for sending the letter. The information letter also ends with the information that IMY does not intend to take further action and there is thus no incentive for the controller to remedy its legal infringements. IMY has therefore failed to investigate the matter with due diligence and to take a decision to remedy the identified deficiency, despite the fact that it is clear from the documents it has submitted that the Region has not been able to provide a legal basis for its processing of personal data. He does not question that in some cases a matter can be resolved by an information letter. However, this concerns issues where the controller's behaviour is due to ignorance or misunderstanding, which the region can hardly hide behind in this case. Furthermore, information letters are not a corrective measure under Article 58 of the GDPR and therefore cannot constitute an effective measure within IMY's discretionary range of appropriate measures.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Doc.Id 1771278
In addition, IMY does not follow the internal guidance established by the European Data Protection Board regarding the content of an information letter. For example, there is no call for the controller to comply with the law or information on how to make such a correction. The guidance also refers to the IMY's task of monitoring and enforcing the application of the GDPR. It is highly questionable whether the authority fulfils that mission when it does not take a position on complaints. It is not he as a rights holder who should be responsible for ensuring that the controller or the supervisory authority does what is required of them.
IMY considers that the appeal should be rejected and states, inter alia, the following. IMY has not taken a position on whether the personal data processing in question fulfils the provisions of the Data Protection Regulation, but has sent an information letter informing the region of the complaint and the applicable rules on the matter. The purpose of sending an information letter is to give the person against whom the case is directed an opportunity to review their processing of personal data and correct any shortcomings. In case the information letter does not have the intended effect, it states the complainant was free to submit a new complaint at a later stage. IMY has considered this measure to be sufficient and has closed the case.
THE REASONS FOR THE DECISION
Applicable provisions
According to Article 77(1) of the GDPR, a data subject who considers that the processing of personal data relating to him or her infringes the GDPR has the right to lodge a complaint with a supervisory authority. Article 57(1)(f) of the Regulation requires the supervisory authority to examine the complaint lodged by a data subject and, where appropriate, to investigate the substance of the complaint.
Recital 141 of the Regulation states that, subject to possible judicial review, the investigation of complaints should be carried out to the extent appropriate in the individual case. Recital 129 of the Regulation further states, inter alia, that:
The powers of the supervisory authorities should be exercised impartially, fairly and within a reasonable time, in accordance with the appropriate procedural safeguards laid down in Union and Member State law. In particular, any measure should be appropriate, necessary and proportionate to ensure compliance with this Regulation, taking into account the circumstances of each case, respecting the right of every person to be heard before any individual measure adversely affecting him or her is taken, and designed to avoid unnecessary costs and excessive inconvenience for the persons concerned.
The Court of Justice of the European Union has stated that the supervisory authority must investigate complaints with due diligence, choose a necessary and appropriate measure, and ensure full compliance with the Regulation (judgement of the Court of Justice of the European Union in Case C-311/18, Facebook Ireland and Schrems, EU:C:2020:559, paragraphs 109 and 112). According to the CJEU, the supervisory authority also has a discretion as to the choice of appropriate and necessary measures (judgments of the CJEU in Joined Cases C-26/22 and C-64/22 UF and AB v Land Hessen and SCHUFA Holding AG, EU:C:2023:958, paragraphs 57 and 68-69).
In connection with the adaptation of Swedish law to the EU General Data Protection Regulation, the government stated that the supervisory authority has no obligation to take supervisory measures or even to always investigate the facts more closely. On the contrary, the authority has a clear discretion to decide for itself which supervisory cases are to be pursued and how this is to be done (Government Bill 2017/18:105, pp. 164-165).
Assessment by the Administrative Court
The issue in the case is whether IMY had grounds for not investigating Dr Complainant's complaint further, beyond sending an information letter to the region.
Dr Complainant has argued that IMY is obliged to investigate complaints under the GDPR and that its discretion as to appropriate and necessary measures relates only to corrective measures under Article 58(2) of the GDPR, which IMY has not decided in the present case.
Admittedly, the Administrative Court notes, like Dr Complainant, that cases C-26/22 and C-64/22, as described above, primarily concern corrective measures under the Data Protection Regulation. However, the Administrative Court considers that the statements of the Court of Justice of the European Union in those cases are also relevant to the present review. According to the Administrative Court, the above provisions, reasons and statements, taken together, thus support the conclusion that IMY, as the supervisory authority, has considerable discretion to assess the extent to which a complaint should be investigated and what investigative measures are appropriate, necessary and proportionate in the individual case. Therefore, even taking into account the arguments put forward by Dr Complainant in his appeal, the Administrative Court considers that IMY has the possibility to decide not to investigate a complaint further and to close a case by sending an information letter to the controller. However, this discretion is not entirely unlimited.
Based on what is apparent from Dr Complainant's complaint, the Administrative Court considers that, at the time of IMY's decision, it must have appeared uncertain whether the Region had complied with its obligations under Article 6 of the EU Data Protection Regulation. It was therefore justified to send an information letter to the Region in the way it did.
On the other hand, the Administrative Court considers that, on an overall assessment of the evidence in the case, and taking into account what has been presented above, there is no reason to question IMY's view that no further investigative measure was necessary.
Against this background, and taking into account what Dr Complainant has stated in his complaint to IMY and what is evident from the investigation in general, the Administrative Court considers that IMY has investigated the matter in question to the extent that is appropriate in the individual case and that the information letter sent has been a sufficient measure. The arguments put forward by Dr Complainant regarding what an information letter should contain do not provide grounds for making any other assessment. In that context, the Administrative Court also notes that the European Data Protection Board's working document referred to by Dr Complainant is not binding and therefore does not lay down any obligations for the supervisory authority as regards the content of the information letter.
IMY has thus had grounds to close the case without further action. The appeal should therefore be rejected.