IMY (Sweden) - DI-2020-10561
Datainspektionen - DI-2020-10561 | |
---|---|
Authority: | Datainspektionen (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(3) GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.03.2021 |
Published: | 26.03.2021 |
Fine: | None |
Parties: | Rebtel Networks AB |
National Case Number/Name: | DI-2020-10561 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | n/a |
The Swedish DPA issued a reprimand on Rebtel Networks AB for violating Article 17 GDPR by not deleting personal data of the complainant without undue delay and Article 23 GDPR by providing incorrect information about deletion of personal data.
English Summary
Facts
The complainant unsuccessfully tried to persuade the company to stop sending unsolicited emails after deleting her account. She requested removal of her data four times and each time the company confirmed that her data had been deleted and that she would not receive any more messages. After each time she then received a new email asking her to provide feedback about the service. She also tried to use the "unregister" link provided in each e-mail but it did not worked either.
The company stated that the complainant's request for deletion was not handled due to the company not perceiving it as a request for deletion.
Dispute
Holding
According to the DPA it has been made clear in the request that the complainant wanted to exercise her right to deletion.
The DPA issued a reprimand on Rebtel Networks AB for violating Article 17 GDPR by not deleting personal data of the complainant without undue delay and Article 23 GDPR by providing incorrect information about deletion of personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (5) Rebtel Networks AB Jakobsbergsgatan 16 111 44 Stockholm Record number: DI-2020-10561 Decision after supervision according to Date: Data Protection Regulation - Rebtel 2021-03-23 Networks AB The decision of the Integrity Protection Authority The Privacy Protection Authority states that Rebtel Networks AB has processed personal data in violation of Article 17 of the Data Protection Regulation by not without undue delay first on 9 November 2020, delete the personal data requested by the complainant deletion of 18 September 2019. Article 12 (3) of the Data Protection Regulation by providing incorrect information on 22 September 2019 that the complainant's information had been deleted due to the complainant's request of 18 September 2019. The Privacy Protection Authority gives Rebtel Networks AB a reprimand according to Article 58 (2) (b) of the Data Protection Regulation. Report on the supervisory matter The Privacy Protection Authority (IMY) has initiated supervision regarding Rebtel Networks AB (the company) in connection with a complaint. The complaint has been submitted to IMY, i as the responsible supervisory authority in accordance with Article 56 of the Data Protection Regulation. The transfer has taken place from the supervisory authority in the country where the complainant has left lodged its complaint (Spain) in accordance with the provisions of the Regulation on cooperation in cross-border treatment. The complaint alleges that the complainant unsuccessfully tried to persuade the company to stop sending unsolicited emails after deleting her account. She has on four occasions requested removal and the company has each time confirmed that her Postal address: information has been deleted and she would not receive any more messages, but she has Box 8114 then each time receive a new email asking her to provide feedback 104 20 Stockholm about the service. She has also tried to use the "unregister" link provided in each e-mail Website: www.imy.se E-mail: imy@imy.se REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on 08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation). Integrity Protection Authority Record number: DI-2020-10561 2 (5) Date: 2021-03-23 mail, but it has not worked either. Against this background, she believes that the company has breached its obligations under Article 17 of the Data Protection Regulation. Rebtel Networks AB has mainly stated the following. The company received a request for deletion from the complainant on September 18, 2019. I subsequently, however, it can be stated that it was not handled as a request for deletion under the Data Protection Regulation, even if certain data were deleted. This is the reason for further e-mail in the form of a reminder of a survey for customer survey has been sent to the complainant. This has happened during the period up to and with effect from 1 October 2019, ie not after the deadline of one month applies under the Data Protection Regulation to comply with a deletion request. Remaining data was deleted on November 9, 2020, except for those that are necessary to be able to handle the current supervisory matter. The company informed complainant about this on 20 November 2020. Due to this supervisory matter, the company has taken special measures to strengthen their established processes and procedures for identifying a request under the Data Protection Regulation. This includes above all that further training of its customer service agents. The company has further improved its so-called data triggers in its customer service tools. The company's investigation of the complainant's case showed that it did not had been flagged as a matter under the Data Protection Regulation as the data application did not perceived any reference to the Data Protection Regulation in Spanish. The processing has taken place through correspondence. Given that it applies cross-border treatment, IMY has used the mechanisms of cooperation and uniformity contained in Chapter VII of the Data Protection Regulation. Affected regulators have been the data protection authorities in Spain, Germany, Norway, Italy and France. Justification of decision Applicable regulations According to Article 12 (3) of the Data Protection Regulation, the controller shall: request without undue delay and in any case no later than one month after to have received the request to provide the data subject with information on the measures taken taken in accordance with Article 17. This period may, if necessary, be extended by a further two months, taking into account the complexity of the request and the number received requests. The personal data controller shall notify the data subject of a such extension within one month of receipt of the request and state the reasons to the delay. According to Article 17 (1) (a), the data subject shall have the right to be informed by the controller without undue delay have their personal data deleted and it the person responsible for personal data shall be obliged to delete without undue delay personal data if the personal data are no longer necessary for the purposes for which which they have collected or otherwise treated. According to Article 17 (3) (b), this shall not be the case apply to the extent that the processing is necessary to comply with a legal obligation requiring treatment under Union law.Integrity Protection Authority Record number: DI-2020-10561 3 (5) Date: 2021-03-23 The Integrity Protection Authority's assessment Has there been a breach of the Data Protection Regulation? The company has stated that the reason for the complainant's request for deletion of the 18th September 2019 was not handled until November 9, 2020 due to the company not perceived it as a request for deletion. In the IMY's view, however, it has been made clear in the request that it registered wanted to exercise their right to deletion. Because some data was deleted only on 9 November 2020 did Rebtel Networks AB process personal data in violation with Article 17 of the Data Protection Regulation by not without undue delay first it 9 November 2020 delete the personal data requested by the complainant on 18 September 2019. However, the company has been justified in retaining the information needed for to be able to show that the request has been handled in accordance with the Data Protection Regulation. The company has stated that no further e-mails have been sent since October 2, 2019 and that this is within the time limit of one month provided for in Article 12 (3) and 17 the Data Protection Regulation. However, the company was incorrect in its reply to the complainant on 22 September 2019 stated that the information had been deleted and that the complainant would not receive a few more mailings. Rebtel Networks AB thereby violates Article 12 (3) Data Protection Regulation provided incorrect information on what measures - that the data had been deleted - which has been taken as a result of the complainant's request. Despite the fact that the company, on 22 September 2019, informed the complainant that no more e- mailing if customer satisfaction should take place, the complainant has received another four such mailings. The four mailings were made on 22 and 25 September and on 1 and 2 October 2019. However, the IMY notes that this is a relatively short time after request for deletion was made and considers that it is within the time limit the company had undertaken to take action if the request had been handled correctly. Choice of intervention Article 58 (2) (i) and Article 83 (2) state that the IMY has the power to impose administrative penalty fees in accordance with Article 83. the circumstances of the individual case, administrative penalty fees shall be imposed in addition to or in place of the other measures referred to in Article 58 (2), such as: injunctions and prohibitions. Furthermore, Article 83 (2) sets out the factors to be taken into account taken into account when deciding whether to impose administrative penalty fees and at determining the amount of the fee. In the case of a minor infringement, IMY as stated in recital 148 instead of imposing a penalty fee issue one reprimand under Article 58 (2) (b). Account shall be taken of aggravating and mitigating circumstances circumstances of the case, such as the nature, severity and duration of the infringement as well as previous violations of relevance. The company has stated that the reason for the complainant's request for deletion is not was handled correctly mainly due to a mistake in the company's customer service and customer service tools. Due to what happened, the company has stated that it has taken action specific organizational and technical measures to strengthen their established processes and procedures for identifying a request under the Data Protection Regulation. In an overall assessment of the circumstances, the IMY finds that it is a question of less infringements within the meaning of recital 148 and that Rebtel Networks AB thereforeIntegrittsskyddsmyndigheten Record number: DI-2020-10561 4 (5) Date: 2021-03-23 shall be reprimanded in accordance with Article 58 (2) (b) of the Data Protection Regulation for those found the infringements. This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by lawyer Olle Pettersson. Catharina Fernquist, 2021-03-23 (This is an electronic signature) Integrity Protection Authority Registration number: DI-2020-10561 5 (5) Date: 2021-03-23 How to appeal If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received part of the decision. If the appeal has been received in time, send The Integrity Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.