Förvaltningsrätten - Mål nr 11453-22

From GDPRhub
Revision as of 17:17, 10 January 2023 by SR
FiS - Mål nr 11453-22
Court: FiS (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(a) GDPR
Article 15(1)(c) GDPR
Article 19 GDPR
Decided: 22.12.2022
Published: 22.01.2023
Parties: Klarna Bank AB
Integritetsskyddsmyndigheten (IMY)
National Case Number/Name: Mål nr 11453-22
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): Swedish
Original Source: Förvaltningsrätten i Stockholm (in Swedish)
Initial Contributor: Pantalaimon1337

The Stockholm Administrative Court upheld an IMY decision and held that Article 15(1)(c) GDPR obliges the controller to disclose information regarding the specific recipients of personal data to the best of its abilities if a data subject expressly asks for it.

English Summary

Facts

A data subject submitted an access request to Klarna Bank AB (the controller). However, the controller did not provide all the requested personal data, including information regarding recipients to whom personal data of the data subject had been disclosed. After an unsuccessful follow-up request, the data subject filed a complaint with a German DPA. The complaint was transferred to the Swedish DPA in an Article 60 GDPR procedure.

The Swedish DPA held in decision DI-2021-10263 that the controller should provide information about the actual recipients, not only categories of recipients, when the data subject expressly requests it. The DPA reached this conclusion by interpreting Article 15(1)(c) GDPR in light of the principles of fairness and transparency (Article 5(1)(a) GDPR) as well as the provision under Article 19 GDPR. Thus, the DPA reprimanded the controller for a violation of Article 15 GDPR.

The controller appealed this decision before the Stockholm Administrative Court. The controller argued, among other things, that Article 15(1)(c) GDPR should be interpreted as allowing the controller to choose whether to give access to categories of recipients or specific recipients in a manner similar to the information requirements in Articles 13(1)(e) and 14(1)(e) GDPR.

Holding

The Stockholm Administrative Court (the Court) recalled that Article 15 GDPR gives an individual the right to be informed as to whether a controller is processing personal data relating to them and, if so, to be provided with tailored information about the processing. The Court stated that it is up to the data subject to make the choice whether to exercise their right to know the recipients or categories of recipients to whom personal data were disclosed.

The Court held that Article 15(1)(c) GDPR must be interpreted as obliging the controller to satisfy the data subject's request to the best of its abilities. If the data subject expressly requests access to information regarding the actual recipients of personal data, there is an obligation for the controller to disclose the data. In this case, the Court established that the case file did not show that the controller lacked the ability to provide the requested information, or that doing so would entail a disproportionate effort. Therefore, the Swedish DPA was justified in its decision to reprimand the controller for a violation of Article 15 GDPR.

The Court dismissed the appeal.

Comment

There has been a discussion in recent court cases about the interpretative role of guidelines issued by the EDPB. The Swedish DPA usually cites the guidelines, which can be seen as giving the guidelines legal force. In this case, the Court stated that "although the EDPB Guidelines are not legally binding, the Administrative Court agrees with IMY's assessment that the Guidelines are, in view of their purpose, indicative for the interpretation of the Articles of the GDPR."


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.


On 11 May 2022, the Privacy Authority (IMY) decided to issue a reprimand to
Klarna under Article 58(2)(b) of Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free
movement of such data and repealing Directive 95/46/EC (GDPR) for breach
of Article 15. The reasons for the decision are set out in Annex 1.
Klarna claims that the decision should be annulled and submits, inter alia, the
following. It has provided information on the categories of recipients to whom
personal data have been disclosed as required by Article 15(1)(c) of the GDPR.
It follows from the wording of that Article that the data subject has the right to
obtain, in the event of a request for access, information on 'the recipients or
categories of recipients' to whom the personal data have been or are to be
disclosed. Controllers thus have a choice between providing information on
individual recipients or categories of recipients. This is also reflected in the
so-called Article 29 Working Party guidelines on transparency, which state, inter
alia, that 'if controllers choose to indicate categories of recipients, the
information should be as specific as possible'.
It further contests IMY's assertion that the obligation in Article 15(1)(c) should
be read in the light of, and given the same meaning as, Article 19 of the Data
Protection Regulation. There is no basis for such an interpretation as the
wording, and hence the obligations, are different. It is closer to read the
wording of Article 15(1)(c) in the light of Articles 13(1)(e) and 14(1)(e), and it
should be undisputed that these Articles imply that controllers have the right to
freely choose between the two options. The fact that Article 15(1)(c), like
Articles 13(1)(e) and 14(1)(e), has one wording regarding the obligation to
provide information, while Article 19 has another, suggests that the former
gives the controller the option of providing information on either
recipients of personal data or the categories of recipients of personal data,
which is contrary to what IMY claims.
The European Data Protection Board (EDPB) guidelines referred to by IMY in
its decision do not support IMY's view that the controller lacks the right to
choose between providing information on recipients or categories of recipients
under Article 15(1)(c) of the GDPR. In the Guidance, the EDPB states that the
controller "should in general name the recipients, unless it is only possible to
indicate the category of recipients". It is therefore a recommendation.
Furthermore, the EDPB guidelines are not legally binding. Moreover, the
guideline on access referred to by IMY was not published at the time of its
alleged breach. There was therefore no opportunity to rely on the non-binding
recommendations set out in the guidelines. The alleged infringement of Article
15 therefore lacks any legal basis.
In the exercise of authority by means of a reprimand, the principle of legality
of no punishment without law applies. IMY's reprimand is a clear departure
from the generally accepted requirements of legality and foreseeability, since
the supervisory decision imposes requirements that are not laid down in the
Constitution. The exercise of public authority involving action against
individuals must be foreseeable. This means that even if the administrative
court were to find that it was obliged to provide information on individual
recipients to whom personal data have been disclosed under Article 15 of the
GDPR, no reprimand should have been issued. Furthermore, the principle of
proportionality must be taken into account. The measure must not go beyond
what is necessary and may only be taken if the intended result is proportionate
to the likely inconvenience to the person against whom the measure is directed.
Account must be taken here of the damage to reputation which reprimands
may cause and of the fact that a reprimand may be taken into account as an
aggravating factor in determining the penalties for any future infringements.

IMY considers that the appeal should be dismissed and submits, inter alia, the
following. It is part of the EDPB's tasks to deal with questions on the
application of the data protection regulation and to issue guidelines,
recommendations and practices with a view to promoting the uniform
application of the data protection regulation. The guidelines should therefore
be given great weight in the interpretation of the provisions of the GDPR, even
if they are not legally binding. If a controller processes personal data without
taking into account the positions set out in the EDPB Guidelines, the controller
risks being found to be in breach of the provisions of the GDPR and, as a
consequence, being subject to corrective action by the supervisory authority. A
different approach would mean that the EDPB Guidelines would be largely
irrelevant.
As regards the choice of sanction, the starting point for infringements of the
Articles at issue in the case is the imposition of a fine. However, instead of a
fine, a reprimand may be imposed for a minor infringement. This was a minor
infringement. Therefore, in accordance with the principle of proportionality, it
has been possible to stop at issuing a reprimand.

THE REASONS FOR THE DECISION

Legal points of departure

Article 1 of the GDPR states that the Regulation lays down rules on the
protection of natural persons with regard to the processing of personal data and
on the free flow of personal data. Article 5(1)(a) states that personal data must
be processed lawfully, fairly and transparently in relation to the data subject.
These principles must be respected in all processing of personal data and the
controller is responsible for ensuring that the principles are respected. This
follows from Article 5(2) of the GDPR.

According to Article 15(1)(c) of the GDPR, the data subject shall have the
right to obtain confirmation from the controller as to whether personal data
relating to him or her are being processed and, if so, to have access to the
personal data and the recipients or categories of recipients to whom the
personal data have been or are to be disclosed, in particular recipients in third
countries or international organisations.
Under Article 58(2)(b), any supervisory authority may issue a reprimand to a
controller for processing operations in breach of the provisions of the
Regulation.

Assessment by the Administrative Court

The EDPB is tasked with ensuring that the General Data Protection Regulation
is applied uniformly. This role is governed by the GDPR. For example, in
cases where national supervisory authorities cannot agree on the application of
the GDPR to the cross-border processing of personal data, the EDPB can take
decisions that are binding on supervisory authorities (see Articles 65 and 70).
Therefore, although the EDPB Guidelines are not legally binding, the
Administrative Court agrees with IMY's assessment that the Guidelines are, in
view of their purpose, indicative for the interpretation of the Articles of the
GDPR.
Klarna has argued that it has not been able to comply with these guidelines
because they were not published at the time of the alleged infringement.
However, it should be noted that IMY has stated in the decision that it does
not claim that Klarna should have been obliged to comply with the guidelines.
Nor did the Guidelines form the basis of the assessment in the contested
decision.

As stated in Article 1(2), one of the objectives of the GDPR is to protect the
fundamental rights and freedoms of natural persons, and in particular their
right to the protection of personal data. In view of this objective, the Articles of
the Regulation should be read in the light of the individual's right to such
protection.
Article 15 of the Regulation gives an individual the right to be informed as to
whether a controller is processing personal data relating to him or her and, if
so, to be provided with information about the processing. In light of this and
the purpose of the Regulation, the Administrative Court considers that it is up
to the data subject to make the choice whether to exercise his or her right to
know the recipients or categories of recipients to whom his or her personal data
have been or are to be disclosed. It is then up to the controller to perform to the
best of its ability.
In the light of the above, Article 15(1)(c) should, in the view of the
Administrative Court, be interpreted as meaning that the data processor has an
obligation to meet the needs of the individual to the best of its ability.
Therefore, if the individual explicitly requests access to information regarding
the recipients to whom personal data have been or are to be disclosed, there is
an obligation on the data processor to disclose the information, if available.
The case file has not shown that Klarna lacked the ability to provide the
requested information, or that doing so would entail a disproportionate effort.
IMY was therefore justified in its decision. The Administrative Court agrees
with IMY's assessment that Klarna should be reprimanded for the
infringement.
The appeal must therefore be dismissed.