KamR Stockholm - 2829-23: Difference between revisions
mNo edit summary |
m (→Holding) |
||
Line 109: | Line 109: | ||
Moreover, the Court found that the controller did not provide information on automated decision-making in such an easily accessible form as required by [[Article 12 GDPR#1|Article 12(1) GDPR]]. The Court considered that the fact that the information was spread over different sections, did not necessarily mean that the information is difficult to access by data subjects. However, the Court found that the references to different sections made the information not easily accessible as it was difficult to identify what the relevant information was in the referred sections. | Moreover, the Court found that the controller did not provide information on automated decision-making in such an easily accessible form as required by [[Article 12 GDPR#1|Article 12(1) GDPR]]. The Court considered that the fact that the information was spread over different sections, did not necessarily mean that the information is difficult to access by data subjects. However, the Court found that the references to different sections made the information not easily accessible as it was difficult to identify what the relevant information was in the referred sections. | ||
The Court also found that the information about the right to data portability was provided in such a way that it was difficult to understand that it is a separate right. The right to restriction was also expressed in the privacy policy as "oppose" and "stop processing". This was different terminology than the GDPR and created obscurity according to the Court. Due to these ambiguities, the Court found that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]]. | The Court also found that the information about the right to data portability was provided in such a way that it was difficult to understand that it is a separate right. The right to restriction was also expressed in the privacy policy as "oppose" and "stop processing". This was different terminology than the GDPR and created obscurity according to the Court. Due to these ambiguities, the Court found that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]]. | ||
Given this new legal assessment, the court of appeal evaluate the appropriateness of the fine. As a mitigating factor, the Court recognised that the breaches did not take place for a long time and the privacy policy had been continuously improved. However, the Court took into account that the information concerned a large number of data subjects and that the shortcomings related to information based on articles that are fundamental to the data subjects. Finally, taking into account the controller’s argument that the DPA’s case took unreasonably long and that the controller’s right to be informed without delay of the significance of and grounds for the accusations was violated, the Court did not see a reason to reduce the fine on the basis of [[Article 83 GDPR#2|Article 83(2) GDPR]] and [https://fra.europa.eu/en/law-reference/european-convention-human-rights-article-6 Article 6(1) and 6(3)(a) ECHR]. | |||
Thus, the Court held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, and upheld the DPA’s appeal. | Thus, the Court held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, and upheld the DPA’s appeal. |
Revision as of 14:40, 14 May 2024
KamR Stockholm - 2829-23 | |
---|---|
Court: | KamR Stockholm (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | [[Article 1 GDPR#2|]] [[Category:]] Article 5(1)(a) GDPR Article 5(2) GDPR Article 12(1) GDPR Article 13 GDPR Article 13(1)(e) GDPR Article 13(1)(c) GDPR Article 13(1)(f) GDPR Article 13(2)(a) GDPR Article 13(2)(b) GDPR Article 13(2)(f) GDPR Article 14(2)(g) GDPR [[Article 15 GDPR|]] [[Category:]] |
Decided: | 11.03.2024 |
Published: | 11.03.2024 |
Parties: | Klarna Bank AB IMY |
National Case Number/Name: | 2829-23 |
European Case Law Identifier: | |
Appeal from: | Administrative Court of Stockholm (Sweden) 7679-22 |
Appeal to: | Not appealed |
Original Language(s): | Swedish |
Original Source: | Kammarrätten i Stockholm (in Swedish) |
Initial Contributor: | inkg |
The Administrative Court of Appeal raised the administrative fine back to €730,000 (SEK 7,300,000) for Klarna Bank AB's insufficient and incomplete privacy policy.
English Summary
Facts
On 28 March 2022, the Swedish DPA ("IMY") fined Klarna AB ("the controller") €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. The DPA found that the controller violated the GDPR in several respects.
The controller appealed the DPA's decision to the Administrative Court of Stockholm ("FiS"). The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000) because the violations did not cause considerable harm and were not intentional and the controller had improved its information.
The DPA appealed this decision to the Administrative Court of Appeal of Stockholm ("KamR Stockholm"), requesting the fine to be raised back to €730,000 (SEK 7,300,000).
Holding
The Court reviewed the entire appealed decision to decide whether the controller should be fined on the grounds put forward by the DPA. The Court therefore reviewed whether the controller provided complete or sufficient information on different aspects in their privacy policy and if they fulfilled the requirements on how it should be provided under Article 12 GDPR, Article 13 GDPR and Article 14 GDPR.
The Court disagreed with the Administrative Court on whether the controller infringed Article 13(1)(f) GDPR by not indicating the specific countries to which personal data is transferred. The Court found that the GDPR does not require that the specific third countries must be named. Therefore, the Court held that the controller did not violate Article 13(1)(f) GDPR by not specifying the third countries in their privacy policy.
Moreover, the Court disagreed with the Administrative Court on whether the information provided by the controller on the rights of data subjects fulfilled the requirements of Article 13(2)(b) GDPR. This Article requires the controller to inform the data subject of the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning him or her, or to object to processing, and of the right to data portability. The Court held that the wording of the provision does not indicate anything other than that the data subject must be informed of the existence of the rights. The Court found that there is nothing to suggest that the controller, in addition to informing the data subject of the existence of the rights listed in Article 13(2)(b) GDPR, is obliged to describe the meaning of the rights in more detail. Therefore, unlike the Administrative Court, the Court found that the controller did not violate Article 13(2)(b) GDPR in that respect.
The Court agreed with the Administrative Court that the controller failed to provide information on safeguards for third country transfers (Article 13(1)(f) GDPR) and the use of a scoring model in their automated decision-making and how the data was processed in it (Article 14(2)(g) GDPR). Thus, the Court held that the controller violated Article 13(1)(f) GDPR and Article 14(2)(g) GDPR regarding these two elements of the privacy policy.
Moreover, the Court found that the controller did not provide information on automated decision-making in such an easily accessible form as required by Article 12(1) GDPR. The Court considered that the fact that the information was spread over different sections, did not necessarily mean that the information is difficult to access by data subjects. However, the Court found that the references to different sections made the information not easily accessible as it was difficult to identify what the relevant information was in the referred sections.
The Court also found that the information about the right to data portability was provided in such a way that it was difficult to understand that it is a separate right. The right to restriction was also expressed in the privacy policy as "oppose" and "stop processing". This was different terminology than the GDPR and created obscurity according to the Court. Due to these ambiguities, the Court found that the controller violated Article 12(1) GDPR.
Given this new legal assessment, the court of appeal evaluate the appropriateness of the fine. As a mitigating factor, the Court recognised that the breaches did not take place for a long time and the privacy policy had been continuously improved. However, the Court took into account that the information concerned a large number of data subjects and that the shortcomings related to information based on articles that are fundamental to the data subjects. Finally, taking into account the controller’s argument that the DPA’s case took unreasonably long and that the controller’s right to be informed without delay of the significance of and grounds for the accusations was violated, the Court did not see a reason to reduce the fine on the basis of Article 83(2) GDPR and Article 6(1) and 6(3)(a) ECHR.
Thus, the Court held that for an effective, proportionate, and dissuasive measure, the violations justified an administrative fine of €730,000 (SEK 7,300,000), which was the maximum amount according to the penalty framework in the case, and upheld the DPA’s appeal.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Klarna must pay a penalty fee of SEK 7.5 million because the data protection information did not meet the requirements of the EU's data protection regulation. The violations of the data protection regulation consist of Klarna not providing sufficient information to the data subjects, for example, about how personal data will be stored, and that the information was difficult to access or unclear. - The Court of Appeal considers that a penalty fee of SEK 7.5 million is justified to be effective, proportionate and dissuasive. The Court of Appeal thus makes the same assessment as the Swedish Privacy Protection Authority, says Peder Liljeqvist, a lawyer at the Court of Appeal. The Court of Appeal thus changes the administrative court's ruling that the sanction fee would be SEK 6 million.