KamR Stockholm - 2829-23: Difference between revisions

From GDPRhub
m (Hi Izel, Thank you for your summary! I just edited the summary to be in line with the previous appeal and changed IMY into DPA and some other minor spelling mistakes. Again super good summary :))
(Hi Izel, I'm sorry for completely rearranging your summary. We realised that it was very convoluted and difficult for readers to understand why the court first did not see a violation of e.g. art. 12 and then for something else suddenly there was. This was not you but the way the court wrote its decision. I shortened the summary now and only kept the relevant parts that referred to the previous decision ((dis)agreements w/other court) to make it easier to read. Thank you for your work!!)
 
(11 intermediate revisions by 2 users not shown)
Line 25: Line 25:
|Year=2024
|Year=2024


|GDPR_Article_1=Article 1(2) GDPR
|GDPR_Article_1=Article 12(1) GDPR
|GDPR_Article_Link_1=Article 1 GDPR#2
|GDPR_Article_Link_1=Article 12 GDPR#1
|GDPR_Article_2=Article 5(1)(a) GDPR
|GDPR_Article_2=Article 13(1)(f) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1a
|GDPR_Article_Link_2=Article 13 GDPR#1f
|GDPR_Article_3=Article 5(2) GDPR
|GDPR_Article_3=Article 13(2)(b) GDPR
|GDPR_Article_Link_3=Article 5 GDPR#2
|GDPR_Article_Link_3=Article 13 GDPR#2b
|GDPR_Article_4=Article 12(1) GDPR
|GDPR_Article_4=Article 14(2)(g) GDPR
|GDPR_Article_Link_4=Article 12 GDPR#1
|GDPR_Article_Link_4=Article 14 GDPR#2g
|GDPR_Article_5=Article 13 GDPR
|GDPR_Article_5=Article 83(2) GDPR
|GDPR_Article_Link_5=Article 13 GDPR
|GDPR_Article_Link_5=Article 83 GDPR#2
|GDPR_Article_6=Article 13(1)(e) GDPR
|GDPR_Article_Link_6=Article 13 GDPR#1e
|GDPR_Article_7=Article 13(1)(c) GDPR
|GDPR_Article_Link_7=Article 13 GDPR#1c
|GDPR_Article_8=Article 13(1)(f) GDPR
|GDPR_Article_Link_8=Article 13 GDPR#1f
|GDPR_Article_9=Article 13(2)(a) GDPR
|GDPR_Article_Link_9=Article 13 GDPR#2a
|GDPR_Article_10=Article 13(2)(b) GDPR
|GDPR_Article_Link_10=Article 13 GDPR#2b
|GDPR_Article_11=Article 13(2)(f) GDPR
|GDPR_Article_Link_11=Article 13 GDPR#2f
|GDPR_Article_12=Article 14(2)(g) GDPR
|GDPR_Article_Link_12=Article 14 GDPR#2g
|GDPR_Article_13=Article 15 GDPR
|GDPR_Article_Link_13=Article 15 GDPR
|GDPR_Article_14=
|GDPR_Article_Link_14=
|GDPR_Article_15=
|GDPR_Article_Link_15=


|EU_Law_Name_1=
|EU_Law_Name_1=
Line 88: Line 68:
}}
}}


The Administrative Court of Appeal g raised the administrative fine back to €730,000 (SEK 7,300,000) for Klarna Bank AB's insufficient and incomplete privacy policy.
A court confirmed a €730,000 (SEK 7,300,000) fine against Klarna, dismissing the controller’s argument that the DPA took unreasonably long in the procedure and violated the controller’s procedural rights.


== English Summary ==
== English Summary ==
Line 95: Line 75:
On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects.
On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects.


The controller appealed the DPA's decision to the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information.
The controller appealed the DPA's decision to a court of first instance, the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information.


The DPA appealed this decision to the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000).  
The DPA appealed this decision to a court of appeal, the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000).  


=== Holding ===
=== Holding ===
The Court reviewed the appealed decision to determine whether the controller should be fined on the grounds put forward by the DPA. The Court specifically reviewed whether the controller's privacy policy fulfills the requirement of [[Article 12 GDPR]] - [[Article 16 GDPR]] and whether the controller's processing activities fulfill the principle of transparency in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and accountability in [[Article 5 GDPR#2|Article 5(2) GDPR]].
The court of appeal, reviewed the entire appealed decision to decide whether the controller should be fined on the grounds put forward by the DPA. The Court therefore reviewed whether the controller provided complete or sufficient information on different aspects in their privacy policy and if they fulfilled the requirements on how it should be provided under [[Article 12 GDPR]], [[Article 13 GDPR]] and [[Article 14 GDPR]].


The Court considered that the controller violated the GPDR by:
The court of appeal disagreed with the court of first instance on whether the controller infringed [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]] by not indicating the specific countries to which personal data is transferred. The court of appeal found that the GDPR does not require that the specific third countries must be named. Therefore, the Court held that the controller did not violate [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]] by not specifying the third countries in their privacy policy.


* not specifying in its privacy policy the legal basis for all purposes ([[Article 13 GDPR#1c|Article 13(1)(c) GDPR]])
Moreover, the court of appeal disagreed with the court of first instance on whether the information provided by the controller on the rights of data subjects fulfilled the requirements of [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]]. This Article requires the controller to inform the data subject of the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning him or her, or to object to processing, and of the right to data portability. The court of appeal held that the wording of the provision does not indicate anything other than that the data subject must be informed of the existence of the rights. The court of appeal found that there is nothing to suggest that the controller, in addition to informing the data subject of the existence of the rights listed in [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]], is obliged to describe the meaning of the rights in more detail. Therefore, unlike the court of first instance, the court of appeal found that the controller did not violate [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]] in that respect.
* not providing information on how data subjects can access information on safeguards for third country transfers ([[Article 13 GDPR#1f|Article 13(1)(f) GDPR]])
* not providing full information on how personal data will be stored ([[Article 13 GDPR#2a|Article 13(2)(a) GDPR]])
* not providing information on the use of a scoring model and the data processed in it ([[Article 13 GDPR#2f|Article 13(2)(f) GDPR]] and
[[Article 14 GDPR#2g|Article 14(2)(g) GDPR]])
* and not providing clear and easily accessible information on the “My economy” service, the right to data portability, restriction and automated decision-making ([[Article 12 GDPR#1|Article 12(1) GDPR]])


The Court took into account that the information concerned a large number of data subjects and that the shortcomings related to information based on articles that are central to the data subjects. Moreover, the Court took into consideration that the breaches did not take place for a long time and the privacy policy had been continuously improved. Moreover, taking into account the controller’s argument that the DPA’s case took unreasonably long and that the controller’s right to informed without delay of the significance of and grounds for the accusations was violated, the Court did not see a reason to reduce the fine on the basis of [[Article 83 GDPR#2|Article 83(2) GDPR]] and [https://fra.europa.eu/en/law-reference/european-convention-human-rights-article-6 Article 6(1) and 6(3)(a) ECHR].
The court of appeal agreed with the court of first instance that the controller failed to provide information on safeguards for third country transfers ([[Article 13 GDPR#1f|Article 13(1)(f) GDPR]]) and the use of a scoring model in their automated decision-making and how the data was processed in it ([[Article 14 GDPR#2g|Article 14(2)(g) GDPR]]). Thus, the court of appeal  held that the controller violated [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]] and [[Article 14 GDPR#2g|Article 14(2)(g) GDPR]] regarding these two elements of the privacy policy.  


Thus, the Court held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, upholding the DPA’s appeal.
Moreover, the court of appeal found that the controller did not provide information on automated decision-making in such an easily accessible form as required by [[Article 12 GDPR#1|Article 12(1) GDPR]]. The court of appeal considered that spreading information over different sections does not necessarily mean that the information is difficult to access by data subjects. However, the court of appeal found that the information on automated decision-making in the privacy policy referred to different sections of the privacy policy which made the information not easily accessible as it was difficult to identify what the relevant information was in the referred sections.  


==== Detailed Summary of the Court's assessment ====
The court of appeal also found that the information about the right to data portability was provided in such a way that it was difficult to understand that it is a separate right. The right to restriction was also expressed in the privacy policy as "oppose" and "stop processing". This was different terminology than the GDPR and created obscurity according to the court of appeal. Due to these ambiguities, the court of appeal found that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]].
<u>Information about transfers to third countries:</u> The Court agreed with the Administrative Court that the controller violated [[Article 13 GDPR#1f|Article&nbsp;13(1)(f)&nbsp;GDPR]] by not providing information on how data subjects can access information on safeguards for third-country transfers.  


However, the Court did hold that [[Article 13 GDPR#1f|Article 13(1)(f) GDPR]] does not require specific third countries to be specified on privacy policy. Therefore, the Court found, contrary to Administrative Court's finding, that controller's privacy policy met the requirements of [[Article 13 GDPR#1f|Article&nbsp;13(1)(f)&nbsp;GDPR]].
Given this new legal assessment, the court of appeal evaluated the appropriateness of the fine. As a mitigating factor, the court of appeal recognised that the breaches did not take place for a long time and the privacy policy had been continuously improved. However, the court of appeal took into account that the information concerned a large number of data subjects and that the shortcomings related to information based on articles that are fundamental to the data subjects. Finally, the court of appeal dismissed the controller’s argument that the DPA’s case took unreasonably long and that the controller’s right to be informed without delay of the significance of and grounds for the accusations was violated. Thus, the court of appeal did not see a reason to reduce the fine on the basis of [[Article 83 GDPR#2|Article 83(2) GDPR]] and [https://fra.europa.eu/en/law-reference/european-convention-human-rights-article-6 Article 6(1) and 6(3)(a) ECHR].


<u>Information about processing related to "My Economy" service:</u> Agreeing with the Administrative Court, the Court rejected the controllers arguments and held that controller violated [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] regarding information on the legal basis for each purposes in relation to the service "My Economy" and [[Article 13 GDPR#2a|Article 13(2)(a) GDPR]] regarding data storage. 
Thus, the court of appeal held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, and upheld the DPA’s appeal.
 
According to the Court, the information provided about the legal basis during the registration for the "My Economy" service was clear and did not violate [[Article 12 GDPR#1|Article 12(1) GDPR]], contrary to DPA's claim. However, regarding the information about the purpose, the Court assessed that the structure of the data protection information, the terms of use, and the cross-references between the documents made the information difficult to access and was unclear to data subjects. Therefore, the Court held that the information did not comply with [[Article 12 GDPR#1|Article 12(1) GDPR]].
 
<u>Recipients of personal data</u><nowiki>:</nowiki> The Court agreed with the Administrative Court's finding that the controller does not have an obligation to differentiate between Swedish or foreign credit agencies in the information provided under [[Article 13 GDPR#1e|Article 13(1)(e) GDPR]]. Thus, the controller can put credit reference agencies in the same category of recipient, regardless of the country in which the business is conducted. Therefore, the Court found that controller did not violate [[Article 13 GDPR#1e|Article 13(1)(e) GDPR]].
 
<u>Informing about data subjects rights<nowiki>:</nowiki></u> The Court stated that the wording of [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]] indicates that the data controller should inform about the existence of the rights specified in the article. On the question of whether the controller should also inform about the meanings of these rights, the Court pointed out the one of the purpose of GDPR is to protect the rights of individuals in the processing of personal data (see [[Article 1 GDPR#2|Article 1(2) GDPR]]). The Court also referred to [https://gdpr-text.com/read/recital-39/ Recital 39], stating that individuals should be made aware of their rights regarding processing of personal data, including how to exercise them. The Court found no indication that the controller, in addition to informing about the existence of the rights listed in [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]], was obliged to further describe the meaning of those rights. Consequently, the Court, contrary to Administrative Court and the DPA, found that the controller did not violate [[Article 13 GDPR#2b|Article 13(2)(b) GDPR]]. 
 
On the other hand, the Court, agreeing with the DPA's findings, concluded that controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]]. This was because the name of the "right to restriction" was not provided and instead expressed as the right to "oppose" and "stop processing", which the Court found to be unclear terminology and difficult to understand for the data subject. The Court also found that controller breached [[Article 12 GDPR#1|Article&nbsp;12(1)&nbsp;GDPR]], because the right to data portability was provided under right to access, which according to the Court and the DPA, made it difficult to understand that it is a separate right.
 
<u>Information about profiling and automated decision making</u><nowiki>:</nowiki> The Court, like the Administrative Court and contrary to the DPA's finding, stated that controller is not obliged to provide information about the circumstances that always lead to rejection. However, the Court assessed that the controller violated [[Article 13 GDPR#2f|Article 13(2)(f) GDPR]] and [[Article 14 GDPR#2g|Article 14(2)(g) GDPR]] by not informing data subjects about the use of a scoring model and the data processed in it.
 
Furthermore, the Court stated that when information, for example on automated decision-making, is provided in different places,  greater clarity is required for it to be easily accessible. The Court considered that, referencing to information at another section of the privacy policy, made it difficult to access and identify relevant information. Consequently, the Court found that the controller did not inform about automated decision-making in an easily accessible manner and therefore breached [[Article 12 GDPR#1|Article 12(1) GDPR]].
 
<u>The principle of transparency</u><nowiki>:</nowiki> The Court considered that the violations consisted of controller not providing complete or sufficient information and not meeting the requirements on how it should be provided. The Court found that, although the controller had breached several articles expressing the principle of transparency in the GDPR, the violations are not of a character and extent that the controller could be considered to have violated the principle of transparency in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. Thus, the Court held that the controller did not violate [[Article 5 GDPR#2|Article 5(2) GDPR]].


== Comment ==
== Comment ==
''Share your comments here!''
Please find the summary of the court of first instance's decision here: [[FiS - 7679-22]].


== Further Resources ==
== Further Resources ==

Latest revision as of 11:55, 15 May 2024

KamR Stockholm - 2829-23
Courts logo1.png
Court: KamR Stockholm (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(1) GDPR
Article 13(1)(f) GDPR
Article 13(2)(b) GDPR
Article 14(2)(g) GDPR
Article 83(2) GDPR
Decided: 11.03.2024
Published: 11.03.2024
Parties: Klarna Bank AB
IMY
National Case Number/Name: 2829-23
European Case Law Identifier:
Appeal from: Administrative Court of Stockholm (Sweden)
7679-22
Appeal to: Not appealed
Original Language(s): Swedish
Original Source: Kammarrätten i Stockholm (in Swedish)
Initial Contributor: inkg

A court confirmed a €730,000 (SEK 7,300,000) fine against Klarna, dismissing the controller’s argument that the DPA took unreasonably long in the procedure and violated the controller’s procedural rights.

English Summary

Facts

On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects.

The controller appealed the DPA's decision to a court of first instance, the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information.

The DPA appealed this decision to a court of appeal, the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000).

Holding

The court of appeal, reviewed the entire appealed decision to decide whether the controller should be fined on the grounds put forward by the DPA. The Court therefore reviewed whether the controller provided complete or sufficient information on different aspects in their privacy policy and if they fulfilled the requirements on how it should be provided under Article 12 GDPR, Article 13 GDPR and Article 14 GDPR.

The court of appeal disagreed with the court of first instance on whether the controller infringed Article 13(1)(f) GDPR by not indicating the specific countries to which personal data is transferred. The court of appeal found that the GDPR does not require that the specific third countries must be named. Therefore, the Court held that the controller did not violate Article 13(1)(f) GDPR by not specifying the third countries in their privacy policy.

Moreover, the court of appeal disagreed with the court of first instance on whether the information provided by the controller on the rights of data subjects fulfilled the requirements of Article 13(2)(b) GDPR. This Article requires the controller to inform the data subject of the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning him or her, or to object to processing, and of the right to data portability. The court of appeal held that the wording of the provision does not indicate anything other than that the data subject must be informed of the existence of the rights. The court of appeal found that there is nothing to suggest that the controller, in addition to informing the data subject of the existence of the rights listed in Article 13(2)(b) GDPR, is obliged to describe the meaning of the rights in more detail. Therefore, unlike the court of first instance, the court of appeal found that the controller did not violate Article 13(2)(b) GDPR in that respect.

The court of appeal agreed with the court of first instance that the controller failed to provide information on safeguards for third country transfers (Article 13(1)(f) GDPR) and the use of a scoring model in their automated decision-making and how the data was processed in it (Article 14(2)(g) GDPR). Thus, the court of appeal held that the controller violated Article 13(1)(f) GDPR and Article 14(2)(g) GDPR regarding these two elements of the privacy policy.

Moreover, the court of appeal found that the controller did not provide information on automated decision-making in such an easily accessible form as required by Article 12(1) GDPR. The court of appeal considered that spreading information over different sections does not necessarily mean that the information is difficult to access by data subjects. However, the court of appeal found that the information on automated decision-making in the privacy policy referred to different sections of the privacy policy which made the information not easily accessible as it was difficult to identify what the relevant information was in the referred sections.

The court of appeal also found that the information about the right to data portability was provided in such a way that it was difficult to understand that it is a separate right. The right to restriction was also expressed in the privacy policy as "oppose" and "stop processing". This was different terminology than the GDPR and created obscurity according to the court of appeal. Due to these ambiguities, the court of appeal found that the controller violated Article 12(1) GDPR.

Given this new legal assessment, the court of appeal evaluated the appropriateness of the fine. As a mitigating factor, the court of appeal recognised that the breaches did not take place for a long time and the privacy policy had been continuously improved. However, the court of appeal took into account that the information concerned a large number of data subjects and that the shortcomings related to information based on articles that are fundamental to the data subjects. Finally, the court of appeal dismissed the controller’s argument that the DPA’s case took unreasonably long and that the controller’s right to be informed without delay of the significance of and grounds for the accusations was violated. Thus, the court of appeal did not see a reason to reduce the fine on the basis of Article 83(2) GDPR and Article 6(1) and 6(3)(a) ECHR.

Thus, the court of appeal held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, and upheld the DPA’s appeal.

Comment

Please find the summary of the court of first instance's decision here: FiS - 7679-22.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Klarna must pay a penalty fee of SEK 7.5 million because the data protection information did not meet the requirements of the EU's data protection regulation.

The violations of the data protection regulation consist of Klarna not providing sufficient information to the data subjects, for example, about how personal data will be stored, and that the information was difficult to access or unclear.
- The Court of Appeal considers that a penalty fee of SEK 7.5 million is justified to be effective, proportionate and dissuasive. The Court of Appeal thus makes the same assessment as the Swedish Privacy Protection Authority, says Peder Liljeqvist, a lawyer at the Court of Appeal.
The Court of Appeal thus changes the administrative court's ruling that the sanction fee would be SEK 6 million.