IMY (Sweden) - DI-2021-10263
IMY - DI-2021-10263 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5 GDPR, Article 15 GDPR, Article 19 GDPR, Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 11.05.2022 |
Published: | |
Fine: | n/a |
Parties: | Klarna Bank AB |
National Case Number/Name: | DI-2021-10263 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
Pursuant to the Article 60 cooperation mechanism, the Swedish DPA reprimanded a controller for processing personal data in violation of Article 15 GDPR by failing to inform a data subject of the recipients to whom their personal data had been disclosed, despite the data subject explicitly requesting this information.
English Summary
Facts
The data subject requested access to his personal data under Article 15 of the GDPR from Klarna Bank AB, the controller. The information he obtained from the controller did not include all the information that he had asked for, since it lacked information about the recipients to whom his personal data had been disclosed. Even though the complainant came back with a request to know exactly which recipients his data had been sent to, the controller did not comply with this request.
Subsequently, the data subject complained to the DPA. The controller stated that the information sent to the complainant on the 24th of January 2020 was in accordance with the obligations of the GDPR, and that it had no duty to reply to the complainant’s access request in any other way than it did.
Holding
Firstly, the DPA pointed out the applicable GDPR provisions.
Article 15 of the GDPR provides that the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The data subject shall also have the right to information about the recipients or categories of recipient to whom the personal data have been or will be disclosed (Article 15(1)(c)).
Article 19 of the GDPR requires the controller to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Additionally, according to Article 5, the controller shall be responsible for, and be able to demonstrate compliance with, inter alia the obligation to process personal data fairly and in a transparent manner in relation to the data subject.
In conclusion, the DPA held, based on the presented GDPR provisions, that Article 15(1)(c), read together with Article 19 and in light of the principles of fairness and transparency pursuant to Article 5(1)(a), cannot be interpreted any other way than as a right of the data subject to obtain from the controller information about the actual recipients to whom the personal data have been or will be disclosed, unless this proves impossible or involves disproportionate effort. This is especially the case when it is explicitly requested. The controller did not prove that providing this information was impossible or involved disproportionate effort and thus processed the complainant’s personal data in violation of Article 15 GDPR.
Considering mitigating circumstances, the DPA decided to reprimand the controller pursuant to Article 58(2)(b) GDPR instead of fining them.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-05-11, no. DI-2021-10263. Only the Swedish version of the decision is deemed authentic.

Registration number: DI-2021-10263, IMI case no. 185203, LDA-1085.1-1399/20-F
Date of decision: 2022-05-11

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Telephone: 08-657 61 00

Decision under the General Data Protection Regulation — Klarna Bank AB

Decision of the Swedish Authority for Privacy Protection (IMY)

The Authority for Privacy Protection (IMY) finds that Klarna Bank AB is processing personal data in breach of Article 15 of the General Data Protection Regulation (GDPR) [1] by not complying with the complainant’s request of 22 December 2019 for information about the recipients to whom his personal data have been disclosed.

The Authority for Privacy Protection issues Klarna Bank AB a reprimand pursuant to Article 58(2)(b) of the GDPR for the infringement of Article 15 of the GDPR.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Report on the supervisory case

The case handling

The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna Bank AB (Klarna) due to a complaint. The complaint has been submitted to IMY, in its capacity as lead supervisory authority under Article 56 of the General Data Protection Regulation (GDPR). The handover has been made by the supervisory authority of the country where the complainant has lodged his complaint (Germany) in accordance with the Regulation’s provisions on cooperation concerning cross-border processing.

The investigation in the case has been carried out through correspondence. Since the complaint regards cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities in Germany, Denmark, Austria, Italy, Poland, and Finland.

The complaint

The complainant mainly states the following.

He has requested access to his personal data under Article 15 of the GDPR. The information he obtained from Klarna did not include all the information that he had asked for since it lacked information about the recipients to whom his personal data had been disclosed. Even though the complainant came back with a request to know exactly which recipients his data had been sent to, Klarna has not complied with this request.

Due to the complaint, IMY has initiated supervision in order to examine if the complainant’s request has been complied with in accordance with Article 15 of the GDPR.

What Klarna has stated

Klarna states that it is the controller for the processing to which the complaint relates.

The information sent to the complainant on the 24th of January 2020 is in accordance with the obligations of the GDPR. Klarna has no duty to reply to the complainant’s access request in any other way than it did. The EDPB Guidelines 01/2022 on access were adopted on the 18th of January 2022, i.e. two years after the complainant’s case regarding access request was closed.

Justification of the decision

Applicable provisions, etc.

Article 15 of the GDPR provides that the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The data subject shall also have the right to information about the recipients or categories of recipient to whom the personal data have been or will be disclosed (Article 15(1)(c)).

Article 19 of the GDPR requires the controller to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

According to Article 5 the controller shall be responsible for, and be able to demonstrate compliance with, inter alia the obligation to process personal data fairly and in a transparent manner in relation to the data subject.

EDPB Guidelines 01/2022 on access state that concerning the question, if the controller is free to choose between information on recipients or on categories of recipients, it has to be recalled, that, already under Art. 13 and 14 GDPR information on the recipients or categories of recipients should be as concrete as possible in respect of the principles of transparency and fairness. The controller should therefore generally name the actual recipients unless it would only be possible to indicate the category of recipients. Nevertheless, sometimes naming the actual recipients is not yet possible at the time of the information under Art. 13 and 14 GDPR but only in a later stage, for example when an access request is made. The EDPB recalls in this regard, that storing information relating to the actual recipients is necessary inter alia to be able to comply with the controller’s obligations under Art. 5(2) and 19 GDPR. [2]

Assessment of the Authority for Privacy Protection

The wording of Article 15(1)(c) of the GDPR does clarify if the controller is free to choose between information on actual recipients or on only categories of recipients.
However, IMY concludes that Article 15(1)(c), read together with Article 19 and in light of the principles of fairness and transparency (Article 5(1)(a)) cannot be interpreted any other way than as a right of the data subject to, especially when explicitly requested, obtain from the controller information about the actual recipients to whom the personal data have been or will be disclosed, unless this proves impossible or involves disproportionate effort.

IMY notes that the complainant has explicitly requested information about actual recipients. Klarna has not proved that this has proven impossible or to involve disproportionate effort. Klarna has thus processed the complainant’s personal data in violation of Article 15 of the GDPR.

What Klarna has stated about that the EDPB Guidelines on access were adopted after the access request was complied with, does not lead to any other conclusion. IMY does not claim that Klarna has an obligation to comply with guidelines that were not available to Klarna at the time of the violation. IMY’s reason for citing the guidelines is to prove that there is wide support for IMY’s opinion, which follows from the wording of Article 19.

Choice of corrective measure

It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into account when deciding on administrative fines and in determining the amount of the fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b).
Factors to consider are the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and past relevant infringements.

IMY notes that the violation has affected one person and has not involved sensitive data. Furthermore, Klarna has otherwise complied with the complainant’s request for access. Against this background IMY considers that it is a minor infringement within the meaning of recital 148 and that Klarna Bank AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR for the established infringement.

[2] EDPB Guidelines 01/2022 on data subject rights - access, Version 1.0, adopted for public consultation on 18 January 2022, paragraph 115.

This decision has been approved by the specially appointed decision-maker after presentation by legal advisor

How to appeal

If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received at the right time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review.

You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown in the first page of the decision.