BlnBDI (Berlin) - 521.14730 / 631.410

From GDPRhub
Revision as of 14:18, 18 October 2022 by Fz (talk | contribs)
BlnBDI - 521.14730 / 631.410
LogoDE-BE.png
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 12(3) GDPR
Article 12(6) GDPR
Article 15 GDPR
Article 60(8) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: n/a
Parties: Klarna Bank AB
National Case Number/Name: 521.14730 / 631.410
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

Pursuant to the Article 60 GDPR cooperation mechanism, the Berlin DPA adopted a draft decision by a Swedish DPA which rejected a complaint on the basis of Article 15 GDPR as the controller, firstly, had reasonable grounds to doubt the identity of the requester and, secondly, responded in time as the monthly limit pursuant Article 12(3) GDPR pauses while a data subject responds to an authentication request.

English Summary

Facts

The complaint was raised before the Berlin DPA in July 2021. It was transferred to the supervisory authority Sweden, which is the Lead Supervisory Authority (LSA) in accordance with Article 56 GDPR. The LSA Sweden conducted the investigation and the cooperation procedure in accordance with Article 60 GDPR and proposed a Draft Decision which dismissed / rejected the complaint. In accordance with Article 60(8) GDPR, the Berlin DPA, as the supervisory authority with which the complaint was lodged, adopted the Swedish decision as it was agreed upon in the cooperation procedure.

According to the Swedish decision, Klarna, the controller, received an access request by the complainant on 6 June 2021. Klarner's customer service requested the complainant to complete their request with information regarding the complainant’s identity and requested the complainant’s telephone number in order to send a data access verification code. The complainant then provided the information regarding identity without giving a telephone number. On 17 June 2021, the complainant requested that the request be dealt with by 19 June 2021. On 24 June 2021, Klarna’s customer service again asked the complainant to provide a telephone number. The complainant submitted the information on the same day. The register extract with password was sent to the complainant on 12 July 2021. Klarna considers that the extract of the register has been submitted within the time frame set out in Article 12(3) GDPR after the complainant has provided the necessary information regarding their identity. The complainant is of the opinion that Klarna did not follow their duties according to Article 15 GDPR by replying to the request in time.

Holding

The Swedish DPA pointed out that Article 12(3) GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to Article 15 GDPR. Further, the one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. If the time limit of one month is extended, the controller shall inform the data subject of the extension.

Next, under Article 15 GDPR the data subject has the right to obtain from the controller a copy of the personal data processed by the controller.

However, the DPA also noted that, as is clear form Article 12(6) GDPR, where the controller has reasonable grounds to doubt the identity of the natural person making a request pursuant to Articles 15 to 21 GDPR, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

In light of the facts, the DPA considered that Klarna had reasonable grounds to doubt the identity of the appellant and has adequately requested proportionate information without undue delay. Since the complainant did not submit that information until 24 June 2021, the time limit did not start to run again until then. Furthermore, the PDA considered that Klarna has handled the request without undue delay through the total 23 days.

The DPA held against this background that the investigation in the case does not show that the controller has processed the complainant’s personal data in breach of Articles 12(3), 12(6) and 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

521.14730 / 631.410

CR: 134712

Draft Decision IMI A60DD 372925



                                                                               Berlin, 26 April 2022



Final Decision




Preliminary remarks


The complaint (ref. no. 521.14730 / 631.410 ) was raised before the Berlin DPA in July 2021. It

was transferred to the supervisory authority Sweden, which is the Lead Supervisory Authority

(LSA) for the cross-border processing carried out by Klarna Bank AB, in accordance with Article

56 GDPR. The LSA Sweden conducted the investigation and the cooperation procedure with all
concerned supervisory authorities in accordance with Article 60 GDPR. The LSA Sweden pro-

posed the Draft Decision 372925 and thereby the complaint was dismissed /rejected. In ac-

cordance with Article 60 (8) GDPR, the Berlin DPA as the supervisory authority with which the
complaint was lodged, hereby adopts the decision as it was agreed upon in the cooperation

procedure and is included below:



       “ Decision of the Swedish Authority for Privacy Protection (IMY)

       The Authority for Privacy Protection (IMY) finds that Klarna not has processed personal
       data in breach of Articles 12.3, 12.6 and 15 of the General Data Protection Regulation

       (GDPR) 1 .



       The case is hereby closed.




Berlin Commissionerfor Data ProtectioPhone: (030) 13889-0             Mail:mailbox@datenschutz-berlin.de
and Freedom of Information (BlnBDI)  Fax: (030) 215 50 50                 Web: www.datenschutz-berlin.de
Friedrichstr. 219, 10969 Berlin
                                     Officehours: Daily from 10 am to 3 pm,
Visitors‘ entrance: Puttkamerstr. 16–Thursdays from 10 am to 6 pmReport on the supervisory report
The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna Bank

AB (Klarna or the company) due to a complaint. The complaint has been submitted to

IMY, as responsible supervisory authority for the company’s operations pursuant to Article
56 of the General Data Protection Regulation (GDPR). The handover has been made

from the supervisory authority of the country where the complainant has lodged their
complaint (Germany, Berlin) in accordance with the Regulation’s provisions on coopera-

tion in cross-border processing.


The investigation in the case has been carried out through correspondence. In the light of

a complaint relating to cross-border processing, IMY has used the mechanisms for coop-
eration and consistency contained in Chapter VII GDPR. The supervisory authorities con-

cerned have been the data protection authorities in the Czech Republic, Denmark, Ger-

many, Finland, Norway and Poland.


The complaint
The complaint states the following. On 6 June 2021, the complainant requested access to

his personal data pursuant to Article 15 of the GDPR. When Klarna did not reply, a re-

minder of the request for access was sent on 11 June 2021 and 17 June 2021.


What Klarna has stated
Klarna is the data controller for the processing to which the complaint relates. The request

was received by Klarna on 6 June 2021. Klarna has dealt with the request received and

has taken the following steps. On 11 June 2021, Klarna’s customer service requested the
complainant to complete their request with information regarding the complainant’s iden-

tity and requested the complainant’s telephone number in order to send a verification
code(to access the personal data). The complainant then provided the information re-

garding identity without giving a telephone number. On 17 June 2021, the complainant

requested that the request be dealt with by 19 June 2021.


On 24 June 2021, Klarna’s customer service again asked the complainant to provide a
telephone number. The complainant submitted the information on the same day. The reg-

ister extract with password was sent to the complainant on 12 July 2021. Klarna considers




                                                                                       2that the extract of the register has been submitted within the timeframe set out in Article

12(3) of the GDPR after the complainant has provided the necessary information regard-
ing their identity.



Justification of the decision


Applicable provisions, etc.
Article 12(3) of the GDPR requires the controller to provide the data subject, upon re-

quest, without undue delay and in any event no later than one month after receiving the

request, with information on the actions taken pursuant to, inter alia, Article 15. The one-
month time limit may be extended by a further two months where the request is particu-

larly complex or the number of requests received is high. If the time limit of one month is
extended, the controller shall inform the data subject of the extension. Notification of the

extension of the deadline shall take place within one month of receipt of the request. The

controller shall also indicate the reasons for the delay.


Without prejudice to Article 11, where the controller has reasonable grounds to doubt the
identity of the natural person making a request pursuant to Articles 15 to 21, the control-

ler may request the provision of additional information necessary to confirm the identity of

the data subject. This is clear from Article 12(6).


Under Article 15, the data subject has the right to obtain from the controller a copy of the
personal data processed by the controller. The data subject shall also receive other infor-

mation, such as the purpose for which the personal data are processed and to which re-

cipients or categories of recipients the data are disclosed.


The European Data Protection Board (EDPB) Guidelines 01/2022 on access indicate that
the calculation of the one month deadline in Article 12(3) is calculated from the date of

receipt of the request. However, where, following the request, a controller needs to take

measures to ensure the identity of the data subject, the time limit may be suspended until
the controller has received the information necessary to identify the data subject. This

provided that the request for additional information has been made without undue delay.


Assessment of the Authority for Privacy Protection (IMY)




                                                                                           3       The investigation shows that the complainant’s request for access was made on 6 June

       2021 and that Klarna met the request on 12 July 2021, i.e. approximately one month
       later. It is also apparent that Klarna had doubts as to whether it was indeed the appellant

       who made the request and therefore, on 11 June 2021, asked the appellant to supple-
       ment the request with information for the purpose of verifying its identity and reminded it

       on 24 June 2021.


       IMY considers that Klarna had reasonable grounds to doubt the identity of the appellant

       and has adequately requested proportionate information without undue delay. Since the
       complainant did not submit that information until 24 June 2021, the time limit did not start

       to run again until then. Furthermore, IMY considers that Klarna has handled the request

       without undue delay through the total 23 days.


       IMY concludes against this background that the investigation in the case does not show
       Klarna has processed the complainant’s personal data in breach of Articles 12(3), 12(6)

       and 15 of the GDPR.


       The case is hereby closed.”


Appeal Notice


Against this decision a lawsuit before the Verwaltungsgericht Berlin (administrative court of

Berlin), Kirchstraße 7, 10557 Berlin is admissible. The lawsuit needs to be filed in written

form within one month after the announcement of this decision, it can also be filed as an
electronic document with a qualified electronic signature (QES) for the record of the clerk of

the court. Please, note that in case of filing the lawsuit in writing the legal deadline is only
met if the lawsuit reaches the administrative court within the deadline.






The Berlin Commissioner for Data Protection
and Freedom of Information








                                                                                               4