IMY (Sweden) - DI-2019-6523: Difference between revisions
From GDPRhub
mNo edit summary |
m (→Facts) |
||
| Line 68: | Line 68: | ||
The Swedish DPA ("IMY") initiated an investigation against Expressen Lifestyle AB ("the controller") on 2019 to check whether consent was obtained in compliance with [[Article 6 GDPR#1|Article 6(1) GDPR.]] | The Swedish DPA ("IMY") initiated an investigation against Expressen Lifestyle AB ("the controller") on 2019 to check whether consent was obtained in compliance with [[Article 6 GDPR#1|Article 6(1) GDPR.]] | ||
Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data, and started relying mainly on contractual necessity | Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data, and started relying mainly on contractual necessity under [[Article 6 GDPR|Article 6(1)(b) GDPR]] or legitimate interest udner [[Article 6 GDPR|Article 6(1)(f) GDPR]] instead of consent when subscribing for the controller's magazine. However, the controller accidentally missed updating the registration form of one of the company's webshop, Magasinshoppen. The webshop had a checkbox on its webpage along with the text "''I accept the subscription terms. By doing so, I consent to the processing of personal data within the Bonnier Group.''" The controller also did not update the subscription terms which stated: “''When ordering, you agree that your personal data, including email address, mobile phone number for calls and text messages and any other digital addresses, may be stored and used within Bonnier for digital services, marketing, and for statistical and analytical purposes.''" Furthermore, information was provided on the the right to withdraw consent. | ||
After the DPA's inspection began, the controller took immediate action to correct the information provided in their webshop's registration process. Now, instead of being presented with either a consent request or consent information text, the data subject is asked to agree to the subscription terms (i.e. the terms of purchase) and to confirm to have read the controller’s data protection policy. | After the DPA's inspection began, the controller took immediate action to correct the information provided in their webshop's registration process. Now, instead of being presented with either a consent request or consent information text, the data subject is asked to agree to the subscription terms (i.e. the terms of purchase) and to confirm to have read the controller’s data protection policy. | ||
=== Holding === | === Holding === | ||
When collecting personal data from a data subject, the controller is | When collecting personal data from a data subject, the controller is obliged under [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] to provide information regarding the legal bases of the processing. [[Article 12 GDPR#1|Article 12(1) GDPR]] requires the controller to take steps to provide this information to the data subject in a concise, clear, intelligible and easily accessible form, using clear and plain language. The DPA held that the text next to the tick box of the controller’s website gave the data subject the impression that the controller’s legal basis for processing personal data was consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. This was reinforced by the text on the subscription terms and the provided information on the right to withdraw consent. As the controller did not base its processing on consent but on the legal grounds of contract ([[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]) and legitimate interests ([[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]), the DPA found that the controller violated [[Article 13 GDPR|Article 13(1)(c) GDPR]] by indicating an incorrect legal basis. | ||
The DPA found that the violations were a minor infringement pursuant to [https://gdpr-text.com/read/recital-148/ Recital 148], because the website was not the main website that was used by the data subjects to subscribe to the controller and thus the affected data subjects were limited and the violation did not result in serious consequences to the data subjects, Moreover, the DPA recognised that it was a mistake of the controller to not update the website after reviewing its procedures. The DPA also took into account that the controller took immediate action to update the registration of its webshop after the DPA initiated supervision. Therefore, the DPA issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] against the controller for violating [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. | The DPA found that the violations were a minor infringement pursuant to [https://gdpr-text.com/read/recital-148/ Recital 148], because the website was not the main website that was used by the data subjects to subscribe to the controller and thus the affected data subjects were limited and the violation did not result in serious consequences to the data subjects, Moreover, the DPA recognised that it was a mistake of the controller to not update the website after reviewing its procedures. The DPA also took into account that the controller took immediate action to update the registration of its webshop after the DPA initiated supervision. Therefore, the DPA issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] against the controller for violating [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. | ||
Revision as of 13:19, 7 May 2024
| IMY - DI-2019-6523 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 13(1)(c) GDPR [[Article 58 GDPR#2b|]] [[Category:]] |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 04.06.2019 |
| Decided: | 26.06.2023 |
| Published: | 29.04.2024 |
| Fine: | n/a |
| Parties: | Expressen Lifestyle AB |
| National Case Number/Name: | DI-2019-6523 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | IMY (Sweden) (in SV) |
| Initial Contributor: | inkg |
The DPA issued a reprimand against the controller for violating Article 13(1)(c) GDPR for giving data subjects the wrong impression by stating an incorrect legal basis for the processing of personal data on their website.
English Summary
Facts
The Swedish DPA ("IMY") initiated an investigation against Expressen Lifestyle AB ("the controller") on 2019 to check whether consent was obtained in compliance with Article 6(1) GDPR.
Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data, and started relying mainly on contractual necessity under Article 6(1)(b) GDPR or legitimate interest udner Article 6(1)(f) GDPR instead of consent when subscribing for the controller's magazine. However, the controller accidentally missed updating the registration form of one of the company's webshop, Magasinshoppen. The webshop had a checkbox on its webpage along with the text "I accept the subscription terms. By doing so, I consent to the processing of personal data within the Bonnier Group." The controller also did not update the subscription terms which stated: “When ordering, you agree that your personal data, including email address, mobile phone number for calls and text messages and any other digital addresses, may be stored and used within Bonnier for digital services, marketing, and for statistical and analytical purposes." Furthermore, information was provided on the the right to withdraw consent.
After the DPA's inspection began, the controller took immediate action to correct the information provided in their webshop's registration process. Now, instead of being presented with either a consent request or consent information text, the data subject is asked to agree to the subscription terms (i.e. the terms of purchase) and to confirm to have read the controller’s data protection policy.
Holding
When collecting personal data from a data subject, the controller is obliged under Article 13(1)(c) GDPR to provide information regarding the legal bases of the processing. Article 12(1) GDPR requires the controller to take steps to provide this information to the data subject in a concise, clear, intelligible and easily accessible form, using clear and plain language. The DPA held that the text next to the tick box of the controller’s website gave the data subject the impression that the controller’s legal basis for processing personal data was consent under Article 6(1)(a) GDPR. This was reinforced by the text on the subscription terms and the provided information on the right to withdraw consent. As the controller did not base its processing on consent but on the legal grounds of contract (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR), the DPA found that the controller violated Article 13(1)(c) GDPR by indicating an incorrect legal basis.
The DPA found that the violations were a minor infringement pursuant to Recital 148, because the website was not the main website that was used by the data subjects to subscribe to the controller and thus the affected data subjects were limited and the violation did not result in serious consequences to the data subjects, Moreover, the DPA recognised that it was a mistake of the controller to not update the website after reviewing its procedures. The DPA also took into account that the controller took immediate action to update the registration of its webshop after the DPA initiated supervision. Therefore, the DPA issued a reprimand under Article 58(2)(b) GDPR against the controller for violating Article 13(1)(c) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(3)
Expressen Lifestyle AB
105 44 Stockholm
Diary number:
DI-2019-6523
Supervision according to the data protection regulation
Date:
2023-06-26
– Expressen Lifestyle AB
The Privacy Protection Authority's decision
The Privacy Protection Authority states that Expressen Lifestyle AB (556025-4525),
has processed personal data in violation of Article 13.1 c of the data protection regulation
by stating an incorrect legal basis for the processing of the data subject
personal data during May 2018 until 4 June 2019.
The Privacy Protection Authority gives Expressen Lifestyle AB a reprimand according to article
58.2 b of the data protection regulation for violation of 13.1 c of the data protection regulation.
Account of the supervisory matter
On June 4, 2019, the Swedish Privacy Protection Authority (IMY) began an investigation against Bonnier
Magazine and Brands AB. The supervision was not prompted by any complaint but aimed at
to review the consents obtained to fulfill the obligation to have one
legal basis according to Article 6.1 of the data protection regulation met the requirements of
the data protection regulation on voluntariness, information and clarity and that the legal
the basis clearly appears. Bonnier Magazine and Brands AB was in charge
introducing a checkbox on their web page along with the text. "I approve
the subscription terms. I hereby consent to the processing of personal data within
The Bonnier Group.”
In its statement to IMY, Bonnier Magazines and Brands has stated that the information in
the registration flow in the company's webshop, Magasinshoppen, was accidentally not updated
in the same way as on other web pages. In accordance with the data protection regulation
coming into force in 2018, Bonnier Magazine and Brands AB carried out an extensive
work which meant, among other things, that the company reassessed its legal basis for
Processing of personal data. Instead of consent, Bonnier Magazine founded and
Brands AB's processing of customers' personal data mainly on legal grounds
Postal address: the grounds in Article 6.1 b of the Data Protection Regulation, agreement, or in Article 6.1 f i
Box 8114 data protection regulation, legitimate interest. In the normal registration flow that
104 20 Stockholm is used on Bonnier Magazine and Brands AB's web pages, the customer is asked to
Website: agree to the subscription terms and confirm that he has taken part in Bonnier
www.imy.se Magazine and Brands AB's data protection policy. Bonnier Magazines and Brands AB has
E-mail: stated that immediately when IMY started the supervision measures were taken to
imy@imy.se update the Magasinshoppen with correct information in the registration flow.
Phone:
08-657 61 00 The Swedish Privacy Agency Diary number: DI-2019-6523 2(3)
Date: 2023-06-26
Bonnier Magazines and Brands AB has been dissolved by merger on June 1, 2022 and
joined Expressen Lifestyle AB (556025-4525).
Justification of the decision
Of ch. 23 Section 1 of the Companies Act (2005:551) follows that the effects of a merger mean that
all assets and liabilities are taken over by another company at the time of the merger. The
The acquiring company is therefore responsible for the obligations that existed in the company that
taken over. In light of this, IMY makes the assessment that the acquiring company
after the time of the merger is a party to IMY's supervision matter and this supervision is therefore aimed at
against Expressen Lifestyle AB.
When a personal data controller collects personal data from a registered person shall
information regarding the legal basis for the processing appears, according to Article 13.1
c in the data protection regulation. The person in charge of personal data must, according to Article 12.1 i
data protection regulation take measures to provide this to the data subject
information in a concise, clear and clear, comprehensible and easily accessible form, with
the use of clear and unambiguous language. IMY considers that the text next to the checkbox on
the company's website "I accept the subscription terms. I hereby agree
personal data processing within the Bonnier Group", gives the registered impression that
the company's legal basis for processing personal data is consent according to article
6.1. a in the data protection regulation. The information text that was under the link with
the text of the subscription terms further reinforces this through wording
"When ordering, you agree that your personal data including email address,
mobile number for calls and text messages and any other digital
addresses, may be stored and used within Bonnier for digital services, marketing,
as well as for statistical and analysis purposes.”. Furthermore, information is provided in the same place
about the terms of consent including the right to withdraw consent.
The company has stated that the company does not base its processing on customers' personal data
on consent but mainly on the legal grounds agreement or justified
interest according to Article 6.1 b and f of the data protection regulation.
Against this background, IMY notes that the company has processed personal data in violation of
Article 13.1 c of the Data Protection Regulation by stating the wrong legal basis for
the processing of data subjects' personal data.
Choice of intervention
From article 58.2 and article 83.2 of the data protection regulation, it appears that IMY has
power to impose administrative penalty charges in accordance with Article 83.
Depending on the circumstances of the individual case, the administrative sanction
fees are imposed in addition to or instead of the other measures referred to in Article 58(2), which
for example injunctions and prohibitions. Furthermore, Article 83.2 states which factors
which must be taken into account when deciding whether administrative penalty charges must be imposed and at
determining the size of the fee. If it is a question of a minor violation, IMY gets
as set out in recital 148 instead of imposing a penalty charge issue one
reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating factors
circumstances of the case, such as the nature, severity and duration of the infringement
as well as previous violations of relevance.
IMY notes the following relevant circumstances. Bonnier Magazines and Brands
AB immediately took measures when IMY began its supervision to update the Privacy Protection Agency Diary number: DI-2019-6523 3(3)
Date: 2023-06-26
the information in the registration flow on its website so that it registered accordingly
neither met with a consent request nor informational text about consent. Instead
the data subject is asked to accept the subscription terms (ie the terms of purchase)
and confirm that he has read the company's data protection policy. The website has not been
the page through which most of the company's customers signed their subscriptions.
The use of the web shop has therefore been limited, which is why only 1372 customers
signed their subscriptions via this website during the current time period. Further where
it was a mistake that the website was not updated in connection with the company's review
its routines in connection with the entry into force of the data protection association. IMY assesses that
the shortcoming in question did not have serious consequences for the data subjects. Against this one
background, IMY assesses that it is a question of such a minor violation in that sense
which is referred to in reason 148 which results in Expressen Lifestyle AB being given a reprimand
according to article 58.2 b of the data protection regulation for the identified deficiency.
This decision has been taken by the unit manager Catharina Fernquist after a presentation by
lawyer Ulrika Bergström.
Catharina Fernquist, 2023-06-26 (This is an electronic signature)
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
