IMY (Sweden) - DI-2021-10488: Difference between revisions
From GDPRhub
No edit summary |
mNo edit summary |
||
| Line 65: | Line 65: | ||
}} | }} | ||
The Swedish Authority for Privacy Protection reprimanded a controller for violating [[Article 12 GDPR#3|Article 12(3) GDPR]] by not informing a data subject about a delay of their erasure request within a month of receiving | The Swedish Authority for Privacy Protection reprimanded a controller for violating [[Article 12 GDPR#3|Article 12(3) GDPR]] by not informing a data subject about a delay of their erasure request within a month of receiving it. | ||
== English Summary == | == English Summary == | ||
Revision as of 10:18, 12 October 2022
| IMY - DI-2021-10488 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 12(3) GDPR Article 17 GDPR Article 58(2)(b) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 18.03.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | Klarna Bank AB |
| National Case Number/Name: | DI-2021-10488 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
The Swedish Authority for Privacy Protection reprimanded a controller for violating Article 12(3) GDPR by not informing a data subject about a delay of their erasure request within a month of receiving it.
English Summary
Facts
The complainant requested erasure under Article 17 GDPR. It took two months before they received a reply from the controller. After two months, the data subject received a reply which stated that her request will be handled but that her request for erasure may take another 90 days to be completed. The complainant considered it unreasonable that it takes a total of five months for the controller to handle her request.
The controller stated that the initial delays were due to issues on its side in verifying the data subject's identity. The erasure was delayed due to lower staffing during the Christmas and New Year holidays. The controller holds that it has handled the complainants request without undue delay considering the Christmas and New Year holidays and the individual error concerning the confirmation.
Holding
The DPA pointed out that Article 12(3) GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to Article 17 GDPR. Moreover, the one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. In this case, the controller shall inform the data subject of the extension and indicate the reasons for the delay.
The investigation found that the controller did not inform the data subject until approximately two months after the request was received and the identity of the complainant was verified, that the erasure process was initiated and that it can take up to 90 days for the erasure to be completed nor did the controller state the reasons for the delay.
Consequently, the DPA held that controller did not dealt with the complainant’s request without undue delay within the meaning of Article 12(3) GDPR. In light of the this, the DPA concluded that the controller has processed the complainant’s personal data in violation of Article 12(3) GDPR. Since the violation occurred due to human error and only affected one person, the DPA limited its corrective measures to giving a reprimand pursuant to Article 58(2)(b) of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(4)
Notice: This document is an unofficial translation of the
Swedish Authority for Privacy Protection’s (IMY) decision
2022-03-18, no. DI-2021-10488. Only the Swedish version
of the decision is deemed authentic.
Ref no:
DI-2021-10488 Decision under the General Data
Date of decision: Protection Regulation – Klarna Bank
2022-03-18
Date of translation: AB
2022-03-18
Decision of the Swedish Authority for Privacy
Protection (IMY)
The Authority for Privacy Protection (IMY) finds that Klarna Bank AB has processed
personal data in breach of Article 12(3) of the General Data Protection Regulation
(GDPR) by not without undue delay complying with the complainant’s request for
erasure pursuant to Article 17 of 25 November 2020 only on 24 January 2020.
The Authority for Privacy Protection issues Klarna Bank AB a reprimand pursuant to
Article 58(2)(b) of the GDPR for the infringement of Article 12(3) of the GDPR.
Report on the supervisory report
The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna
Bank AB (Klarna or the company) due to a complaint. The complaint has been
submitted to IMY, as responsible supervisory authority pursuant to Article 56 of the
General Data Protection Regulation (GDPR) from the supervisory authority in the
Netherlands where the complainant has lodged their complaint in accordance with the
Regulation’s provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light
of a complaint relating to cross-border processing, IMY has used the mechanisms for
cooperation and consistency contained in Chapter VII GDPR. The supervisory
authorities concerned have been the data protection authorities in Germany, Denmark,
Austria, Italy, Poland, and Finland.
The complaint
Postal address: The complainant has mainly stated she requested erasure under Article 17 of the
Box 8114 GDPR, but that it took two months before she received a reply from Klarna. After two
104 20 Stockholm
Website: months, she has received a reply which states that her request will be handled and
www.imy.se that her request for erasure may take another 90 days to be completed. The
E-mail:
imy@imy.se
Phone: 1
Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the
08-657 61 00 protection of natural persons with regard to he processing of personal data and on he free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation).Integritetsskyddsmyndigheten Diarienummer: DI-2021-10488 2(4)
Datum: 2022-03-18
complainant considers it unreasonable that it takes a total of five months for Klarna to
handle her request.
What Klarna has stated
Klarna has mainly stated the following.
Klarna is the data controller for the processing to which the complaint relates.
The complainant’s request for erasure was received by Klarna on 18 November 2020,
after which Klarna verified the applicant’s identity on 25 November 2020 and on 26
November 2020 requested a confirmation of the initiation of the erasure process. On
27 November 2020 the complainant submitted a confirmation, but this has not been
brought to the attention of the case handler. Klarna sent a further request for
confirmation on December 202020. On 24 January 2021, Klarna informed the
complainant that the erasure process had been initiated and that the processing was
delayed due to lower staffing during the Christmas and New Year holidays. On the
same date, the process of erasure of the complainant’s personal data was completed.
Klarna holds that it has handled the complainants request without undue delay
considering the Christmas and New Year holidays and the individual error concerning
the confirmation. Pursuant to Article 12(3) of the GDPR, Klarna informed the
complainant of the maximum period allowed for carrying out a deletion. The reason for
this was that the number of incoming cases was sometimes very high and the
processing during these times could take more than a month. Klarna further states that
it has further developed the processes concerning data subjects’ rights in order to
ensure that the deadlines set are met and that the data subject is clearly informed. In
addition, the responsible case officer in the case in question, as well as the other case
officers, have received additional information on the importance of careful and
expeditious handling of these cases.
Justification of the decision
Applicable provisions, etc.
Article 12(3) of the GDPR requires the controller to provide the data subject, upon
request, without undue delay and in any event no later than one month after receiving
the request, with information on the actions taken pursuant to, inter alia, Article 17. The
one-month time limit may be extended by a further two months where the request is
particularly complex or the number of requests received is high. If the time limit of one
month is extended, the controller shall inform the data subject of the extension.
Notification of the extension of the deadline shall take place within one month of
receipt of the request. The controller shall also indicate the reasons for the delay.
European Data Protection Board (EDPB) Guidelines 01/2022 on access state that the
time limit starts when the controller has received a request. However, when the
controller needs to communicate with the data subject due to the uncertainty as to the
identity of the person making the request, there may be a suspension in time until the
controller has obtained the information needed from the data subject, provided the
controller has asked for additional information without undue delay. 2
2EDPB Guidelines 01/2022 on data subject rights - Right of access, Version 1.0, adopted for public consulta ion on
18 January 2022Integritetsskyddsmyndigheten Diarienummer: DI-2021-10488 3(4)
Datum: 2022-03-18
Article 17(1)(a) provides that the data subject shall have the right to have his or her
personal data erased without undue delay from the controller and the controller shall
be obliged to erase personal data without undue delay if they are no longer necessary
for the purposes for which they were collected or otherwise processed. Article 17(3)
lists exhaustively the exceptions to this right.
Assessment of the Authority for Privacy Protection (IMY)
The investigation shows that the complainant’s request for erasure was received by
Klarna on 18 November 2020. Since Klarna had to communicate with the complainant
in order to secure their identity and requested additional information without undue
delay, IMY considers that the time limit to start again once the identity of the
complainant has been verified on 25 November 2020. According to Klarna, the request
has been fully met on 24 January 2021, which IMY does not find any reason to call into
question.
Klarna did not inform the complainant until 24 January 2021, i.e. approximately two
months after the request was received and the identity of the complainant was verified,
that the erasure process was initiated and that it can take up to 90 days for the erasure
to be completed as well as stated the reasons for the delay. IMY therefore concludes
that Klarna has not dealt with the complainant’s request without undue delay within the
meaning of Article 12(3) of the GDPR.
In light of the above, IMY concludes that Klarna has processed the complainant’s
personal data in violation of Article 12(3) of the GDPR.
Choice of corrective measure
It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the
power to impose administrative fines in accordance with Article 83. Depending on the
circumstances of the case, administrative fines shall be imposed in addition to or in
place of the other measures referred to in Article 58(2), such as injunctions and
prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into
account when deciding on administrative fines and in determining the amount of the
fine.
In the case of a minor infringement, as stated in recital 148, IMY may, instead of
imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider is
the aggravating and mitigating circumstances of the case, such as the nature, gravity
and duration of the infringement and past relevant infringements.
IMY notes the following relevant facts. The handling of the complainant’s request has
been delayed mainly due to an individual procedural error. The violation is due to
human error and has affected only one person. Against this background IMY considers
that it is a minor infringement within the meaning of recital 148 and that Klarna Bank
AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR.
This decision has been made by the specially appointed decision-maker
after presentation by legal advisor .Integritetsskyddsmyndigheten Diarienummer: DI-2021-10488 4(4)
Datum: 2022-03-18
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy
Protection. Indicate in the letter which decision you appeal and the change you
request. The appeal must have been received by the Authority for Privacy Protection
no later than three weeks from the day you received the decision. If the appeal has
been received at the right time, the Authority for Privacy Protection will forward it to the
Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
any privacy-sensitive personal data or information that may be covered by
confidentiality. The authority’s contact information is shown in the first page of the
decision.
