IMY (Sweden) - DI-2021-10488
IMY - DI-2021-10488 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(3) GDPR Article 17 GDPR Article 58(2)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 18.03.2022 |
Published: | |
Fine: | n/a |
Parties: | Klarna Bank AB |
National Case Number/Name: | DI-2021-10488 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
The Swedish DPA reprimanded a controller for violating Article 12(3) GDPR by not informing a data subject about a delay of their erasure request within a month of receiving it.
English Summary
Facts
The complainant requested erasure under Article 17 GDPR. It took two months before they received a reply from the controller. After two months, the data subject received a reply which stated that her request will be handled but that her request for erasure may take another 90 days to be completed. The complainant considered it unreasonable that it takes a total of five months for the controller to handle her request.
The controller stated that the initial delays were due to issues on its side in verifying the data subject's identity. The erasure was delayed due to lower staffing during the Christmas and New Year holidays. The controller holds that it has handled the complainants request without undue delay considering the Christmas and New Year holidays and the individual error concerning the confirmation.
Holding
The DPA pointed out that Article 12(3) GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to Article 17 GDPR. Moreover, the one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. In this case, the controller shall inform the data subject of the extension and indicate the reasons for the delay.
The investigation found that the controller did not inform the data subject until approximately two months after the request was received and the identity of the complainant was verified, that the erasure process was initiated and that it can take up to 90 days for the erasure to be completed nor did the controller state the reasons for the delay.
Consequently, the DPA held that controller did not dealt with the complainant’s request without undue delay within the meaning of Article 12(3) GDPR. In light of the this, the DPA concluded that the controller has processed the complainant’s personal data in violation of Article 12(3) GDPR. Since the violation occurred due to human error and only affected one person, the DPA limited its corrective measures to giving a reprimand pursuant to Article 58(2)(b) of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(4) Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-03-18, no. DI-2021-10488. Only the Swedish version of the decision is deemed authentic. Ref no: DI-2021-10488 Decision under the General Data Date of decision: Protection Regulation – Klarna Bank 2022-03-18 Date of translation: AB 2022-03-18 Decision of the Swedish Authority for Privacy Protection (IMY) The Authority for Privacy Protection (IMY) finds that Klarna Bank AB has processed personal data in breach of Article 12(3) of the General Data Protection Regulation (GDPR) by not without undue delay complying with the complainant’s request for erasure pursuant to Article 17 of 25 November 2020 only on 24 January 2020. The Authority for Privacy Protection issues Klarna Bank AB a reprimand pursuant to Article 58(2)(b) of the GDPR for the infringement of Article 12(3) of the GDPR. Report on the supervisory report The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna Bank AB (Klarna or the company) due to a complaint. The complaint has been submitted to IMY, as responsible supervisory authority pursuant to Article 56 of the General Data Protection Regulation (GDPR) from the supervisory authority in the Netherlands where the complainant has lodged their complaint in accordance with the Regulation’s provisions on cooperation in cross-border processing. The investigation in the case has been carried out through correspondence. In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII GDPR. The supervisory authorities concerned have been the data protection authorities in Germany, Denmark, Austria, Italy, Poland, and Finland. The complaint Postal address: The complainant has mainly stated she requested erasure under Article 17 of the Box 8114 GDPR, but that it took two months before she received a reply from Klarna. After two 104 20 Stockholm Website: months, she has received a reply which states that her request will be handled and www.imy.se that her request for erasure may take another 90 days to be completed. The E-mail: imy@imy.se Phone: 1 Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the 08-657 61 00 protection of natural persons with regard to he processing of personal data and on he free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).Integritetsskyddsmyndigheten Diarienummer: DI-2021-10488 2(4) Datum: 2022-03-18 complainant considers it unreasonable that it takes a total of five months for Klarna to handle her request. What Klarna has stated Klarna has mainly stated the following. Klarna is the data controller for the processing to which the complaint relates. The complainant’s request for erasure was received by Klarna on 18 November 2020, after which Klarna verified the applicant’s identity on 25 November 2020 and on 26 November 2020 requested a confirmation of the initiation of the erasure process. On 27 November 2020 the complainant submitted a confirmation, but this has not been brought to the attention of the case handler. Klarna sent a further request for confirmation on December 202020. On 24 January 2021, Klarna informed the complainant that the erasure process had been initiated and that the processing was delayed due to lower staffing during the Christmas and New Year holidays. On the same date, the process of erasure of the complainant’s personal data was completed. Klarna holds that it has handled the complainants request without undue delay considering the Christmas and New Year holidays and the individual error concerning the confirmation. Pursuant to Article 12(3) of the GDPR, Klarna informed the complainant of the maximum period allowed for carrying out a deletion. The reason for this was that the number of incoming cases was sometimes very high and the processing during these times could take more than a month. Klarna further states that it has further developed the processes concerning data subjects’ rights in order to ensure that the deadlines set are met and that the data subject is clearly informed. In addition, the responsible case officer in the case in question, as well as the other case officers, have received additional information on the importance of careful and expeditious handling of these cases. Justification of the decision Applicable provisions, etc. Article 12(3) of the GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to, inter alia, Article 17. The one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. If the time limit of one month is extended, the controller shall inform the data subject of the extension. Notification of the extension of the deadline shall take place within one month of receipt of the request. The controller shall also indicate the reasons for the delay. European Data Protection Board (EDPB) Guidelines 01/2022 on access state that the time limit starts when the controller has received a request. However, when the controller needs to communicate with the data subject due to the uncertainty as to the identity of the person making the request, there may be a suspension in time until the controller has obtained the information needed from the data subject, provided the controller has asked for additional information without undue delay. 2 2EDPB Guidelines 01/2022 on data subject rights - Right of access, Version 1.0, adopted for public consulta ion on 18 January 2022Integritetsskyddsmyndigheten Diarienummer: DI-2021-10488 3(4) Datum: 2022-03-18 Article 17(1)(a) provides that the data subject shall have the right to have his or her personal data erased without undue delay from the controller and the controller shall be obliged to erase personal data without undue delay if they are no longer necessary for the purposes for which they were collected or otherwise processed. Article 17(3) lists exhaustively the exceptions to this right. Assessment of the Authority for Privacy Protection (IMY) The investigation shows that the complainant’s request for erasure was received by Klarna on 18 November 2020. Since Klarna had to communicate with the complainant in order to secure their identity and requested additional information without undue delay, IMY considers that the time limit to start again once the identity of the complainant has been verified on 25 November 2020. According to Klarna, the request has been fully met on 24 January 2021, which IMY does not find any reason to call into question. Klarna did not inform the complainant until 24 January 2021, i.e. approximately two months after the request was received and the identity of the complainant was verified, that the erasure process was initiated and that it can take up to 90 days for the erasure to be completed as well as stated the reasons for the delay. IMY therefore concludes that Klarna has not dealt with the complainant’s request without undue delay within the meaning of Article 12(3) of the GDPR. In light of the above, IMY concludes that Klarna has processed the complainant’s personal data in violation of Article 12(3) of the GDPR. Choice of corrective measure It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into account when deciding on administrative fines and in determining the amount of the fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider is the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and past relevant infringements. IMY notes the following relevant facts. The handling of the complainant’s request has been delayed mainly due to an individual procedural error. The violation is due to human error and has affected only one person. Against this background IMY considers that it is a minor infringement within the meaning of recital 148 and that Klarna Bank AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR. This decision has been made by the specially appointed decision-maker after presentation by legal advisor .Integritetsskyddsmyndigheten Diarienummer: DI-2021-10488 4(4) Datum: 2022-03-18 How to appeal If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received at the right time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review. You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown in the first page of the decision.