IMY (Sweden) - IMY-2022-9442: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=IMY-2022-9442 |ECLI= |Original_Source_Name_1=IMY (Sweden) |Original_Source_Link_1=https://www.imy.se/tillsyner/sj-ab/ |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Type=Complaint |Outcom...") |
mNo edit summary |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 69: | Line 69: | ||
}} | }} | ||
The DPA reprimanded a controller for not providing access to all data | The DPA reprimanded a controller for not providing access to all data processed about the data subject. The controller explained how to request the missing data, but the DPA considered this procedure overly complicated. | ||
== English Summary == | == English Summary == | ||
Line 80: | Line 80: | ||
On 15 February 2022, the controller contacted the data subject with a request for additional information to manually identify the data subject. The verification was done by the data subject on 19 April 2022 by mobile bank ID. | On 15 February 2022, the controller contacted the data subject with a request for additional information to manually identify the data subject. The verification was done by the data subject on 19 April 2022 by mobile bank ID. | ||
The documents the data subject requested were then sent in two batches. The first batch was sent on 3 May 2022 regarding the processing of personal data in the data subject’s capacity as a former employee of the controller. However, the provided information only | The documents the data subject requested were then sent in two batches. The first batch was sent on 3 May 2022 regarding the processing of personal data in the data subject’s capacity as a former employee of the controller. However, the provided information only covered the data subject’s employment from 2008 onwards and excluded any data of a technical nature. The controller later sent a cover letter explaining to the data subject how to request this additional information. | ||
The second batch was sent on 18 May 2022 regarding the processing of personal data in the data subject’s capacity as a customer. By mistake, the information was not provided in full, however, the controller argued that the full information was easily accessible on their website. The data subject was not informed how to access the missing information | The second batch was sent on 18 May 2022 regarding the processing of personal data in the data subject’s capacity as a customer. By mistake, the information was not provided in full, however, the controller argued that the full information was easily accessible on their website. The data subject was not informed how to access the missing information. | ||
The controller explained that personal data about the data subject in their customer case system was not included in the copy of the personal data provided to the subject, as a search for the data subject's email address in lower case did not produce any | In the light of this, on 18 November 2022, the data subject lodged a complaint with the Swedish DPA (“IMY”) against the controller. | ||
The controller explained that personal data about the data subject in their customer case system was not included in the copy of the personal data provided to the subject, as a search for the data subject's email address in lower case did not produce any result in the system. The controller did not know the system was case sensitive, and only found out later that using the data subject’s email address in capital letters would result in finding the customer case relating to the data subject’s access request. | |||
The controller also stated it had not included all personal data regarding the data subject’s travel history, because they typically retrieve personal data based on the email address and telephone number associated with the customer's bank ID. However, when making an access request, the data subject used a different email address and telephone number other than the one indicated in its customer profile. They explained that their routine is designed to avoid including personal data belonging to anyone other than the specific individual identified by the bank ID. This way, they aimed to prevent any potential privacy breaches or inclusion of unrelated personal data in the provided information. | The controller also stated it had not included all personal data regarding the data subject’s travel history, because they typically retrieve personal data based on the email address and telephone number associated with the customer's bank ID. However, when making an access request, the data subject used a different email address and telephone number other than the one indicated in its customer profile. They explained that their routine is designed to avoid including personal data belonging to anyone other than the specific individual identified by the bank ID. This way, they aimed to prevent any potential privacy breaches or inclusion of unrelated personal data in the provided information. | ||
=== Holding === | === Holding === | ||
Deadline | <u>Deadline</u> | ||
The DPA held that the time limit to respond to the data subject’s request started on 9 February 2022, the day the controller received it. The DPA took into account that the controller approached the data subject without undue delay with a request for additional information to verify the data subject’s identity. Due to this, the time limit was suspended until the controller received the information needed for verification. As the data subject verified their identity on 19 April 2022, the time limit continued to run from that date onwards. Therefore, the DPA held that the controller should have provided access under [[ | |||
The DPA held that the time limit to respond to the data subject’s request started on 9 February 2022, the day the controller received it. The DPA took into account that the controller approached the data subject without undue delay with a request for additional information to verify the data subject’s identity. Due to this, the time limit was suspended until the controller received the information needed for verification. As the data subject verified their identity on 19 April 2022, the time limit continued to run from that date onwards. Therefore, the DPA held that the controller should have provided access under [[Article 15 GDPR]] no later than 13 May 2022. Since the data subject received certain information on 3 May 2022 and the rest on 18 May 2022, the controller was supposed to notify the data subject of extending the deadline by one month. That did not happen. Therefore, the DPA found that the controller violated [[Article 12 GDPR#3|Article 12(3) GDPR]] by failing to respond to the data subject’s request for access under [[Article 15 GDPR]] without undue delay, or at the latest within one month. | |||
<u>Copy of personal data about the data subject as a customer</u> | |||
As the copy of personal data provided to the data subject as a customer did not encompass all processed personal data at the time of the request. The DPA determined that this constituted a violation of [[Article 15 GDPR#3|Article 15(3) GDPR]]. The controller was obligated to search for personal data associated with the information provided by the data subject, such as their e-mail address and a telephone number regardless of what is provided in its customer profile. If doubts arose regarding the data subject's identity, the controller could request additional information. However, the DPA found no evidence that the controller sought such confirmation. Consequently, by only searching for personal data linked to the contact details in the customer profile, the controller failed to ensure the inclusion of all relevant personal data. In addition, the controller did not provide further information to the data subject ton how to access the missing data related to their travel history. The fact that the controller had the full information available on its website, does not remedy this deficiency according to the DPA. Thus, the DPA found that the controller violated Article 15(1)(a) to (h) and 15(2) GDPR by failing to provide the data subject with all the information specified in those provisions. | |||
The DPA | |||
Copy of personal data about the data subject as a | <u>Copy of personal data about the data subject as a former employee</u> | ||
The DPA stated that the data subject should have access to all their personal data processed. The controller may decide to split the copy in two parts as long as the right of access is met. However, the controller should inform the data subject about this. Additionally, the data subject cannot be required to contact the controller on several occasions and in a complicated manner. to return to the controller if the data subject wished to access additional data. The controller should therefore have disclosed all the personal data it processed about the data subject in their capacity as a former employee and thus also data of a more technical nature. Therefore, the controller violated [[Article 15 GDPR#3|Article 15(3) GDPR]]. | The DPA stated that the data subject should have access to all their personal data processed. The controller may decide to split the copy in two parts as long as the right of access is met. However, the controller should inform the data subject about this. Additionally, the data subject cannot be required to contact the controller on several occasions and in a complicated manner. to return to the controller if the data subject wished to access additional data. The controller should therefore have disclosed all the personal data it processed about the data subject in their capacity as a former employee and thus also data of a more technical nature. Therefore, the controller violated [[Article 15 GDPR#3|Article 15(3) GDPR]]. | ||
Conclusion | <u>Conclusion</u> | ||
The DPA held that the controller failed to comply with its obligations under the right of access in relation to the data subject and violated [[Article 12 GDPR#3|Article 12(3) GDPR]] and Article 15(1)(a) to (h) GDPR, [[Article 15 GDPR#2|Article 15(2) GDPR]] and [[Article 15 GDPR#3|Article 15(3) GDPR]]. The DPA found that these were minor infringements pursuant to Recital 148 and therefore issued a reprimand against the controller under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] for the shortcomings found. The DPA also ordered the controller to comply with the data subject’s request under [[ | |||
The DPA held that the controller failed to comply with its obligations under the right of access in relation to the data subject and violated [[Article 12 GDPR#3|Article 12(3) GDPR]] and [[Article 15 GDPR#1a|Article 15(1)(a)]] to [[Article 15 GDPR#1h|(h) GDPR]], [[Article 15 GDPR#2|Article 15(2) GDPR]] and [[Article 15 GDPR#3|Article 15(3) GDPR]]. The DPA found that these were minor infringements pursuant to Recital 148 and therefore issued a reprimand against the controller under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] for the shortcomings found. The DPA also ordered the controller to comply with the data subject’s request under [[Article 15 GDPR]] by giving access to more information that were not included in the copy before. | |||
== Comment == | == Comment == |
Latest revision as of 14:43, 5 June 2024
IMY - IMY-2022-9442 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(3) GDPR Article 15 GDPR Article 15(1)(a) GDPR Article 15(1)(h) GDPR Article 15(2) GDPR Article 15(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 19.04.2022 |
Decided: | 29.06.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | IMY-2022-9442 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY (Sweden) (in SV) |
Initial Contributor: | ec |
The DPA reprimanded a controller for not providing access to all data processed about the data subject. The controller explained how to request the missing data, but the DPA considered this procedure overly complicated.
English Summary
Facts
The data subject was both a former employee and a customer at SJ AB, a train operator in Sweden (“the controller”).
On 9 February 2022, the data subject emailed the controller to request access. Although the controller provided a portal for such requests within the customer profile, technical problems with bank ID verification prevented access.
On 15 February 2022, the controller contacted the data subject with a request for additional information to manually identify the data subject. The verification was done by the data subject on 19 April 2022 by mobile bank ID.
The documents the data subject requested were then sent in two batches. The first batch was sent on 3 May 2022 regarding the processing of personal data in the data subject’s capacity as a former employee of the controller. However, the provided information only covered the data subject’s employment from 2008 onwards and excluded any data of a technical nature. The controller later sent a cover letter explaining to the data subject how to request this additional information.
The second batch was sent on 18 May 2022 regarding the processing of personal data in the data subject’s capacity as a customer. By mistake, the information was not provided in full, however, the controller argued that the full information was easily accessible on their website. The data subject was not informed how to access the missing information.
In the light of this, on 18 November 2022, the data subject lodged a complaint with the Swedish DPA (“IMY”) against the controller.
The controller explained that personal data about the data subject in their customer case system was not included in the copy of the personal data provided to the subject, as a search for the data subject's email address in lower case did not produce any result in the system. The controller did not know the system was case sensitive, and only found out later that using the data subject’s email address in capital letters would result in finding the customer case relating to the data subject’s access request.
The controller also stated it had not included all personal data regarding the data subject’s travel history, because they typically retrieve personal data based on the email address and telephone number associated with the customer's bank ID. However, when making an access request, the data subject used a different email address and telephone number other than the one indicated in its customer profile. They explained that their routine is designed to avoid including personal data belonging to anyone other than the specific individual identified by the bank ID. This way, they aimed to prevent any potential privacy breaches or inclusion of unrelated personal data in the provided information.
Holding
Deadline
The DPA held that the time limit to respond to the data subject’s request started on 9 February 2022, the day the controller received it. The DPA took into account that the controller approached the data subject without undue delay with a request for additional information to verify the data subject’s identity. Due to this, the time limit was suspended until the controller received the information needed for verification. As the data subject verified their identity on 19 April 2022, the time limit continued to run from that date onwards. Therefore, the DPA held that the controller should have provided access under Article 15 GDPR no later than 13 May 2022. Since the data subject received certain information on 3 May 2022 and the rest on 18 May 2022, the controller was supposed to notify the data subject of extending the deadline by one month. That did not happen. Therefore, the DPA found that the controller violated Article 12(3) GDPR by failing to respond to the data subject’s request for access under Article 15 GDPR without undue delay, or at the latest within one month.
Copy of personal data about the data subject as a customer
As the copy of personal data provided to the data subject as a customer did not encompass all processed personal data at the time of the request. The DPA determined that this constituted a violation of Article 15(3) GDPR. The controller was obligated to search for personal data associated with the information provided by the data subject, such as their e-mail address and a telephone number regardless of what is provided in its customer profile. If doubts arose regarding the data subject's identity, the controller could request additional information. However, the DPA found no evidence that the controller sought such confirmation. Consequently, by only searching for personal data linked to the contact details in the customer profile, the controller failed to ensure the inclusion of all relevant personal data. In addition, the controller did not provide further information to the data subject ton how to access the missing data related to their travel history. The fact that the controller had the full information available on its website, does not remedy this deficiency according to the DPA. Thus, the DPA found that the controller violated Article 15(1)(a) to (h) and 15(2) GDPR by failing to provide the data subject with all the information specified in those provisions.
Copy of personal data about the data subject as a former employee
The DPA stated that the data subject should have access to all their personal data processed. The controller may decide to split the copy in two parts as long as the right of access is met. However, the controller should inform the data subject about this. Additionally, the data subject cannot be required to contact the controller on several occasions and in a complicated manner. to return to the controller if the data subject wished to access additional data. The controller should therefore have disclosed all the personal data it processed about the data subject in their capacity as a former employee and thus also data of a more technical nature. Therefore, the controller violated Article 15(3) GDPR.
Conclusion
The DPA held that the controller failed to comply with its obligations under the right of access in relation to the data subject and violated Article 12(3) GDPR and Article 15(1)(a) to (h) GDPR, Article 15(2) GDPR and Article 15(3) GDPR. The DPA found that these were minor infringements pursuant to Recital 148 and therefore issued a reprimand against the controller under Article 58(2)(b) GDPR for the shortcomings found. The DPA also ordered the controller to comply with the data subject’s request under Article 15 GDPR by giving access to more information that were not included in the copy before.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.