FiS - 7679-22: Difference between revisions

From GDPRhub
mNo edit summary
m (Link to user fixed)
 
(12 intermediate revisions by 3 users not shown)
Line 13: Line 13:


|Original_Source_Name_1=Sveriges Domstolar
|Original_Source_Name_1=Sveriges Domstolar
|Original_Source_Link_1=https://www.domstol.se/nyheter/2023/04/klarna-bank-ab-har-overtratt--dataskyddsforordningen-men-domstolen-sanker-sanktionsavgiften/
|Original_Source_Link_1=https://gdprhub.eu/images/5/50/Stockholm_FR_7679-22_Dom_2023-04-14.pdf
|Original_Source_Language_1=Swedish
|Original_Source_Language_1=Swedish
|Original_Source_Language__Code_1=SV
|Original_Source_Language__Code_1=SV
|Original_Source_Name_2=
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Link_2=https://www.domstol.se/forvaltningsratten-i-stockholm/
|Original_Source_Language_2=
|Original_Source_Language_2=Swedish
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=SV


|Date_Decided=14.04.2023
|Date_Decided=14.04.2023
Line 68: Line 68:
|Appeal_To_Link=https://www.domstol.se/nyheter/2024/03/kammarratten-faststaller-sanktionsavgift-for-klarna/
|Appeal_To_Link=https://www.domstol.se/nyheter/2024/03/kammarratten-faststaller-sanktionsavgift-for-klarna/


|Initial_Contributor=Izel
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Inkg inkg]
|
|
}}
}}


The Swedish Administrative Court reduced Klarna's fine to €600,000, finding fewer GDPR breaches than initially assessed by the Swedish DPA, while taking  Klarna's continuous improvement in information provision into account
A court reduced a fine issued against Klarna from €730,000 to €600,000, finding that the Swedish DPA erroneously relied on nonbinding guidelines in finding certain violations of disclosure obligations.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 28 March 2022, IMY fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities.  
On 28 March 2022, the Swedish DPA (IMY) fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. IMY found that the controller violated the GDPR in the following respects:
IMY found that Klarna violated GDPR in the following respects:
 
a) Klarna did not provide information about the purpose and the legal basis for data processing relating to service "My economy",
* It did not provide information about the purpose and the legal basis for data processing relating to the service "My economy",
b) Klarna provided incomplete and misleading information about who were the recipients of different categories of personal data when they were shared with Swedish and foreign credit reference agencies.
* It provided incomplete and misleading information about the recipients of different categories of personal data when they were shared with Swedish and foreign credit reference agencies.
c) Klarna did not provide information about which countries outside the EU/EEA personal data was transferred, and where and how data subjects can access or obtain documents regarding safeguards that applied to the applicable transfer.
* It did not provide information about which countries outside the EU/EEA personal data was transferred to, and where and how data subjects can access or obtain documents regarding safeguards that applied to the applicable transfer.
d) Klarna provided incomplete information about retention periods and the criteria to determine these periods.
* It provided incomplete information about retention periods and the criteria to determine these periods.
c) Klarna provided inadequate information about the below data subjects' rights which did not comply with the principle of transparency:
* It provided inadequate information about the data subjects' rights which did not comply with the principle of transparency, in particular the rights to request from the controller the erasure of personal data under [[Article 17 GDPR]], to restrict processing of personal data [[Article 18 GDPR]], to data portability under [[Article 20 GDPR]] and to object to the processing under [[Article 21 GDPR]]
- right to request from the controller the erasure of personal data under [[Article 17 GDPR]]
* Its privacy policy lacked meaningful information about the logic, significance and foreseen consequences of automated decision-making, including profiling, under [[Article 21 GDPR#1|Article 22(1) GDPR]].
- right to restrict the processing of personal data [[Article 18 GDPR]]
The controller appealed the decision to the administrative court, challenging the basis of IMY's decision. It claimed, in particular, that IMY relied heavily on non-binding guidelines. The controller argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, the controller claimed that it has been fined too heavily for violating non-binding guidelines.  The controller also argued that the fined should be reduced as a result of IMY's failure to adequately process the case, which weakened the controller's ability to defend itself. It claimed that it took IMY approximately three years to process the case, with two years of inactivity.  
- right to data portability under [[Article 20 GDPR]]
- right to object to the processing under [[Article 21 GDPR]]
d) Klarna's privacy policy lacked meaningful information about the logic, significance and foreseen consequences of automated decision-making, including profiling, under [[Article 22 GDPR#1|Article 22.1 GDPR]]
Klarna appealed the decision to the administrative court challenging, among others, that IMY relied heavily on non-binding guidelines. Klarna argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, Klarna claimed that it has been fined heavily for violating non-binding guidelines.


== Holding ==
== Holding ==
The Administrative Court upheld Klarna Bank AB's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The administrative court firstly reminded that Article 29 WP's Guidelines on transparency, which was formally endorsed by EDPB, have the purpose to promote an efficient and uniform application of GDPR. It also stated that the guidelines are not binding, but may have some significance for guidance. It held that there is no possibility to impose sanctions based on guidelines without any support in GDPR.  
The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The Court began by noting that Article 29 WP's Guidelines on transparency, which were formally endorsed by EDPB, have the purpose to promote an efficient and uniform application of GDPR. It stated that the guidelines are not binding, but may have some significance for guidance. Still, it held that there is no possibility to impose sanctions based on guidelines without any support in GDPR.
 
- "My economy" service
 
Klarna informed the data subjects at the time of registration that they collect and use data based on consent and for the purpose of provision of the service. Some additional purposes are listed only in the privacy notice. However, while the information provided during registration included the legal basis for data processing, Klarna's privacy notice only mentioned the processing purposes, not the legal basis. The Court therefore concluded that Klarna did not provide the legal basis for all purposes of processing activities and the information provided was therefore insufficient and did not meet the requirements of [[Article 13 GPDR#1c|Article 13.1.c GDPR]]
 
- The recipients of personal data
 
The court found that Klarna did not breach [[Article 13 GDPR#1e|Article 13.1.e GDPR]], contrary to IMY's assertion. While acknowledging the Article 29 WP's guidelines on transparency, which state that controllers must provide data subjects with information about recipients based on the fairness principle, including the recipients' locations, the court determined that the GDPR requires only the naming of recipients or categories of recipients, not whether the recipient is a Swedish or a foreign credit agency.
 
- Transfers to third countries
 
The court found that Klarna violated [[Article 13 GDPR#1f|Article 13.1.f GDPR]] by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines.
 
- Retention of personal data
 
The Court ruled that Klarna's practice of stating that personal data will be stored as long as necessary for each respective purpose, while providing examples of retention periods for some processing activities, failed to meet the transparency requirements of [[Article 13 GDPR#2a|Article 13.2.a GDPR]]. It noted the Article 29 WP's transparency guidelines, which call for information to be specified in a way to enable data subjects to assess, based on their own situations, the retention periods for specific data or purpose.


- Information about data subjects' rights
The Court considered each of the violations identified by IMY. It disagreed with the IMY's findings of GDPR breaches in two instances, holding that the controller did not breach [[Article 12 GDPR#1|Articles 12(1)]] and [[Article 13 GDPR#1e|13(1)(e) GDPR]]. On the other hand, it upheld IMY's findings that the controller was deficient in providing information to data subjects and violated the principle of transparency [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. 


The court stated that it is the controller's responsibility to provide information about the specific rights that allow the data subject to understand the meaning of their rights. The court found that Klarna has failed to provide sufficient information about data subjects' rights and thereby violated [[Article 13 GDPR#2b|Article 13.2.b GDPR]]. Specifically, Klarna did not adequately describe the rights to request erasure, restriction, and data portability, nor did they provide information about the right to object to certain processing.  
In assessing the fine, the Court considered that these violations, in conjunction with the extent of data processing, led to GDPR breaches that cannot be considered to cause limited harm. At the same time, it considered that the controller's violations were not intentional and acknowledged that the controller had continuously improved its information. It rejected the controller's arguments that IMY's investigation was unreasonably long.


-Profiling and automated decision-making
==== Detailed Summary of the Court's Assessment of IMY's Findings ====
<u>Information about processing related to "My economy" service:</u> The Court concluded that the controller did not provide the legal basis for all purposes of processing activities and the information provided was therefore insufficient, upholding IMY's finding that the controller violated [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. The controller informed the data subjects at the time of registration that it collects and uses data based on consent and for the purpose of provision of the service. Some additional purposes of collection were listed only in the privacy notice, but the privacy notice failed to indicate their legal basis. 


The court found that Klarna's privacy notice did not include details about the use of its own internal scoring model based on internal and external financial information, or the specific types of data included in the financial information such as debts to other lenders. It also lacked information about which circumstances could be crucial for a negative credit decision.  The court disagreed with the Swedish DPA, stating that Klarna does not have to disclose all the specific circumstances that always lead to a rejection as this is not explicitly required by GDPR. However, the Court ruled that Klarna breached [[Article 13 GDPR#2f|Article 13.2.f GDPR]] and [[Article 14 GDPR#2g|Article 14.2.g GDPR]] for not disclosing its use of a scoring model and the information it processes.  
<u>Information about the recipients of personal data:</u> Contrary to IMY's finding, the Court held that the controller did not breach [[Article 13 GDPR#1e|Article 13(1)(e) GDPR]]. While it acknowledged the Article 29 WP's guidelines on transparency, which state that controllers must provide data subjects with information about recipients based on the fairness principle, including the recipients' locations, the Court determined that the GDPR requires only the naming of recipients or categories of recipients, not whether the recipient is a Swedish or a foreign credit agency.  


- How the information has been provided
<u>Information about transfers to third countries:</u> The Court affirmed IMY's determination that the controller violated [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]] by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines.


The court reminded that [[Article 13 GDPR]] and [[Article 14 GDPR]] detail the information that needs to be disclosed to data subjects. while [[Article 12 GDPR#1|Article 12.1 GDPR]] outlines the manner in which this information should be delivered. Therefore, a breach of [[Article 13 GDPR]] and [[Article 14 GDPR]] does not inherently result in a breach of  [[Article 12 GDPR#1|Article 12.1 GDPR]] . The court ruled in favor of Klarna, stating that the Swedish DPA did not sufficiently prove that Klarna had violated [[Article 12 GDPR#1|Article 12.1 GDPR]].  
<u>Information about retention of personal data:</u> The Court ruled that the controller's practice of stating that personal data will be stored as long as necessary for each respective purpose, while providing examples of retention periods for some processing activities, failed to meet [[Article 13 GDPR#2a|Article 13(2)(a) GDPR]] transparency requirements. It noted the Article 29 WP's transparency guidelines, which call for information to be specified in a way to enable data subjects to assess, based on their own situations, the retention periods for specific data or purpose.  


- Fundamental principles
<u>Information about data subjects' rights:</u> The Court found that the controller failed to provide sufficient information about data subjects' rights and thereby violated [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]], affirming IMY's finding. Specifically, the controller did not adequately describe the rights to request erasure, restriction, and data portability, nor did they provide information about the right to object to certain processing. 


The Court ruled that Klarna's information regarding the legal basis for personal data processing in the service "My Economy", data retention period, transfer of personal data to third countries, as well as information about the logic behind the company's profiling and automated decision-making, has been incomplete. As a result, Klarna violated the obligations on transparency and information provision, as outlined in [[Article 13 GDPR]] and [[Article 14 GDPR]]. The court found that this breach significantly impacted the company's processing of personal data and therefore Klarna breached the principle of transparency in [[Article 5 GDPR#1a|Article 5.1.a GDPR]]. However, the court did not agree with the Swedish DPA's claim that Klarna also violated principles of lawfulness and fairness in the GDPR.  
<u>Information about profiling and automated decision-making:</u> The Court found that the controller's privacy notice did not include details about the use of its own internal scoring model based on internal and external financial information, or about the specific types of data included in the financial information such as debts to other lenders. It also lacked information about which circumstances could be crucial for a negative credit decision. The court disagreed in part with IMY's reasoning, stating that the controller does not have to disclose all the specific circumstances that always lead to a rejection as this is not explicitly required by GDPR. Nonetheless, the Court ruled that the controller breached [[Article 13 GDPR#2f|Article 13(2)(f) GDPR]] and [[Article 14 GDPR#2g|Article 14(2)(g) GDPR]] for not disclosing its use of a scoring model and the information it processes.  


- The size of the sanction
<u>Disclosure of information:</u> The Court ruled in favor of the controller, stating that IMY did not sufficiently prove that the controller had violated [[Article 12 GDPR#1|Article 12(1) GDPR]]. The court explained that [[Article 13 GDPR]] and [[Article 14 GDPR]] detail the information that needs to be disclosed to data subjects, while [[Article 12 GDPR#1|Article 12(1) GDPR]] outlines the manner in which this information should be delivered. Therefore, it held, a breach of [[Article 13 GDPR]] and [[Article 14 GDPR]] does not inherently result in a breach of  [[Article 12 GDPR#1|Article 12(1) GDPR]], and that in this case IMY failed to prove a violation of [[Article 12 GDPR#1|Article 12(1) GDPR]] specifically.


The court considered that the violation cannot be considered as serious as Swedish DPA has assessed as the court found that, there was no deficiencies in information provided about the recipients of personal data, and that the Swedish DPA failed to prove how  [[Article 12 GDPR#1|Article 12.1 GDPR]] was violated. The court considered that the central deficiencies in providing information to data subjects, violation of principle of transparency [[Article 5 GDPR#1a|Article 5.1.a GDPR]], the extensive data processing, the importance of violated provisions for data subjects to exercise their rights, led to a violation that cannot be considered to cause limited harm. The court also took into account that Klarna has continuously improved the information. The court therefore lowered the sanction to €600,000 (SEK 6,000,000).
<u>Principle of transparency:</u> The Court ruled that the controller's information regarding the legal basis for personal data processing in the service "My Economy", data retention period, transfer of personal data to third countries, as well as information about the logic behind the company's profiling and automated decision-making, was incomplete. As a result, the controller violated the obligations on transparency as required by [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]]. However, the court did not agree with the IMY's claim that the controller violated principles of lawfulness and fairness under [[Article 5 GDPR#1a|Articles 5(1)(a) GDPR]].


== Comment ==
== Comment ==

Latest revision as of 09:14, 2 May 2024

FiS - 7679-22
Courts logo1.png
Court: FiS (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 13(1)(c) GDPR
Article 17 GDPR
Article 18 GDPR
Article 20 GDPR
Article 21 GDPR
Article 22(1) GDPR
Decided: 14.04.2023
Published:
Parties: Klarna Bank AB
National Case Number/Name: 7679-22
European Case Law Identifier:
Appeal from: IMY (Sweden)
DI-2019-4062
Appeal to: Appealed - Overturned
KamR Stockholm (Sweden)‎
2829-23
Original Language(s): Swedish Swedish
Original Source: Sveriges Domstolar (in Swedish) (in Swedish)
Initial Contributor: inkg

A court reduced a fine issued against Klarna from €730,000 to €600,000, finding that the Swedish DPA erroneously relied on nonbinding guidelines in finding certain violations of disclosure obligations.

English Summary

Facts

On 28 March 2022, the Swedish DPA (IMY) fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. IMY found that the controller violated the GDPR in the following respects:

  • It did not provide information about the purpose and the legal basis for data processing relating to the service "My economy",
  • It provided incomplete and misleading information about the recipients of different categories of personal data when they were shared with Swedish and foreign credit reference agencies.
  • It did not provide information about which countries outside the EU/EEA personal data was transferred to, and where and how data subjects can access or obtain documents regarding safeguards that applied to the applicable transfer.
  • It provided incomplete information about retention periods and the criteria to determine these periods.
  • It provided inadequate information about the data subjects' rights which did not comply with the principle of transparency, in particular the rights to request from the controller the erasure of personal data under Article 17 GDPR, to restrict processing of personal data Article 18 GDPR, to data portability under Article 20 GDPR and to object to the processing under Article 21 GDPR
  • Its privacy policy lacked meaningful information about the logic, significance and foreseen consequences of automated decision-making, including profiling, under Article 22(1) GDPR.

The controller appealed the decision to the administrative court, challenging the basis of IMY's decision. It claimed, in particular, that IMY relied heavily on non-binding guidelines. The controller argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, the controller claimed that it has been fined too heavily for violating non-binding guidelines. The controller also argued that the fined should be reduced as a result of IMY's failure to adequately process the case, which weakened the controller's ability to defend itself. It claimed that it took IMY approximately three years to process the case, with two years of inactivity.

Holding

The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The Court began by noting that Article 29 WP's Guidelines on transparency, which were formally endorsed by EDPB, have the purpose to promote an efficient and uniform application of GDPR. It stated that the guidelines are not binding, but may have some significance for guidance. Still, it held that there is no possibility to impose sanctions based on guidelines without any support in GDPR.

The Court considered each of the violations identified by IMY. It disagreed with the IMY's findings of GDPR breaches in two instances, holding that the controller did not breach Articles 12(1) and 13(1)(e) GDPR. On the other hand, it upheld IMY's findings that the controller was deficient in providing information to data subjects and violated the principle of transparency Article 5(1)(a) GDPR.

In assessing the fine, the Court considered that these violations, in conjunction with the extent of data processing, led to GDPR breaches that cannot be considered to cause limited harm. At the same time, it considered that the controller's violations were not intentional and acknowledged that the controller had continuously improved its information. It rejected the controller's arguments that IMY's investigation was unreasonably long.

Detailed Summary of the Court's Assessment of IMY's Findings

Information about processing related to "My economy" service: The Court concluded that the controller did not provide the legal basis for all purposes of processing activities and the information provided was therefore insufficient, upholding IMY's finding that the controller violated Article 13(1)(c) GDPR. The controller informed the data subjects at the time of registration that it collects and uses data based on consent and for the purpose of provision of the service. Some additional purposes of collection were listed only in the privacy notice, but the privacy notice failed to indicate their legal basis.

Information about the recipients of personal data: Contrary to IMY's finding, the Court held that the controller did not breach Article 13(1)(e) GDPR. While it acknowledged the Article 29 WP's guidelines on transparency, which state that controllers must provide data subjects with information about recipients based on the fairness principle, including the recipients' locations, the Court determined that the GDPR requires only the naming of recipients or categories of recipients, not whether the recipient is a Swedish or a foreign credit agency.

Information about transfers to third countries: The Court affirmed IMY's determination that the controller violated Article 13(1)(f) GDPR by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines.

Information about retention of personal data: The Court ruled that the controller's practice of stating that personal data will be stored as long as necessary for each respective purpose, while providing examples of retention periods for some processing activities, failed to meet Article 13(2)(a) GDPR transparency requirements. It noted the Article 29 WP's transparency guidelines, which call for information to be specified in a way to enable data subjects to assess, based on their own situations, the retention periods for specific data or purpose.

Information about data subjects' rights: The Court found that the controller failed to provide sufficient information about data subjects' rights and thereby violated Article 13(2)(b) GDPR, affirming IMY's finding. Specifically, the controller did not adequately describe the rights to request erasure, restriction, and data portability, nor did they provide information about the right to object to certain processing.

Information about profiling and automated decision-making: The Court found that the controller's privacy notice did not include details about the use of its own internal scoring model based on internal and external financial information, or about the specific types of data included in the financial information such as debts to other lenders. It also lacked information about which circumstances could be crucial for a negative credit decision. The court disagreed in part with IMY's reasoning, stating that the controller does not have to disclose all the specific circumstances that always lead to a rejection as this is not explicitly required by GDPR. Nonetheless, the Court ruled that the controller breached Article 13(2)(f) GDPR and Article 14(2)(g) GDPR for not disclosing its use of a scoring model and the information it processes.

Disclosure of information: The Court ruled in favor of the controller, stating that IMY did not sufficiently prove that the controller had violated Article 12(1) GDPR. The court explained that Article 13 GDPR and Article 14 GDPR detail the information that needs to be disclosed to data subjects, while Article 12(1) GDPR outlines the manner in which this information should be delivered. Therefore, it held, a breach of Article 13 GDPR and Article 14 GDPR does not inherently result in a breach of Article 12(1) GDPR, and that in this case IMY failed to prove a violation of Article 12(1) GDPR specifically.

Principle of transparency: The Court ruled that the controller's information regarding the legal basis for personal data processing in the service "My Economy", data retention period, transfer of personal data to third countries, as well as information about the logic behind the company's profiling and automated decision-making, was incomplete. As a result, the controller violated the obligations on transparency as required by Articles 5(1)(a), 13 and 14 GDPR. However, the court did not agree with the IMY's claim that the controller violated principles of lawfulness and fairness under Articles 5(1)(a) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

The administrative court in Stockholm assesses that Klarna Bank AB has not violated the data protection regulation to the extent claimed by the Privacy Protection Authority. The court has therefore decided that the penalty fee should be reduced.

The Privacy Protection Authority (IMY) decided on March 28, 2022 to impose a penalty fee of SEK 7.5 million on Klarna Bank AB because the company has breached its information obligation. Klarna Bank AB has appealed the decision and believes, among other things, that the company has been notified of a penalty fee for violating non-binding guidelines and that it is in violation of basic Swedish and European law. According to the company, there is therefore no support for imposing a penalty fee.
Judgment of the court
The administrative court in Stockholm shares IMY's assessment that the registered did not receive sufficient information about how and for what purposes certain personal data is processed. Those registered have also not received sufficient information about their rights. Support for imposing a penalty fee on Klarna Bank AB due to this can be found in the data protection regulation. However, there is not sufficient support that Klarna Bank AB has breached its obligation to provide information to the same extent as IMY claims.
- The court considers that Klarna Bank AB has violated the data protection regulation. However, the violation is not as serious as IMY has assessed in the appealed decision and the penalty fee must therefore be reduced from SEK 7.5 million to SEK 6 million, says councilor Gustav Forsberg.