IMY (Sweden) - DI-2020-10518: Difference between revisions
From GDPRhub
No edit summary |
m (Msm moved page Datainspektionen - DI-2020-10518 to IMY - DI-2020-10518) |
Revision as of 11:28, 14 April 2021
| IMY - DI-2020-10518 | |
|---|---|
 | |
| Authority: | Integritetsskyddsmyndigheten (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 12(3) GDPR Article 15 GDPR Article 56 GDPR Article 58(2)(b) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 31.03.2021 |
| Published: | |
| Fine: | None |
| Parties: | Klarna Bank AB |
| National Case Number/Name: | DI-2020-10518 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish English |
| Original Source: | Original decision (in SV) Inofficial English version of decision (in EN) |
| Initial Contributor: | Kave Noori |
The Swedish DPA reprimanded a Swedish bank for not responding to an access request for 5 months following complaints filed with DPAs in Germany in Austria.
Facts
The DPA opened an investigation into Klarna Bank following complaints filed with DPAs in Germany and Austria. The IMY assumed the role of lead supervisory authority under Article 56, as Klarna is based in Sweden. These cross-border cases were handled through the consistency and cooperation procedure under Chapter VII of the GDPR.
Complaint 1 from Austria concerned the fact that Klarna took more than 5 months to process a request for access to personal data under Article 15. The complainant's access request was sent to a different email than the one Klarna intended for data protection matters. Therefore, the request was not processed according to Klarna's internal procedures.
Complaint 2 from Germany concerned a data subject access request under Article 15, initially initiated by chat and resubmitted by email two days later. Klarna complied with the request within 14 days and shortly thereafter sent more detailed information about its automated decision making for purchases. A month later, the complainant contacted Klarna again. Another month passed until Klarna asked the complainant to provide a new address but received no reply.
Dispute
Did Klarna violate Article 15 of the GDPR?
Holding
Complaint 1 (Austria)
The DPA considered that Klarna failed to process the request within the timeframe required by Article 12(3) and without the required notice of delay. The DPA did not consider that the fact that Klarna receives a high volume of requests related to the GDPR or Klarna's quick responses to the complainant's follow-up questions should influence this decision.
Complaint 2
The DPA considered that Klarna did what could be expected of a company in dealing with the Complaint 2. In the DPA's view, Klarna provided the requested information within 14 days, although it did not reach the recipient. When the complainant informed Klarna that he/she had not received the mailing, Klarna asked for a new address. Klarna never received an alternative address. The DPA concluded that Klarna was not obliged to take further action and therefore did not breach the law.
Corrective action
The DPA considered Klarna's handling of complaint 1 to be a minor infringement and issued a reprimand on the basis of Article 58(2)(b).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (5)
Klarna Bank AB
Sveavägen 46
113 35 Stockholm
dataprotectionofficer@klarna.com
Record number:
DI-2020-10518 Decision after supervision according to
Data Protection Regulation - Klarna
Date:
2021-03-31 Bank AB
The decision of the Integrity Protection Authority
The Privacy Protection Authority states that Klarna Bank AB has processed
personal data in breach of Article 12 (3) of the Data Protection Regulation by
regarding complaint 1: not without undue delay, at the request of the 5
January 2019, give the complainant access to his personal data in accordance with
Article 15.
The Privacy Protection Authority gives Klarna Bank a reprimand in accordance with Article 58 (2) (b) i
the Data Protection Regulation.
Report on the supervisory matter
The Privacy Protection Authority (IMY) has initiated supervision regarding Klarna Bank AB
(the company) due to two complaints. Respective complaints have been submitted to
IMY, as the supervisory authority responsible for the company's operations under Article 56
in the Data Protection Regulation, from the supervisory authority of the country where the complainant has left
lodged their complaint (Austria and Germany) in accordance with the provisions of the Regulation
on cooperation in cross-border matters.
The complainants have indicated that they have requested access to their personal data under Article 15 of the
the Data Protection Regulation. In response to the complaints, IMY has initiated supervision with a view to:
investigate whether the complainants' requests for access under Article 15 have been complied with
and if done within the time limit specified in Article 12 (3).
Klarna Bank AB states that they are responsible for personal data for it
personal data processing to which the complaints relate. The company also states that they handle
Postal address: a large number of requests in accordance with the Data Protection Regulation.
Box 8114
104 20 Stockholm Complaint 1 (Appendix 1 from Austria with national reference number: D130.247)
Website:
www.imy.se
E-mail:
imy@imy.se REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on
08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation).
Page 1 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 2 (5)
Date: 2021-03-31
With regard to the first complaint, the company states that the complainant's request for access
was received by the company via e-mail on 5, 10 and 29 January 2019. Since the request was received by
an e-mail address other than the one the company refers to for data protection issues
The request was not processed in accordance with the company's internal processing routines. The
caused a longer processing time and that information as well as a copy of
the complainant's personal data pursuant to Article 15 was not sent until 18 June 2019. The company
has promptly answered the complainant's follow-up questions about the company's personal data processing
which the complainant was satisfied with.
Complaint 2 (Annex 2 from Germany with national reference number: LDA-1085.1-
13373/19-F)
With regard to the second complaint, the company states that the complainant's request for access
joined the company's chat on October 28, 2019. The complainant repeated his request
via e-mail on October 30, 2019. The company contacted the complainant on November 6
2019 to request further information. These were provided the same day. The
On November 11, 2019, the company sent out information and a copy of the personal data
to the complainant under Article 15, ie within 14 days of receiving the company
request. On November 14, 2019, the company sent more detailed information about
the company's automatic decision-making when purchasing. The complainant contacted the company again on
December 13, 2019 due to the fact that he has not received the company's mailing. The company
requested a new address on January 7, 2020 and has not received a response.
The processing has taken place through correspondence. Given that there are two
cross-border complaints, the IMY has used the mechanisms of cooperation
and uniformity contained in Chapter VII of the Data Protection Regulation. Affected
regulators have been the data protection authorities of Austria, Germany, the Czech Republic,
Denmark and Norway.
Justification of decision
Applicable regulations
The person responsible for personal data is obliged to provide information to anyone who requests it
information on personal data concerning the applicant is processed or not. treated
such data, the controller shall, in accordance with Article 15 i
the Data Protection Regulation, provide the applicant with additional information and a
a copy of the personal data processed by the data controller.
According to Article 12 (3), a request for access shall be dealt with without undue delay and
in any case no later than one month after receipt of the request. The deadline for
one month may be extended by a further two months if the request is special
complicated or the number of requests received is high.
If the time limit is extended by one month, the person responsible for personal data shall notify it
registered about the extension. The extension of the time limit shall be notified
within one month of receipt of the request. The person responsible for personal data must also
state the reasons for the delay.
According to Article 12 (6), the controller may, if he has reasonable grounds for:
question the identity of the natural person submitting a request under Article 15;
request additional information necessary to confirm the data subject's
identity is provided.
Page 2 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 3 (5)
Date: 2021-03-31
IMY's assessment
Has there been a breach of the Data Protection Regulation?
Complaint 1 (Annex 1 from Austria with national reference number: D130.247)
With regard to the first complaint, the IMY notes that the complainant, in accordance with
Article 15 of the Data Protection Regulation, provided with information and a copy of the
personal data processed. However, the right of access was only satisfied after more than
five months from the submission of the first request. The request thus does not have
handled without undue delay and within the stipulated time limit in Article 12 (3) and
the complainant has also not been informed of the delay.
What the company has stated that they handle a large number of inquiry matters according to
the Data Protection Regulation and that prompt questions are answered promptly does not cause anyone
another assessment regarding the delay and that it was thus a question of one
infringement of Article 12 (3) concerning complaints 1.
Complaint 2 (Annex 2 from Germany with national reference number: LDA-1085.1-
13373/19-F)
With regard to the second complaint, the IMY notes that the complainant, in accordance with
Article 15, provided with information and a copy of the personal data provided
treated. The information was provided without undue delay. After the complainant
pointed out that he had not received the mailing, the company requested alternative contact information.
Against this background, IMY considers that the company has not been obliged to take any
further action in response to that request.
Choice of intervention
Article 58 (2) (i) and Article 83 (2) state that the IMY has the power to impose
administrative penalty fees in accordance with Article 83.
the circumstances of the individual case, administrative penalty fees shall be imposed
in addition to or in place of the other measures referred to in Article 58 (2), such as:
injunctions and prohibitions. Furthermore, Article 83 (2) sets out the factors to be taken into account
taken into account when deciding whether to impose administrative penalty fees and at
determining the amount of the fee. In the case of a minor infringement, IMY
as stated in recital 148 instead of imposing a penalty fee issue one
reprimand under Article 58 (2) (b). Account shall be taken of aggravating and mitigating circumstances
circumstances of the case, such as the nature, severity and duration of the infringement
as well as previous violations of relevance.
In an overall assessment of the circumstances, the IMY finds that, with regard to complaints
1, is a minor infringement within the meaning of recital 148 and that
Klarna Bank AB must therefore be reprimanded in accordance with Article 58 (2) (b) for the person found
the infringement.
_________________
This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by
jurist Murat Vrana.
Catharina Fernquist, 2021-03-31 (This is an electronic signature)
Page 3 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 4 (5)
Date: 2021-03-31
Copy to
The Data Protection Officer, filip.johnssen@klarna.com
Page 4 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 5 (5)
Date: 2021-03-31
How to appeal
If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received
part of the decision. If the appeal has been received in time, send
The Integrity Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or data that may be covered by
secrecy. The authority's contact information appears on the first page of the decision.
Page 5 of 5
