BlnBDI (Berlin) - 521.14730 / 631.410: Difference between revisions
(→Facts) |
(added date) |
||
Line 22: | Line 22: | ||
|Outcome=Rejected | |Outcome=Rejected | ||
|Date_Started= | |Date_Started= | ||
|Date_Decided= | |Date_Decided=26 April 2022 | ||
|Date_Published= | |Date_Published= | ||
|Year= | |Year= |
Revision as of 13:34, 19 October 2022
BlnBDI - 521.14730 / 631.410 | |
---|---|
Authority: | BlnBDI (Berlin) |
Jurisdiction: | Germany |
Relevant Law: | Article 12(3) GDPR Article 12(6) GDPR Article 15 GDPR Article 60(8) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 26 April 2022 |
Published: | |
Fine: | n/a |
Parties: | Klarna Bank AB |
National Case Number/Name: | 521.14730 / 631.410 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
Pursuant to the Article 60 GDPR cooperation mechanism, the Berlin DPA adopted a draft decision by a Swedish DPA which rejected a complaint on the basis of Article 15 GDPR. The complaint was rejected as the controller, firstly, had reasonable grounds to doubt the identity of the requester and, secondly, responded in time as the monthly time limit pursuant to Article 12(3) GDPR pauses while the data subject responds to an authentication request.
English Summary
Facts
The complaint was raised before the Berlin DPA in July 2021. It was transferred to the supervisory authority Sweden, which is the Lead Supervisory Authority (LSA) in accordance with Article 56 GDPR. The LSA Sweden conducted the investigation and the cooperation procedure in accordance with Article 60 GDPR and proposed a Draft Decision which dismissed / rejected the complaint. In accordance with Article 60(8) GDPR, the Berlin DPA, as the supervisory authority with which the complaint was lodged, adopted the Swedish decision.
According to the Swedish decision, Klarna, the controller, received an access request by the complainant on 6 June 2021. Klarna's customer service requested the complainant to complete their request with information regarding the complainant’s identity and requested the complainant’s telephone number in order to send a data access verification code. The complainant then provided the information regarding identity without giving a telephone number. On 17 June 2021, the complainant requested that the request be dealt with by 19 June 2021. On 24 June 2021, Klarna’s customer service again asked the complainant to provide a telephone number. The complainant submitted the information on the same day. The register extract with password was sent to the complainant on 12 July 2021.
The complainant is of the opinion that Klarna did not follow their duties according to Article 15 GDPR by replying to the request in time. Klarna was late in responding to the access request. Klarna considers that the extract of the register has been submitted within the time frame set out in Article 12(3) GDPR after the complainant has provided the necessary information regarding their identity.
Holding
The Swedish DPA pointed out that Article 12(3) GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to Article 15 GDPR. Further, the one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. If the time limit of one month is extended, the controller shall inform the data subject of the extension.
However, the DPA also noted that, as is clear form Article 12(6) GDPR, where the controller has reasonable grounds to doubt the identity of the natural person making a request pursuant to Articles 15 to 21 GDPR, the controller may request the provision of additional information necessary to confirm the identity of the data subject. In light of the facts, the DPA considered that Klarna had reasonable grounds to doubt the identity of the appellant and had adequately requested proportionate information without undue delay. Since the complainant did not submit that information until 24 June 2021, the time limit did not start to run again until then. Furthermore, the PDA considered that Klarna has handled the request without undue delay through the total 23 days.
The DPA held against this background that the investigation in the case does not show that the controller has processed the complainant’s personal data in breach of Articles 12(3), 12(6) and 15 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
521.14730 / 631.410 CR: 134712 Draft Decision IMI A60DD 372925 Berlin, 26 April 2022 Final Decision Preliminary remarks The complaint (ref. no. 521.14730 / 631.410 ) was raised before the Berlin DPA in July 2021. It was transferred to the supervisory authority Sweden, which is the Lead Supervisory Authority (LSA) for the cross-border processing carried out by Klarna Bank AB, in accordance with Article 56 GDPR. The LSA Sweden conducted the investigation and the cooperation procedure with all concerned supervisory authorities in accordance with Article 60 GDPR. The LSA Sweden pro- posed the Draft Decision 372925 and thereby the complaint was dismissed /rejected. In ac- cordance with Article 60 (8) GDPR, the Berlin DPA as the supervisory authority with which the complaint was lodged, hereby adopts the decision as it was agreed upon in the cooperation procedure and is included below: “ Decision of the Swedish Authority for Privacy Protection (IMY) The Authority for Privacy Protection (IMY) finds that Klarna not has processed personal data in breach of Articles 12.3, 12.6 and 15 of the General Data Protection Regulation (GDPR) 1 . The case is hereby closed. Berlin Commissionerfor Data ProtectioPhone: (030) 13889-0 Mail:mailbox@datenschutz-berlin.de and Freedom of Information (BlnBDI) Fax: (030) 215 50 50 Web: www.datenschutz-berlin.de Friedrichstr. 219, 10969 Berlin Officehours: Daily from 10 am to 3 pm, Visitors‘ entrance: Puttkamerstr. 16–Thursdays from 10 am to 6 pmReport on the supervisory report The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna Bank AB (Klarna or the company) due to a complaint. The complaint has been submitted to IMY, as responsible supervisory authority for the company’s operations pursuant to Article 56 of the General Data Protection Regulation (GDPR). The handover has been made from the supervisory authority of the country where the complainant has lodged their complaint (Germany, Berlin) in accordance with the Regulation’s provisions on coopera- tion in cross-border processing. The investigation in the case has been carried out through correspondence. In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for coop- eration and consistency contained in Chapter VII GDPR. The supervisory authorities con- cerned have been the data protection authorities in the Czech Republic, Denmark, Ger- many, Finland, Norway and Poland. The complaint The complaint states the following. On 6 June 2021, the complainant requested access to his personal data pursuant to Article 15 of the GDPR. When Klarna did not reply, a re- minder of the request for access was sent on 11 June 2021 and 17 June 2021. What Klarna has stated Klarna is the data controller for the processing to which the complaint relates. The request was received by Klarna on 6 June 2021. Klarna has dealt with the request received and has taken the following steps. On 11 June 2021, Klarna’s customer service requested the complainant to complete their request with information regarding the complainant’s iden- tity and requested the complainant’s telephone number in order to send a verification code(to access the personal data). The complainant then provided the information re- garding identity without giving a telephone number. On 17 June 2021, the complainant requested that the request be dealt with by 19 June 2021. On 24 June 2021, Klarna’s customer service again asked the complainant to provide a telephone number. The complainant submitted the information on the same day. The reg- ister extract with password was sent to the complainant on 12 July 2021. Klarna considers 2that the extract of the register has been submitted within the timeframe set out in Article 12(3) of the GDPR after the complainant has provided the necessary information regard- ing their identity. Justification of the decision Applicable provisions, etc. Article 12(3) of the GDPR requires the controller to provide the data subject, upon re- quest, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to, inter alia, Article 15. The one- month time limit may be extended by a further two months where the request is particu- larly complex or the number of requests received is high. If the time limit of one month is extended, the controller shall inform the data subject of the extension. Notification of the extension of the deadline shall take place within one month of receipt of the request. The controller shall also indicate the reasons for the delay. Without prejudice to Article 11, where the controller has reasonable grounds to doubt the identity of the natural person making a request pursuant to Articles 15 to 21, the control- ler may request the provision of additional information necessary to confirm the identity of the data subject. This is clear from Article 12(6). Under Article 15, the data subject has the right to obtain from the controller a copy of the personal data processed by the controller. The data subject shall also receive other infor- mation, such as the purpose for which the personal data are processed and to which re- cipients or categories of recipients the data are disclosed. The European Data Protection Board (EDPB) Guidelines 01/2022 on access indicate that the calculation of the one month deadline in Article 12(3) is calculated from the date of receipt of the request. However, where, following the request, a controller needs to take measures to ensure the identity of the data subject, the time limit may be suspended until the controller has received the information necessary to identify the data subject. This provided that the request for additional information has been made without undue delay. Assessment of the Authority for Privacy Protection (IMY) 3 The investigation shows that the complainant’s request for access was made on 6 June 2021 and that Klarna met the request on 12 July 2021, i.e. approximately one month later. It is also apparent that Klarna had doubts as to whether it was indeed the appellant who made the request and therefore, on 11 June 2021, asked the appellant to supple- ment the request with information for the purpose of verifying its identity and reminded it on 24 June 2021. IMY considers that Klarna had reasonable grounds to doubt the identity of the appellant and has adequately requested proportionate information without undue delay. Since the complainant did not submit that information until 24 June 2021, the time limit did not start to run again until then. Furthermore, IMY considers that Klarna has handled the request without undue delay through the total 23 days. IMY concludes against this background that the investigation in the case does not show Klarna has processed the complainant’s personal data in breach of Articles 12(3), 12(6) and 15 of the GDPR. The case is hereby closed.” Appeal Notice Against this decision a lawsuit before the Verwaltungsgericht Berlin (administrative court of Berlin), Kirchstraße 7, 10557 Berlin is admissible. The lawsuit needs to be filed in written form within one month after the announcement of this decision, it can also be filed as an electronic document with a qualified electronic signature (QES) for the record of the clerk of the court. Please, note that in case of filing the lawsuit in writing the legal deadline is only met if the lawsuit reaches the administrative court within the deadline. The Berlin Commissioner for Data Protection and Freedom of Information 4