From GDPRhub
Latest revision as of 13:54, 1 February 2023

IMY - DI-2020-10696
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(3) GDPR
Article 12(6) GDPR
Article 15 GDPR
Article 17 GDPR
Article 58(2)(c) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.06.2022
Published: 23.01.2023
Fine: n/a
Parties: Nordax Bank AB
National Case Number/Name: DI-2020-10696
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 GDPR procedure, the Swedish DPA reprimanded Nordax Bank for violations of Articles 12(3), 12(6), 15 and 17 GDPR. The bank had not complied with several requests of the data subject. The DPA also ordered the bank to comply with these requests.

English Summary

Facts

Nordax (controller) is a Swedish bank. The bank entrusted a processor, Iper Direct AB (Iper), with managing its customers' address register. According to Nordax, this processor was the controller in all matters regarding this register and was also responsible for answering data subjects' requests related to any processing of this register's personal data. Iper's task was to provide another of Nordax's processors with a selection of e-mail addresses, which this second processor used for direct marketing purposes on behalf of Nordax. The selection of addresses from Iper's address register was also carried out on behalf of Nordax and was based on selection criteria determined by Nordax.

The decision does not explicitly state whether the data subject was a (former) customer of the controller. Nor does it explicitly state that the data subject received direct marketing e-mails from the controller. The latter is however most likely, given the data subject's objection to direct marketing, which the controller eventually granted (discussed further below).

Round 1 (Access 1 and Erasure 1)

On 5 December 2018, the data subject filed an access request and an erasure request at Nordax, which were answered by the controller on 6 December 2018.

The access request asked for all data relating to him and the way Nordax used it. The controller replied to the access request that it did not process and/or store the personal data of the data subject and was therefore unable to comply with the request. Instead, the controller informed the data subject that his personal data was processed by its appointed processor, Iper, which was responsible for the address register of the bank and for managing data subject rights related to any processing regarding this register. Furthermore, Nordax did not at first classify the request of the data subject as an access request, but as an objection to processing. Based on information in the data subject's e-mail, Nordax determined that the data subject's primary wish was to be blocked from the controller's direct marketing e-mails. In its reply, the controller only provided information on how the data subject could block himself from the direct marketing of the controller. In order to block the data subject from direct marketing, Nordax requested the data subject's name and address.

On the same day, 5 December 2018, the data subject also submitted an erasure request. The scope of the erasure request was not specified in this decision. In its reply to the erasure request, and along the lines of the answer to the access request, the controller stated that it did not store the data subject's personal data. It was therefore also not able to erase it, since it was stored in Iper's register.

Round 2 (Access 2, Erasure 2 and Objection 1)

Around two months later, on 11 February 2019, the data subject submitted new requests for erasure and access. This time, the data subject also specifically objected to the controller's direct marketing operations for the first time. The controller answered all of these requests on 12 February 2019.

In its reply to the access request, Nordax referred to its earlier reply of 6 December 2018 to the data subject's first access request. The same was true for the controller's response to the erasure request.

In its reply to the data subject's objection, the controller stated that the request for objection had now been granted and that the controller had taken measures to block the data subject from direct marketing. Besides the fact that Nordax did not specify what specific measures it had taken, this also turned out to be incorrect information. Nordax had not yet taken any measures to block the data subject from direct marketing. According to Nordax, this incorrect information was provided because of human error.

Round 3 (Objection 2)

Another four months later, on 9 July 2019, Nordax received another objection against the controller's marketing operation from the data subject.

In its reply to the second objection, the controller reiterated again how the data subject could block himself from the direct marketing operation of the controller, just like it did when answering the first access request (which it had mistaken for an objection). The controller also repeated its request for additional information from the data subject in order to block the data subject from its direct marketing. Strangely enough, the controller then blocked the data subject from its direct marketing without the requested information. The controller also did not inform the data subject that it had finally complied with his objection to processing.

Data subject files complaint

Even after three rounds of requests, Nordax had failed to comply with the data subject's requests for access and erasure, and did not inform the data subject that his objection to processing had been granted.

The data subject filed a complaint with the Norwegian DPA (date not disclosed), which transferred the complaint to the Swedish DPA, the supervisory authority in this decision. The concerned authorities were the DPAs of Norway, Denmark, Finland and Germany. In this complaint, the data subject stated that the controller did not respect his rights by not responding to his requests.

During the investigation of the DPA, Nordax already acknowledged that it was the controller in this case and that it should have complied with the data subject's request for access, by requesting the help of its processor, according to Article 28 GDPR.

Holding

First, the DPA confirmed that Nordax Bank was the controller because it decided both the purposes and the means of the processing. The processing in question was the selection of addresses from Iper's address register for direct marketing purposes. This selection was carried out on behalf of Nordax and was based on selection criteria determined by Nordax. Because Nordax Bank was the controller, it was also responsible for handling the data subject's requests. The fact that Nordax claimed that Iper was responsible for the address register did not change this. The fact that Nordax only received de-identified data from Iper was also irrelevant to its responsibility for the processing.

Second, the DPA held that the controller violated Article 15 GDPR by failing to handle the data subject's request for access. It should have given the personal data and information to the data subject with the assistance of its processor Iper. It also should have recognised the data subject's initial request as an access request.

Third, the DPA determined that the controller violated Article 17 GDPR by not handling the data subject's request for erasure. None of the exceptions in Article 17(3) GDPR were applicable. Nordax therefore violated Article 17(1) GDPR.

Fourth, the DPA determined that the controller violated Article 12(3) GDPR because the controller had provided incorrect information. The controller had incorrectly informed the data subject on 12 February 2019 that he was blocked from the controller's direct marketing operation, while this was not the case at the time.

Fifth, the DPA determined that the controller violated Article 12(6) GDPR by requesting additional information from the data subject before complying with the data subject's second objection request of 9 July 2019. Nordax already had access to all the information necessary to comply with the objection of the data subject.

Lastly, the DPA concluded that the controller violated Article 12(3) GDPR once more by not informing the data subject that, in accordance with his second objection request of 9 July 2019, he would no longer be subject to the controller's direct marketing operation.

The DPA held that this was a minor infringement and reprimanded the controller pursuant to Article 58(2)(b) GDPR. The DPA further ordered the controller to comply with the access request pursuant to Article 58(2)(c) GDPR and to deal with the erasure request pursuant to Article 58(2)(d) GDPR. The DPA also ordered the controller, pursuant to Article 58(2)(d) GDPR, to provide the data subject with information on the measures taken to comply with the data subject's objection to the processing, in accordance with Article 12(3) GDPR.

Comment

Regarding the violation of Article 15 GDPR, the DPA states that the controller should have complied with the data subject's request for access. It is not clear to which of the two access requests the DPA is referring. It could be that this is the second request of 11 February 2019, since the controller had mistaken the first request to be an objection to processing. This is however speculative.

In contrast, regarding the violation of Article 17 GDPR, the DPA states that the controller should have complied with the data subject's requests for erasure. So in this case, the DPA does determine a violation for both requests of the data subject.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection's (IMY) decision 2022-06-27, no. DI-2020-10696. Only the Swedish version of the decision is deemed authentic.

Ref no: 2020-10696, IMI case no. 134903
Date of decision: 2022-06-27
Date of translation: 2022-06-27

Decision under the General Data Protection Regulation – Nordax Bank AB

Decision of the Swedish Authority for Privacy Protection (IMY)

The Swedish Authority for Privacy Protection (IMY) finds that Nordax Bank AB has processed personal data in breach of:

- Article 15 of the General Data Protection Regulation (GDPR)[1] by failing to handle the complainant's requests for access made on 5 December 2018 and 11 February 2019.
- Article 17 by not handling, without undue delay, the complainant's requests for erasure made on 5 December 2018 and 11 February 2019.
- Article 12(3) by not providing, without undue delay, information to the complainant on the measures taken, namely that the complainant was blocked from direct marketing mailings, in response to the complainant's objection to direct marketing made on 9 July 2019.

The Swedish Authority for Privacy Protection finds that Nordax Bank AB has processed personal data in breach of:

- Article 12(6) by requesting the complainant to submit further information in order to comply with the request to object to direct marketing on 9 July 2019, even though the data provided in the request was sufficient to actually complete the request.

The Authority for Privacy Protection issues Nordax Bank AB a reprimand pursuant to Article 58(2)(b) of the GDPR for the infringement of Articles 12(3), 12(6), 15 and 17 of the GDPR.

[1] […] protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00.

In accordance with Article 58(2)(c) of the GDPR, IMY orders Nordax Bank AB to:

- Comply with the complainant's request to exercise his right of access under Article 15 of the GDPR, with the exception of information which is subject to any applicable derogation provided for in Article 15(4). This is done by providing the complainant access to all personal data that Nordax processes regarding the complainant, by providing the complainant with a copy of the personal data referred to in Article 15(3) and providing information pursuant to points (a) to (h) of Article 15(1) and Article 15(2). The measures shall be implemented no later than two weeks after this decision has become final.

In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to:

- Handle the complainant's request for erasure of all of his personal data according to Article 17 by assessing whether there is personal data that the company is obliged to erase in accordance with Article 17 and, if so, to do so, and to inform the complainant in accordance with Article 12(3) or (4). The measures must be implemented no later than two weeks after this decision has become final.

In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to:

- In accordance with Article 12(3), provide the complainant with information on the measures which have been taken in response to the complainant's request to exercise his right of objection to processing for direct marketing purposes. The measures shall be implemented no later than two weeks after this decision has become final.

Report on the supervisory matter

The Authority for Privacy Protection (IMY) has initiated supervision regarding Nordax Bank AB (Nordax or the company) due to a complaint. The complaint has been submitted to IMY, as the supervisory authority responsible for the company's operations pursuant to Article 56 of the General Data Protection Regulation (GDPR). The handover has been made from the supervisory authority of the country where the complainant lodged their complaint (Norway) in accordance with the Regulation's provisions on cooperation in cross-border processing.

The investigation in the case has been carried out through correspondence. In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities in Norway, Denmark, Finland and Germany.

The complaint

The complaint states the following. The complaint alleges that the company has not dealt with the complainant's requests to exercise the complainant's rights under the GDPR in relation to the right of access pursuant to Article 15, the right of erasure pursuant to Article 17 and objection to personal data being processed for direct marketing purposes as referred to in Article 21(2). E-mail correspondence with the company is attached to the complaint.

What Nordax has stated

Nordax has mainly stated the following.

Nordax is the data controller for the processing to which the complaint relates. The processing is carried out by Nordax's personal data processor Iper Direkt AB (Iper) on behalf of Nordax and for direct marketing purposes, which is regulated in agreements between Nordax and Iper. Nordax determines the purposes and means of the processing. The relationship can be compared to the example set out in the EDPB Guidelines 07/2020 on the terms "controller" and "processor" in the GDPR ("Example: market research").[2]

[2] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, page 19.

Iper is responsible for, and the controller of, the address register and is responsible for managing the rights of data subjects whose personal data are available in this address register. Based on these, Iper makes, on behalf of Nordax, a selection from its address register and provides the addresses to another data processor that Nordax uses to carry out the marketing mailings. Nordax does not process or store any personal data since the data provided by Iper to Nordax is de-identified.

Right of access

Nordax Bank AB originally received a request for access from the complainant on 5 December 2018. The request concerned "information on all data relating to me as you have stored and what the data is used for". The complainant's request was answered by email on 6 December 2018 with the information that the complainant's personal data are not processed by Nordax, which is why a request for access (or erasure) could not be handled. Nordax states that, as a data controller, the company should however have interpreted this as a request under Article 15 of the GDPR and provided the complainant with access to personal data with the help of the personal data processor Iper in accordance with the provisions of Article 28 of the GDPR. Nordax took the view that the complainant's main request was not a request for access to personal data pursuant to Article 15. In the light of the information in the complainant's email and the fact that the complainant did not contact Nordax after a block on direct marketing was established in respect of the complainant on 9 July 2019, Nordax considered that the complainant's primary wish was to be blocked against addressed direct marketing from the company. Nordax believes that the complainant considers that the request for objection has been dealt with, but can definitely comply with the complainant's request for access if the complainant still wishes to exercise his right of access to the personal data.

Right to erasure

The complainant's request for erasure was received on 5 December 2018 and Nordax replied to it on 6 December 2018. It was clear from the reply that the company did not consider that it stored the complainant's personal data, which is why any erasure of data at Nordax could not be done. It is the address provider Iper, Nordax's data processor, who is reported to have stored the complainant's personal data at the time of the complainant's request. Iper is controller of the address register from which Nordax receives addresses for direct marketing mailings. Nordax does not have the ability to erase personal data in Iper's register. It is against this background that Nordax has not complied with the complainant's request for erasure.

Furthermore, Nordax states that the company is currently processing personal data regarding the complainant in order to maintain a block on addressed direct marketing, which is necessary to comply with a legal obligation. Nordax has by e-mail on 6 December 2018 and 16 July 2019 provided general information to the complainant that Nordax may process the complainant's personal data in order to maintain a block on addressed direct marketing. Personal data of the complainant is also being processed to deal with the ongoing supervisory case, which will be discontinued when the enforcement case is closed. The company has not interpreted the complainant's
request for erasure in such a way that it would have included these ongoing processes of personal data.

Right of objection

The complainant submitted a request for access and deletion on 5 December 2018, to which Nordax replied on 6 December 2018. In the light of the information in the complainant's request, Nordax presumed that the complainant had received addressed direct marketing mailings of Nordax products. Therefore, Nordax provided information on how the complainant should proceed with a block against further direct marketing mailings of Nordax products. In order to block an individual against addressed direct marketing, Nordax needs information about the individual's first name, surname and full address, which the company informed the complainant about. Nordax never received additional information from the complainant and could therefore not block the complainant from the addressed direct marketing mailings. On 11 February 2019, the complainant submitted a further request for access and erasure and an objection to receiving direct marketing mailings. Nordax responded to the complainant's request on 12 February 2019 by referring to an earlier reply to the request for access and erasure and stated that Nordax had granted the complainant's request to object to receiving further direct marketing. However, the complainant was wrongly informed on that occasion that Nordax had taken measures to prevent the complainant from receiving further direct marketing mailings. Nordax believes that the handling of the case in question failed due to the human factor, and the company is reviewing its procedures for individuals who wish to object to direct marketing mailings because of this, to ensure that incorrect information is not sent again.

The complainant lodged a further complaint on 9 July 2019, to which Nordax once again replied with information on how the complainant should proceed in order to block himself against addressed direct marketing mailings. At the time of receipt of this objection, the complainant was also finally blocked against further addressed direct marketing mailings of Nordax products. However, Nordax has not informed the complainant that he was blocked from such further direct marketing mailings of Nordax products. Nor did the complainant contact Nordax after 9 July 2019.

                               Justification of the decision

                               Applicable provisions, etc.

                               Data controller

                               The controller, as defined in Article 4(7) of the GDPR, means the natural or legal
                               person which alone or jointly with others determines the purposes and means of
                               the processing of personal data.

                               In the European Data Protection Board (EDPB) Guidelines 07/2020 on the concepts
                               data controller and processor in the General Data Protection Regulation
                               the following is mentioned concerning the respective roles of processors and

                               controllers in the exercise of data subjects’ rights:
“It is crucial to bear in mind that, although the practical management of individual requests can be outsourced to the processor, the controller bears the responsibility for complying with such requests. Therefore, the assessment as to whether requests by data subjects are admissible and/or the requirements set by the GDPR are met should be performed by the controller, either on a case-by-case basis or through clear instructions provided to the processor in the contract before the start of the processing. Also, the deadlines set out by Chapter III cannot be extended by the controller based on the fact that the necessary information must be provided by the processor.” [3]

Privacy Protection Authority    Our ref: 2020-10696    5(11)    Date: 2022-06-27


It also states the following in an example, to which Nordax refers concerning the relationship between Nordax and Iper:

“Example: Market research 1. Company ABC wishes to understand which types of consumers are most likely to be interested in its products and contracts a service provider, XYZ, to obtain the relevant information. Company ABC instructs XYZ on what type of information it is interested in and provides a list of questions to be asked to those participating in the market research. Company ABC receives only statistical information (e.g., identifying consumer trends per region) from XYZ and does not have access to the personal data itself. Nevertheless, Company ABC decided that the processing should take place, the processing is carried out for its purpose and its activity and it has provided XYZ with detailed instructions on what information to collect. Company ABC is therefore still to be considered a controller with respect of the processing of personal data that takes place in order to deliver the information it has requested. XYZ may only process the data for the purpose given by Company ABC and according to its detailed instructions and is therefore to be regarded as processor.” [4]


In the literature, Öman points out the following:

“The legal person which engages any other legal person to process personal data, e.g. for storing and disseminating or for collecting and processing the personal data, is normally considered to be the data controller and the hired company as a personal data processor. This applies even if it is the hired company, and not the company who hires, who has the knowledge of how to best process the personal data, such as how to store, collect, disseminate and process them, and the resources to do it. In fact, the company who hires has decided the means of processing of the personal data by employing a company that can use certain methods. This may involve outsourcing IT operations or hiring a company to collect personal data within the framework of a market research.”


Rights of the data subject

According to Article 12(3) of the GDPR, the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.


Pursuant to Article 12(6), where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.


[3] EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2.0, paragraph 132.

[4] EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2.0, page 19.

Under Article 15(1), the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data from the controller.


Pursuant to Article 17(1), the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay under certain conditions set out in that article.

Under Article 21(2) and (3), the data subject shall have the right to object at any time to processing of personal data concerning him or her for direct marketing purposes. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.


Assessment of the Authority for Privacy Protection (IMY)

On the basis of the complaint in this case, IMY examined the company’s conduct in the individual case. Therefore, IMY will not consider whether the company’s current procedure for processing requests is compatible with the GDPR, but may take into account possible improvements when considering the choice of corrective measures.


Is Nordax the data controller for the processing in question and has the company been obliged to deal with the complainant’s requests to exercise his rights?

The question in this case is whether Nordax has had an obligation to comply with the complainant’s requests for access, erasure and objection under the GDPR and, in that case, whether the company handled the complainant’s requests correctly. In order to investigate this, IMY first needs to consider whether Nordax is the controller of personal data for the processing of personal data in this case.


Nordax has stated that the company is the data controller for the processing. The processing consists of the fact that the company Iper, on behalf of Nordax and based on selection criteria that Nordax determines, makes a selection from Iper’s address register and provides addresses for the sending of direct marketing to a third company that Nordax hires to make the mailings. Nordax argues that the company itself does not deal with any data, as the data provided by Iper to Nordax are de-identified.

The investigation shows that Nordax initially failed to comply with the complainant’s first requests for access and erasure pursuant to Articles 15 and 17 on the grounds that the company does not process or store the complainant’s personal data and that instead the complainant should refer directly to Iper. IMY notes, however, that it is not required to have access to or store personal data in order to be considered the data controller for a particular processing operation. What matters is who decides the purposes and means of the processing.


Since the processing consisting of the selection from Iper’s address register for direct marketing is carried out on behalf of Nordax and based on the selection criteria that Nordax has decided, IMY believes that Nordax determines the purpose and means of the processing and is therefore the controller for the processing. This means that Nordax is responsible for handling the complainant’s requests, either by handling the requests itself or by giving clear instructions to, for example, a data processor, in order for the data processor to be able to do so. Nordax’s argument that it is not responsible for Iper’s address register does not alter that.


What Nordax has stated, that Nordax receives only de-identified data from Iper, is irrelevant for the company’s responsibility to deal with the complainant’s requests. Nordax is responsible for the processing of personal data carried out by Iper, namely the selection of the advertising received by the complainant to which the complaint relates.

There is therefore no need to consider whether the data received by Nordax are de-identified in such a way that they are not personal data. IMY points out that even information that can directly or indirectly identify a natural person is personal data, including information that has been encoded, encrypted or pseudonymised but which can be linked to a natural person with the help of additional information.

Since IMY has found that Nordax is the data controller for the processing that the complaint concerns and is therefore responsible for ensuring that the complainant’s requests to exercise his rights under the GDPR are dealt with, IMY goes on to investigate whether Nordax handled the requests correctly under the Regulation.


Has Nordax handled the complainant’s requests to exercise his rights in compliance with the GDPR?

Request for access

It is apparent from the investigation that the complainant submitted his first request for access to the company on 5 December 2018. The request was worded in such a way that the complainant would like to receive access to all data stored by the company on the complainant and information about what the data was used for. Nordax did not take any action other than to inform the complainant that the complainant’s personal data were not being processed by the company and that the request could therefore not be met. At the same time, Nordax informed of its process for selection and dispatch of addressed direct marketing and which address provider Nordax uses for selection of addresses. The complainant subsequently submitted his second request for access on 11 February 2019, to which Nordax replied on 12 February by referring to its previous reply to the complainant.

During the investigation, Nordax stated that it should have interpreted the complainant’s requests as a request to exercise his right of access under Article 15 of the GDPR and provided the complainant with the data and information to which the complainant was entitled, with the assistance of Iper. IMY shares this assessment. IMY notes in that regard that it is true that, in his request, the complainant referred to stored data, but that nevertheless it should have been clear to Nordax that the complainant intended to exercise his full right of access and that it is Nordax’s responsibility, as data controller for the processing, to ensure that the request was handled.


Furthermore, IMY notes that Nordax has still not complied with the request even though the company now admits that the company is obliged to do so. Nordax has stated that it can comply with the complainant’s request for access if the complainant so wishes. IMY notes, however, that there has been no evidence to suggest that the request would no longer be relevant, such as the fact that the complainant would have withdrawn it. By failing to comply with the applicant’s request for access, Nordax has processed personal data in violation of Article 15 of the GDPR.

[5] EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2.0, paragraph 132.


Request for deletion

It is apparent from the investigation that, on 5 December 2018, the complainant also submitted his first request for deletion. Nordax did not take any action other than to inform the complainant that the complainant’s personal data were not processed by the company and that the request could therefore not be met. At the same time, Nordax informed of its process for selection and dispatch of addressed direct marketing and which address provider Nordax uses for selection of addresses. The complainant subsequently submitted his second request for deletion on 11 February 2019, to which Nordax replied on 12 February by referring to its previous reply to the complainant.

Article 17(3) of the GDPR provides an exhaustive list of the grounds on which a request for erasure may be rejected. That the controller does not store the data being processed is not such a ground. As IMY has stated above, the company is obliged to deal with the complainant’s requests, which the company has not done. Nordax thus processes personal data in violation of Article 17 of the GDPR by not handling the complainant’s requests for erasure without undue delay.


Request for objection

The investigation shows that Nordax perceived that, on 5 December 2018, the complainant also submitted an objection to the processing of personal data for direct marketing purposes pursuant to Article 21(2) GDPR. Nordax informed the complainant how the complainant could proceed to object to further direct marketing and requested additional information from the complainant in order to be able to fulfil that right. However, the complainant did not return with additional information.


IMY considers that, as the request was worded, the complainant had not invoked his right to object to direct marketing. IMY therefore notes that Nordax did not have any obligation to deal with it as such a request, but welcomes the fact that Nordax nevertheless provided information on how the complainant could proceed to block further direct marketing.


However, the complainant lodged his first actual request of objection to further direct marketing on 11 February 2019. Nordax provided information that the complainant had been blocked against further direct marketing, but the information at this point was incorrect. Because Nordax gave incorrect information to the complainant on 12 February 2019 on the measures taken on the basis of the complainant’s request for objection, namely that the complainant’s information was blocked for further direct marketing mailings, Nordax has acted in violation of Article 12(3).


The complainant lodged his second objection on 9 July 2019. Nordax replied to the complainant on 16 July 2019 referring to previous replies on how the complainant could try to block himself from further marketing. The company did, however, block the complainant against further addressed direct marketing on 9 July 2019, but did not inform the complainant of this measure.


Against this background, IMY takes the view that Nordax has satisfied the complainant’s second request of objection pursuant to Article 21(2) of the GDPR.

In Nordax’s reply to the second request, the company asked the complainant to submit additional information in order to comply with the request, even though the existing information in the request, according to Nordax, was sufficient to actually satisfy the request directly. For this reason, Nordax has requested additional information that was not necessary to confirm the identity of the data subject, in violation of Article 12(6).


Furthermore, Nordax did not inform the complainant that, in accordance with his second request for objection, the complainant was blocked against further addressed direct marketing. By doing so, Nordax has failed to fulfil its obligation under Article 12(3) to provide the data subject with information on the measures taken under Article 21 and thus processed personal data in breach of Article 12(3) of the GDPR.


Choice of corrective measure

It follows from Article 58(2)(i) and Article 83(2) of the GDPR that IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into account when deciding on administrative fines and in determining the amount of the fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider are the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and past relevant infringements.

IMY notes the following relevant facts. Nordax has stated that it has taken action by reviewing its procedures to ensure that incorrect information is not sent again and by reviewing how the company handles data subjects’ rights regarding processing carried out on the company’s behalf by the company’s processor. According to IMY, the infringements found occurred relatively far back in time, partly due to the human factor, and have affected one person. In addition, the company has not previously acted in breach of the GDPR.


Against this background, IMY considers that it is a minor infringement within the meaning of recital 148 and that Nordax Bank AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR.


Since the company has not handled the complainant’s request for access even though the company is obliged to do so, IMY considers that there is reason, in accordance with Article 58(2)(c), to order the company to comply with the complainant’s request to exercise his right of access under Article 15, with the exception of information which is subject to any applicable derogation provided for in Article 15(4). This is done by providing the complainant access to all personal data that Nordax processes regarding the complainant, by arranging a copy to the complainant of the personal data referred to in Article 15(3) and providing information pursuant to points (a) to (h) of Article 15(1) and Article 15(2). The measures shall be implemented no later than two weeks after this decision has become final.


The company has also failed to deal with the complainant’s request for erasure even though the company is obliged to do so. IMY therefore considers that it is appropriate, on the basis of Article 58(2)(d), to order the company to deal with the complainant’s request for erasure of all personal data referred to in Article 17 by considering whether there is personal data which the company is obliged to erase in accordance with Article 17 and, if so, erase the information and inform the complainant in accordance with Article 12(3) or (4). The measures shall be completed no later than two weeks after the date on which this decision has become final.


Furthermore, Nordax did not inform the complainant about the measure which had been taken, namely that the complainant had been blocked for further addressed direct marketing, in response to the complainant’s second request to exercise the right of objection to processing for direct marketing purposes. IMY considers that it is appropriate, pursuant to Article 58(2)(d), to order the company, in accordance with Article 12(3), to provide the complainant with information on the measures which have been taken in response to the complainant’s request to exercise his right of objection to processing for direct marketing purposes. The measures shall be implemented no later than two weeks after this decision has become final.



_________________________________________________________

This decision has been approved by the specially appointed decision-maker after presentation by legal advisor.

How to appeal


If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received in time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review.

You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown on the first page of the decision.