IMY (Sweden) - DI-2020-10696
Latest revision as of 13:54, 1 February 2023
| IMY - DI-2020-10696 | |
|---|---|
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 12(3) GDPR, Article 12(6) GDPR, Article 15 GDPR, Article 17 GDPR, Article 58(2)(c) GDPR, Article 58(2)(d) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 27.06.2022 |
| Published: | 23.01.2023 |
| Fine: | n/a |
| Parties: | Nordax Bank AB |
| National Case Number/Name: | DI-2020-10696 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Swedish DPA reprimanded Nordax Bank for violations of Articles 12(3), 12(6), 15 and 17 GDPR. The bank had not complied with several requests of the data subject. The DPA also ordered the bank to comply with these requests.
English Summary
Facts
Nordax (the controller) is a Swedish bank. The bank entrusted a processor, Iper Direct AB (Iper), with managing its customers' address register. According to Nordax, this processor was the controller in all matters regarding this register and was also responsible for answering data subjects' requests related to any processing of this register's personal data. Iper's task was to provide another processor of Nordax with a selection of e-mail addresses, which that second processor used for direct marketing purposes on behalf of Nordax. The selection of addresses from Iper's address register was also carried out on behalf of Nordax and was based on selection criteria determined by Nordax.
The decision does not explicitly state whether the data subject was a (former) customer of the controller, nor that the data subject received direct marketing e-mails from the controller. The latter is however most likely, given the data subject's objection to direct marketing, which the controller eventually granted (discussed further below).
Round 1 (Access 1 and Erasure 1)
On 5 December 2018, the data subject filed an access request and an erasure request at Nordax, which were answered by the controller on 6 December 2018.
The access request asked for all data relating to him and the way Nordax used it. The controller replied to the access request that it did not process and/or store the personal data of the data subject and was therefore unable to comply with the request. Instead, the controller informed the data subject that personal data was processed by its appointed processor, Iper, which was responsible for the bank's address register and for managing data subject rights related to any processing regarding this register. Furthermore, Nordax initially did not classify the data subject's request as an access request, but as an objection to processing. Based on information in the data subject's e-mail, Nordax determined that the data subject's primary wish was to be blocked from the controller's direct marketing e-mails. In its reply, the controller only provided information on how the data subject could block himself from the controller's direct marketing. In order to block the data subject from direct marketing, Nordax requested the data subject's name and address.
On the same day, 5 December 2018, the data subject also submitted an erasure request. The scope of the erasure request was not specified in this decision. In its reply to the erasure request, and along the lines of the answer to the access request, the controller stated that it did not store the data subject's personal data. It was therefore also not able to erase it, since it was stored in Iper's register.
Round 2 (Access 2, Erasure 2 and Objection 1)
Around two months later, on 11 February 2019, the data subject submitted new requests for erasure and access. This time, the data subject also specifically objected to the controller's direct marketing operations for the first time. The controller answered all of these requests on 12 February 2019.
In its reply to the access request, Nordax referred to its earlier reply of 6 December 2018 to the data subject's first access request. The same was true for the controller's response to the erasure request.
In its reply to the data subject's objection, the controller stated that the objection had now been granted and that it had taken measures to block the data subject from direct marketing. Besides not specifying which measures it had taken, this also turned out to be incorrect information: Nordax had not yet taken any measures to block the data subject from direct marketing. According to Nordax, this incorrect information was provided because of human error.
Round 3 (Objection 2)
Another four months later, on 9 July 2019, Nordax received another objection against the controller's marketing operation from the data subject.
In its reply to the second objection, the controller reiterated how the data subject could block himself from the controller's direct marketing operation, just as it had done when answering the first access request (which it had mistaken for an objection). The controller also repeated its request for additional information from the data subject in order to block the data subject from its direct marketing. Strangely enough, the controller then blocked the data subject from its direct marketing without the requested information. The controller also did not inform the data subject that it had finally complied with his objection to processing.
Data subject files complaint
Even after three rounds of requests, Nordax had failed to comply with the data subject's requests for access and erasure, and did not inform the data subject that his objection to processing had been granted.
The data subject filed a complaint with the Norwegian DPA (date not disclosed), which transferred the complaint to the Swedish DPA, the supervisory authority in this decision. The concerned authorities were the DPAs of Norway, Denmark, Finland and Germany. In this complaint, the data subject stated that the controller did not respect his rights by not responding to his requests.
During the investigation of the DPA, Nordax already acknowledged that it was the controller in this case and that it should have complied with the data subject's request for access, by requesting the help of its processor, according to Article 28 GDPR.
Holding
First, the DPA confirmed that Nordax Bank was the controller because it decided both the purposes and the means of the processing. The processing in question was the selection of addresses from Iper's address register for direct marketing purposes. This selection was carried out on behalf of Nordax and was based on selection criteria determined by Nordax. Because Nordax Bank was the controller, it was also responsible for handling the data subject's requests. The fact that Nordax claimed that Iper was responsible for the address register did not change this. Likewise, the fact that Nordax only received de-identified data from Iper was irrelevant for its responsibility for the processing.
Second, the DPA held that the controller violated Article 15 GDPR by failing to handle the data subject's request for access. It should have given the personal data and information to the data subject with the assistance of its processor Iper. It also should have recognised the data subject's initial request as an access request.
Third, the DPA determined that the controller violated Article 17 GDPR by not handling the data subject's request for erasure. None of the exceptions in Article 17(3) GDPR were applicable. Nordax therefore violated Article 17(1) GDPR.
Fourth, the DPA determined that the controller violated Article 12(3) GDPR because the controller had provided incorrect information. The controller had incorrectly informed the data subject on 12 February 2019 that he was blocked from the controller's direct marketing operation, while this was not the case at the time.
Fifth, the DPA determined that the controller violated Article 12(6) GDPR by requesting additional information from the data subject before complying with the data subject's second objection request of 9 July 2019. Nordax already had access to all the information necessary to comply with the objection of the data subject.
Lastly, the DPA concluded that the controller violated Article 12(3) GDPR once more by not informing the data subject that, in accordance with his second objection request of 9 July 2019, he would no longer be subject to the controller's direct marketing operation.
The DPA held that this was a minor infringement and reprimanded the controller pursuant to Article 58(2)(b) GDPR. The DPA further ordered the controller to comply with the access request pursuant to Article 58(2)(c) GDPR and to deal with the erasure request pursuant to Article 58(2)(d) GDPR. Also, the DPA ordered the controller pursuant to Article 58(2)(d) GDPR to provide the data subject with information on the measures taken to comply with the data subject's objection to the processing, in accordance with Article 12(3) GDPR.
Comment
Regarding the violation of Article 15 GDPR, the DPA states that the controller should have complied with the data subject's request for access. It is not clear to which of the two access requests the DPA is referring. It could be that this is the second request of 11 February 2019, since the controller had mistaken the first request to be an objection to processing. This is however speculative.
In contrast, regarding the violation of Article 17 GDPR, the DPA states that the controller should have complied with the data subject's requests for erasure. So in this case, the DPA does determine a violation for both requests of the data subject.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(11) Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-06-27, no. DI-2020-10696. Only the Swedish version of the decision is deemed authentic. Ref no: 2020-10696, Decision under the General Data IMI case no. 134903 Protection Regulation – Nordax Bank Date of decision: AB 2022-06-27 Date of translation: 2022-06-27 Decision of the Swedish Authority for Privacy Protection (IMY) The Swedish Authority for Privacy Protection (IMY) finds that Nordax Bank AB has processed personal data in breach of: - Article 15 of the General Data Protection Regulation (GDPR) by failing to handle the complainant’s requests of access made on 5 December 2018 and 11 February 2019. - Article 17 by not without undue delay handle the complainant’s requests for erasure made on 5 December 2018 and 11 February 2019. - Article 12(3) by not without undue delay provide information to the complainant on the measures taken, namely that the complainant was blocked from direct marketing mailings, in response to the complainant’s objection to direct marketing made on 9 July 2019. The Swedish Authority for Privacy Protection finds that Nordax Bank AB has processed personal data in breach of: - Article 12(6) by requesting the complainant to submit further information in order to comply with the request to object to direct marketing on 9 July 2019, even though the data provided in the request was sufficient to actually complete the request. The Authority for Privacy Protection issues Nordax Bank AB a reprimand pursuant to Postal address: Article 58(2)(b) of the GDPR for the infringement of the Articles 12(3), 12(6), 15, 17 of Box 8114 the GDPR. 
104 20 Stockholm Website: In accordance with Article 58(2)(c) of the GDPR, IMY orders Nordax Bank AB to: www.imy.se E-mail: imy@imy.se 1 Phone: protection of natural persons with regard to he processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 08-657 61 00Privacy Protection Authority Our ref: 2020-10696 2(11) Date:2022-06-27 - Comply with the complainant’s request to exercise its right of access under Article 15 of the GDPR, with exception for information which is subject to any applicable derogation provided for in Article 15(4). This is done by providing the complainant access to all personal data that Nordax process regarding the complainant by providing the complainant with a copy of the personal data referred to in Article 15(3) and provide information pursuant to points (a) to (h) of Article 15(1) and 15.2. The measures shall be implemented no later than two weeks after this decision has become final. In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to: - Handle the complainant’s request of erasure of all of his personal data according to Article 17 by assessing whether there is personal data that the company in accordance with Article 17 is obliged to erase and, if so, to do so, and to inform the complainant in accordance with Article 12(3) or (4). The measures must be implemented no later than two weeks after this decision has become final. In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to: - In accordance with Article 12(3), provide the complainant with information on the measures which have been taken in response to the complainant’s request to exercise his right of objection to processing for direct marketing purposes. The measures shall be implemented no later than two weeks after this decision has become final. 
Report on the supervisory matter The Authority for Privacy Protection (IMY) has initiated supervision regarding Nordax Bank AB (Nordax or the company) due to a complaint. The complaint has been submitted to IMY, as responsible supervisory authority for the company’s operations pursuant to Article 56 of the General Data Protection Regulation (GDPR). The handover has been made from the supervisory authority of the country where the complainant has lodged their complaint (Norway) in accordance with the Regulation’s provisions on cooperation in cross-border processing. The investigation in the case has been carried out through correspondence. In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities in Norway, Denmark, Finland and Germany. The complaint The complaint states the following. The complaint alleges that the company has not dealt with the complainant’s requests to exercise the complainant’s rights under the GDPR in relation to the right of access pursuant to Article 15, the right of erasure pursuant to Article 17 and objection to obtaining personal data processed for direct marketing purposes as referred to in Article 21(2). E-mail correspondence with the company is attached to the complaint. What Nordax has stated Nordax has mainly stated the following.Privacy Protection Authority Our ref: 2020-10696 3(11) Date:2022-06-27 Nordax is the data controller for the processing to which the complaint relates. The processing is carried out by Nordax personal data processor Iper Direkt AB (Iper) on behalf of Nordax and for direct marketing purposes, which is regulated in agreements between Nordax and Iper. Nordax determines the purposes and means of the processing. 
The relationship can be compared to the example set out in the EDPB Guidelines 07/2020 on the terms “controller” and “processor” in GDPR, (“Example: market research”). 2 Iper is responsible and the controller of the address register and responsible for managing the rights of data subjects whose personal data are available in this address register. Based on these, Iper makes, on behalf of Nordax, a selection from its address register and provides the addresses to another data processor that Nordax uses to carry out the marketing mailings. Nordax does not process or store any personal data since the data provided by Iper to Nordax is de-identified. Right of access Nordax Bank AB originally received a request for access from the complainant on 5 December 2018. The request concerned "information on all data relating to me as you have stored and what the data is used for". The complainant’s request was answered by email on 6 December 2018 with the information that the complainant’s personal data are not processed by Nordax why a request for access (or erasure) could not be handled. Nordax states that, as a data controller, however, the company should have interpreted this as a request under Article 15 of the GDPR and provided the complainant with access to personal data with the help of the personal data processor Iper in accordance with the provisions of Article 28 of the GDPR. Nordax took the view that the complainant´s main request was not a request of access to personal data pursuant to Article 15. In the light of the information in the complainant’s email and that the complainant did not contact Nordax after a block on direct marketing was established in respect of the complainant on 9 July 2019, Nordax considered that the complainant’s primary wish was to be blocked against addressed direct marketing from the company. 
Nordax believes that the complainant considers that the request for objection has been dealt with but can definitely comply with the complainant’s request for access if the complainant still wishes to exercise its right to access to the personal data. Right to erasure The complainant´s request for erasure was received on 5 December 2018 and Nordax replied to it on 6December 2018. It was clear from the reply that the company did not consider that it stored the complainant´s personal data, why any erasure of data at Nordax could not be done. It is the address provider Iper, Nordax data processor, who is reported to have stored the complainant’s personal data at the time of the complainant’s request. Iper is controller of the address register for which Nordax receives addresses for direct marketing mailings. Nordax does not have the ability to erase personal data in Iper’s register. It is against this background that Nordax has not complied with the complainant’s request for erasure. Furthermore, Nordax states that the company is currently processing personal data regarding the complainant in order to maintain a block on addressed direct marketing, which is necessary to comply with a legal obligation. Nordax has by e-mail on 6 December 2018 and 16July 2019 provided general information to the complainant that Nordax may process the complainant’s personal data in order to maintain a block on addressed direct marketing. Personal data of the complainant is also being processed to deal with the ongoing supervisory case which will be discontinued when the enforcement case is closed. The company has not interpreted the complainant´s 2 EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2,0, page 19.Privacy Protection Authority Our ref: 2020-10696 4(11) Date:2022-06-27 request for erasure in such a way that it would have included these ongoing processes of personal data. 
Right of objection The complainant submitted a request for access and deletion on 5December 2018 which Nordax replied on 6December 2018. In the light of the information in the complainant´s request Nordax presumed that the complainant had received addressed direct marketing mailings of Nordax products. Therefore, Nordax provided information on how the complainant should proceed with a block against further direct marketing mailings of Nordax products. In order to block an individual against addressed direct marketing Nordax needs information about the individual’s pre- and surname and full address which the company informed the complainant about. Nordax never received additional information from the complainant and could not therefore block the complainant from the addressed direct marketing mailings. On 11February 2019, the complainant submitted a further request for access and erasure and objection to receiving direct marketing mailings. Nordax responded to the complainant´s request on 12 February 2019 by referring to an earlier reply to the request for access and erasure and stated that Nordax has grant the complainant´s request to object to receiving further direct marketing. However, the complainant was wrongly informed on that occasion that Nordax had taken measures to prevent the complainant from receiving further direct marketing mailings. Nordax believes that the handling of the case in question has failed due to the human factor and the company reviews its procedures for individuals who wish to object to direct marketing mailings because of this, to ensure that incorrect information is not sent again. The complainant´s lodged a further complaint on 9July 2019, which Nordax once again replied with information on how the complainant should proceed in order to block himself against addressed direct marketing mailings. 
At the time of receipt of this objection, the complainant was also finally blocked from further addressed direct marketing mailings for Nordax products. However, Nordax has not informed the complainant that he was blocked from such further direct marketing mailings for Nordax products. Nor did the complainant contact Nordax after 9 July 2019.

Justification of the decision

Applicable provisions, etc.

Data controller

The controller, as defined in Article 4(7) of the GDPR, means the natural or legal person which alone or jointly with others determines the purposes and means of the processing of personal data. In the European Data Protection Board (EDPB) Guidelines 07/2020 on the concepts of controller and processor in the General Data Protection Regulation, the following is stated concerning the respective roles of processors and controllers in the exercise of data subjects' rights: "It is crucial to bear in mind that, although the practical management of individual requests can be outsourced to the processor, the controller bears the responsibility for complying with such requests. Therefore, the assessment as to whether requests by data subjects are admissible and/or the requirements set by the GDPR are met should be performed by the controller, either on a case-by-case basis or through clear instructions provided to the processor in the contract before the start of the processing. Also, the deadlines set out by Chapter III cannot be extended by the controller based on the fact that the necessary information must be provided by the processor." [3] The Guidelines also state the following in an example, to which Nordax refers concerning the relationship between Nordax and Iper: "Example: Market research 1. Company ABC wishes to understand which types of consumers are most likely to be interested in its products and contracts a service provider, XYZ, to obtain the relevant information.
Company ABC instructs XYZ on what type of information it is interested in and provides a list of questions to be asked of those participating in the market research. Company ABC receives only statistical information (e.g., identifying consumer trends per region) from XYZ and does not have access to the personal data itself. Nevertheless, Company ABC decided that the processing should take place, the processing is carried out for its purpose and its activity, and it has provided XYZ with detailed instructions on what information to collect. Company ABC is therefore still to be considered a controller with respect to the processing of personal data that takes place in order to deliver the information it has requested. XYZ may only process the data for the purpose given by Company ABC and according to its detailed instructions and is therefore to be regarded as a processor." [4]

In the literature, Öman points out the following: "The legal person which engages another legal person to process personal data, e.g. for storing and disseminating or for collecting and processing the personal data, is normally considered to be the controller and the hired party a processor. This applies even if it is the hired company, and not the company that hires it, that has the knowledge of how best to process the personal data, such as how to store, collect, disseminate and process them, and the resources to do it. In fact, the company that hires has decided the means of processing of the personal data by employing a company that can use certain methods. This may involve outsourcing IT operations or hiring a company to collect personal data within the framework of market research."

Rights of the data subject

According to Article 12(3) of the GDPR, the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.
That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Pursuant to Article 12(6), where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

[3] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, paragraph 132.
[4] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, page 19.

Under Article 15(1), the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data from the controller. Pursuant to Article 17(1), the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay under the conditions set out in that article. Under Article 21(2) and (3), the data subject shall have the right to object at any time to the processing of personal data concerning him or her for direct marketing purposes. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Assessment of the Authority for Privacy Protection (IMY)

On the basis of the complaint in this case, IMY examined the company's conduct in the individual case.
Therefore, IMY will not consider whether the company's current procedure for processing requests is compatible with the GDPR, but may take possible improvements into account when considering the choice of corrective measures.

Is Nordax the controller for the processing in question, and has the company been obliged to deal with the complainant's requests to exercise his rights?

The question in this case is whether Nordax has had an obligation to comply with the complainant's requests for access, erasure and objection under the GDPR and, if so, whether the company handled the complainant's requests correctly. In order to investigate this, IMY first needs to consider whether Nordax is the controller for the processing of personal data in this case. Nordax has stated that the company is the controller for the processing. The processing consists of the fact that the company Iper, on behalf of Nordax and based on selection criteria that Nordax determines, makes a selection from Iper's address register and provides addresses for the sending of direct marketing to a third company that Nordax hires to make the mailings. Nordax argues that the company itself does not deal with any data, as the data provided by Iper to Nordax are de-identified. The investigation shows that Nordax initially failed to comply with the complainant's first requests for access and erasure pursuant to Articles 15 and 17 on the grounds that the company does not process or store the complainant's personal data and that the complainant should instead turn directly to Iper. IMY notes, however, that it is not necessary to have access to or store personal data in order to be considered the controller for a particular processing operation. What matters is who decides the purposes and means of the processing.
Since the processing consisting of the selection from Iper's address register for direct marketing is carried out on behalf of Nordax and based on the selection criteria that Nordax has decided, IMY considers that Nordax determines the purposes and means of the processing and is therefore the controller for the processing. This means that Nordax is responsible for handling the complainant's requests, either by handling the requests itself or by giving clear instructions to, for example, a processor so that the processor is able to do so. [5] Nordax's argument that it is not responsible for Iper's address register does not alter that. Nordax's statement that it receives only de-identified data from Iper is irrelevant to the company's responsibility to deal with the complainant's requests. Nordax is responsible for the processing of personal data carried out by Iper, namely the selection for the advertising received by the complainant to which the complaint relates. There is therefore no need to consider whether the data received by Nordax are de-identified in such a way that they are not personal data. IMY points out that any information that can directly or indirectly identify a natural person is personal data, including information that has been encoded, encrypted or pseudonymised but which can be linked to a natural person with the help of additional information. Since IMY has found that Nordax is the controller for the processing that the complaint concerns, and is therefore responsible for ensuring that the complainant's requests to exercise his rights under the GDPR are dealt with, IMY goes on to investigate whether Nordax handled the requests correctly under the Regulation.

Has Nordax handled the complainant's requests to exercise his rights in compliance with the GDPR?
Request for access

It is apparent from the investigation that the complainant submitted his first request for access to the company on 5 December 2018. The request was worded in such a way that the complainant wished to receive access to all data stored by the company about the complainant and information about what the data was used for. Nordax did not take any action other than to inform the complainant that the complainant's personal data were not being processed by the company and that the request could therefore not be met. At the same time, Nordax informed the complainant of its process for the selection and dispatch of addressed direct marketing and which address provider Nordax uses for the selection of addresses. The complainant subsequently submitted his second request for access on 11 February 2019, to which Nordax replied on 12 February by referring to its previous reply to the complainant. During the investigation, Nordax stated that it should have interpreted the complainant's requests as a request to exercise the right of access under Article 15 of the GDPR and, with the assistance of Iper, provided the complainant with the data and information to which he was entitled. IMY shares this assessment. IMY notes in that regard that it is true that, in the request, the complainant referred to stored data, but that it should nevertheless have been clear to Nordax that the complainant intended to exercise his full right of access, and that it is Nordax's responsibility, as controller for the processing, to ensure that the request was handled. Furthermore, IMY notes that Nordax has still not complied with the request, even though the company now admits that it is obliged to do so. Nordax has stated that it can comply with the complainant's request for access if the complainant so wishes.
IMY notes, however, that there is no evidence to suggest that the request is no longer relevant, such as the complainant having withdrawn it. By failing to comply with the complainant's request for access, Nordax has processed personal data in violation of Article 15 of the GDPR.

[5] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, paragraph 132.

Request for deletion

It is apparent from the investigation that, on 5 December 2018, the complainant also submitted his first request for deletion. Nordax did not take any action other than to inform the complainant that the complainant's personal data were not processed by the company and that the request could therefore not be met. At the same time, Nordax informed the complainant of its process for the selection and dispatch of addressed direct marketing and which address provider Nordax uses for the selection of addresses. The complainant subsequently submitted his second request for deletion on 11 February 2019, to which Nordax replied on 12 February by referring to its previous reply to the complainant. Article 17(3) of the GDPR provides an exhaustive list of the grounds on which a request for erasure may be rejected. That the controller does not store the data being processed is not such a ground. As IMY has stated above, the company is obliged to deal with the complainant's requests, which the company has not done. Nordax has thus processed personal data in violation of Article 17 of the GDPR by not handling the complainant's requests for erasure without undue delay.

Request for objection

The investigation shows that Nordax perceived that, on 5 December 2018, the complainant also submitted an objection to the processing of personal data for direct marketing purposes pursuant to Article 21(2) GDPR.
Nordax informed the complainant how he could proceed to object to further direct marketing and requested additional information from the complainant in order to be able to fulfil that right. However, the complainant did not return with additional information. IMY considers that, as the request was worded, the complainant had not invoked his right to object to direct marketing. IMY therefore notes that Nordax did not have any obligation to deal with it as such a request, but welcomes the fact that Nordax nevertheless provided information on how the complainant could proceed to block further direct marketing. The complainant lodged his first actual objection to further direct marketing on 11 February 2019. Nordax provided information that the complainant had been blocked from further direct marketing, but that information was incorrect at the time. Because, on 12 February 2019, Nordax gave the complainant incorrect information on the measures taken on the basis of his objection, namely that the complainant's information had been blocked from further direct marketing mailings, Nordax has acted in violation of Article 12(3). The complainant lodged his second objection on 9 July 2019. Nordax replied to the complainant on 16 July 2019, referring to previous replies on how the complainant could try to block himself from further marketing. The company did, however, block the complainant from further addressed direct marketing on 9 July 2019, but did not inform the complainant of this measure.
Against this background, IMY takes the view that Nordax has satisfied the complainant's second objection pursuant to Article 21(2) of the GDPR. In Nordax's reply to the second objection, the company asked the complainant to submit additional information in order to comply with the request, even though the existing information in the request was, according to Nordax, sufficient to actually satisfy the request directly. For this reason, Nordax has requested additional information that was not necessary to confirm the identity of the data subject, in violation of Article 12(6). Furthermore, Nordax did not inform the complainant that, in accordance with his second objection, he had been blocked from further addressed direct marketing. Nordax has thereby failed to fulfil its obligation under Article 12(3) to provide the data subject with information on the measures taken under Article 21 and has thus processed personal data in breach of Article 12(3) of the GDPR.

Choice of corrective measure

It follows from Article 58(2)(i) and Article 83(2) of the GDPR that IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) sets out the factors to be taken into account when deciding whether to impose an administrative fine and in determining its amount. In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider are the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and previous relevant infringements. IMY notes the following relevant facts.
Nordax has stated that it has taken action by reviewing its procedures to ensure that incorrect information is not sent again, and by reviewing how the company handles data subjects' rights regarding processing carried out on the company's behalf by its processor. According to IMY, the infringements found occurred relatively far back in time, were partly due to the human factor and affected one person. In addition, the company has not previously acted in breach of the GDPR. Against this background, IMY considers that this is a minor infringement within the meaning of recital 148 and that Nordax Bank AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR. Since the company has not handled the complainant's request for access even though it is obliged to do so, IMY considers that there is reason, in accordance with Article 58(2)(c), to order the company to comply with the complainant's request to exercise his right of access under Article 15, with the exception of information which is subject to any applicable derogation provided for in Article 15(4). This is to be done by giving the complainant access to all personal data that Nordax processes regarding the complainant, by providing the complainant with a copy of the personal data referred to in Article 15(3), and by providing the information pursuant to points (a) to (h) of Article 15(1) and Article 15(2). The measures shall be implemented no later than two weeks after this decision has become final. The company has also failed to deal with the complainant's request for erasure even though it is obliged to do so.
IMY therefore considers that it is appropriate, on the basis of Article 58(2)(d), to order the company to deal with the complainant's request for erasure of all personal data referred to in Article 17 by considering whether there are personal data which the company is obliged to erase in accordance with Article 17 and, if so, erasing the data and informing the complainant in accordance with Article 12(3) or (4). The measures shall be completed no later than two weeks after the date on which this decision has become final. Furthermore, Nordax did not inform the complainant about the measure taken, namely that the complainant had been blocked from further addressed direct marketing, in response to the complainant's second request to exercise the right to object to processing for direct marketing purposes. IMY considers that it is appropriate, pursuant to Article 58(2)(d), to order the company to provide the complainant, in accordance with Article 12(3), with information on the measures taken in response to the complainant's request to exercise his right to object to processing for direct marketing purposes. The measures shall be implemented no later than two weeks after this decision has become final.

This decision has been approved by the specially appointed decision-maker after presentation by a legal advisor.

How to appeal

If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you are appealing and the change you request. The appeal must be received by the Authority for Privacy Protection no later than three weeks from the day you received the decision.
If the appeal has been received in time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review. You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority's contact information is shown on the first page of the decision.