IMY (Sweden) - DI-2021-10448,: Difference between revisions
Revision as of 08:51, 6 February 2023
IMY - DI-2021-10448, | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 15 GDPR Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 14.06.2022 |
Published: | |
Fine: | n/a |
Parties: | Klarna Bank |
National Case Number/Name: | DI-2021-10448, |
European Case Law Identifier: | EDPBI:SE:OSS:D:2022:381 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In this Article 60 GDPR procedure, Klarna Bank AB, a Swedish payment provider, had wrongfully used the data subject's first name in an e-mail sent to the data subject's partner, after which the data subject filed rectification and access requests. The Swedish DPA only determined a violation of Article 15 GDPR because the controller only answered the request 1 year and 3 months after it was submitted.
English Summary
Facts
The data subject had used the services of the controller, a Swedish payment provider for online services, to shop online. The partner of the data subject received the bills for these internet purchases. In some instances, these wrongly delivered bills were addressed to the data subject. According to the data subject, he/she had requested the controller to correct the names in the e-mail in December 2018.
In 2020, the partner of the data subject used the controller's services again to shop online. The partner of the data subject again received an e-mail which was addressed to the data subject. On 15 October 2022, the data subject made a second request for rectification.
On 10 October 2020, the data subject had also submitted a request for access, but received no reply from the controller.
The data subject filed a complaint at a German DPA (not clear which DPA and not clear at what date the complaint was filed), which transferred the complaint to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPAs of Denmark, Finland, Germany, France, Norway and the Netherlands. The Swedish DPA started an investigation into the controller.
During the subsequent investigation of the DPA, the controller stated that it had a system for automatic generation of first names in the initial greeting of an e-mail. According to the controller, both the data subject and their partner used the same e-mail address (email address "y"), to place orders using the controller's service, which was one of the reasons why it put the wrong name in the email.
The controller had also stated that it had rectified the information according to both requests of the data subject. It is not clear at what date the controller did this.
The controller also informed the DPA during its investigation that it had not "recognised" the access request of the data subject. The controller answered and complied with the access request on 21 January 2022, almost 1 year and 3 months after the request was submitted.
Holding
First, the DPA determined that the controller did not violate Article 5(1)(d) GDPR by regularly confusing the personal data of both the data subject and their partner by addressing the wrong person in the e-mails. The DPA reiterated that both the data subject and their partner had used 'e-mail address Y' to place online orders using the controller's service. The DPA noted that no other personal data than the first name of the data subject had been disclosed to the wrongly addressed partner. It also stated that the first name of the data subject was quite common. Therefore, this name did not constitute an identifier specific to the data subject.
Second, the DPA held that the controller did not violate Article 16 GDPR for the way it handled the two erasure requests of the data subject. The DPA stated that the data subject had not claimed that their requests for rectification were not met to any extent. It also could not determine any reason to question the information provided by the controller, which had stated that it complied with the requests of the data subject, although without providing a specific date when the controller did this.
Third, the DPA held that the controller had violated Article 15 GDPR because it only provided a reply to the data subject 1 year and 3 months after the request was submitted. The DPA noted that the time elapsed was 'relatively long'. Therefore, the controller had not handled the access request without undue delay pursuant to Article 12(3) GDPR. Therefore, the controller violated Article 15 GDPR.
The DPA considered this a minor infringement and reprimanded the controller pursuant to Article 58(2)(b) GDPR.
Comment
The data subject stated in the original complaint that she requested the controller to adjust the names in the controller's e-mails in December 2018. However, the controller stated that it received the data subject's first request for rectification on 5 November 2018. Although there is only a difference of around a month between these dates and this difference is inconsequential for the non-violation of Article 16 GDPR, the difference is still there, without any clarification from the parties or the DPA when the first request was submitted.
A similar difference is present for the supposed date when the data subject filed the access request. The data subject stated that the access request was filed on 10 October 2022. According to the controller, the data subject had submitted the request on 15 October 2020.
Also, it is not clear from the decision at what date the original complaint was submitted. It is also not clear from the decision which German DPA transferred the complaint to the Swedish DPA, although looking at the German case number ('83.41/20.039'), it is most likely that this was the Berlin DPA, although this is not 100% certain.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.