Förvaltningsrätten - Mål nr 11453-22
FiS - Mål nr 11453-22 | |
---|---|
Court: | FiS (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(a) GDPR Article 15(1)(c) GDPR Article 19 GDPR |
Decided: | 22.12.2022 |
Published: | 22.01.2023 |
Parties: | Klarna Bank AB Integritetsskyddsmyndigheten (IMY) |
National Case Number/Name: | Mål nr 11453-22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Swedish |
Original Source: | Förvaltningsrätten i stockholm (in Swedish) |
Initial Contributor: | Pantalaimon1337 |
The Stockholm Administrative Court held that Article 15(1)(c) GDPR obliges the controller to disclose information regarding the specific recipients of personal data to the best of its abilities if a data subject expressly asks for it.
English Summary
Facts
A data subject submitted an access request to Klarna Bank AB (the controller). However, the controller did not provide all the requested personal data, including information regarding recipients to whom personal data of the data subject had been disclosed. After an unsuccessful follow-up request, the data subject filed a complaint with a German DPA. The complaint was transferred to the Swedish DPA in an Article 60 GDPR procedure.
The Swedish DPA held in decision DI-2021-10263 that the controller should provide information about the actual recipients, not only categories of recipients, when the data subject expressly requestes it. The DPA reached this conclusion by interpreting Article 15(1)(c) GDPR together with Articles 19 and Article 5(1)(a) GDPR, the principles of fairness and transparency. The DPA reprimanded the controller for a violation of Article 15 GDPR.
The controller appealed this decision before the Stockholm Administrative Court. The controller argued, among others, that Article 15(1)(c) GDPR should be interpreted as allowing the controller to choose whether to give access to categories of recipients or specific recipients in a manner similar to the information requirements in Articles 13(1)(e) and 14(1)(e) GDPR.
Holding
The Stockholm Administrative Court (the Court) recalled that Article 15 GDPR gives an individual the right to be informed as to whether a controller is processing personal data relating to them and, if so, to be provided with information about the processing. The Court stated that it is up to the data subject to make the choice whether to exercise their right to know the recipients or categories of recipients to whom personal data were disclosed.
The Court held that Article 15(1)(c) GDPR must be interpreted as obliging the controller to satisfy the data subject's request to the best of its abilities. If the data subject expressly requests access to information regarding the actual recipients of personal data, there is an obligation for the controller to disclose the data. In this case, the Court established that the case file did not show that the controller lacked the ability to provide the requested information, or that doing so would entail a disproportionate effort. Therefore, the Swedish DPA was justified in its decision to reprimand the controller for a violation of Article 15 GDPR.
The Court dismissed the appeal.
Comment
There has been a discussion in recent court cases about the interpretative role of guidelines issued by the EDPB. The Swedish DPA usually cites the guidelines which can be seen as giving the guidelines legal force.
In this case, the Court stated that "although the EDPB Guidelines are not legally binding, the Administrative Court agrees with IMY's assessment that the Guidelines are, in view of their purpose, indicative for the interpretation of the Articles of the GDPR."
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
On 11 May 2022, the Privacy Authority (IMY) decided to issue a reprimand to Klarna under Article 58(2)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR) for breach of Article 15. The reasons for the decision are set out in Annex 1. Klarna claims that the decision should be annulled and submits, inter alia, the following. It has provided information on the categories of recipients to whom personal data have been disclosed as required by Article 15(1)(c) of the GDPR. It follows from the wording of that Article that the data subject has the right to obtain, in the event of a request for access, information on 'the recipients or categories of recipients' to whom the personal data have been or are to be disclosed. Controllers thus have a choice between providing information on individual recipients or categories of recipients. This is also reflected in the so- called Article 29 Working Party guidelines on transparency, which state, inter alia, that 'if controllers choose to indicate categories of recipients, the information should be as specific as possible'. It further contests IMY's assertion that the obligation in Article 15(1)(c) should be read in the light of, and given the same meaning as, Article 19 of the Data Protection Regulation. There is no basis for such an interpretation as the wording, and hence the obligations, are different. It is closer to read the wording of Article 15(1)(c) in the light of Articles 13(1)(e) and 14(1)(e), and it should be undisputed that these Articles imply that controllers have the right to freely choose between the two options. The fact that Article 15(1)(c), like Articles 13(1)(e) and 14(1)(e), has one wording regarding the obligation to provide information, while Article 19 has another, suggests that the former gives the controller the option of providing information on either recipients of personal data or the categories of recipients of personal data, which is contrary to what IMY claims. The European Data Protection Board (EDPB) guidelines referred to by IMY in its decision do not support IMY's view that the controller lacks the right to choose between providing information on recipients or categories of recipients under Article 15(1)(c) of the GDPR. In the Guidance, the EDPB states that the controller "should in general name the recipients, unless it is only possible to indicate the category of recipients". It is therefore a recommendation. Furthermore, the EDPB guidelines are not legally binding. Moreover, the guideline on access referred to by IMY was not published at the time of its alleged breach. There was therefore no opportunity to rely on the non-binding recommendations set out in the guidelines. The alleged infringement of Article 15 therefore lacks any legal basis. In the exercise of authority by means of a reprimand, the principle of legality of no punishment without law applies. IMY's reprimand is a clear departure from the generally accepted requirements of legality and foreseeability, since the supervisory decision imposes requirements that are not laid down in the Constitution. The exercise of public authority involving action against individuals must be foreseeable. This means that even if the administrative court were to find that it was obliged to provide information on individual recipients to whom personal data have been disclosed under Article 15 of the GDPR, no reprimand should have been issued. Furthermore, the principle of proportionality must be taken into account. The measure must not go beyond what is necessary and may only be taken if the intended result is proportionate to the likely inconvenience to the person against whom the measure is directed. Account must be taken here of the damage to reputation which reprimands may cause and of the fact that a reprimand may be taken into account as an aggravating factor in determining the penalties for any future infringements. IMY considers that the appeal should be dismissed and submits, inter alia, the following. It is part of the EDPB's tasks to deal with questions on the application of the data protection regulation and to issue guidelines, recommendations and practices with a view to promoting the uniform application of the data protection regulation. The guidelines should therefore be given great weight in the interpretation of the provisions of the GDPR, even if they are not legally binding. If a controller processes personal data without taking into account the positions set out in the EDPB Guidelines, the controller risks being found to be in breach of the provisions of the GDPR and, as a consequence, being subject to corrective action by the supervisory authority. A different approach would mean that the EDPB Guidelines would be largely irrelevant. As regards the choice of sanction, the starting point for infringements of the Articles at issue in the case is the imposition of a fine. However, instead of a fine, a reprimand may be imposed for a minor infringement. This was a minor infringement. Therefore, in accordance with the principle of proportionality, it has been possible to stop at issuing a reprimand. THE REASONS FOR THE DECISION Legal points of departure Article 1 of the GDPR states that the Regulation lays down rules on the protection of natural persons with regard to the processing of personal data and on the free flow of personal data. Article 5(1)(a) states that personal data must be processed lawfully, fairly and transparently in relation to the data subject. These principles must be respected in all processing of personal data and the controller is responsible for ensuring that the principles are respected. This follows from Article 5(2) of the GDPR. According to Article 15(1)(c) of the GDPR, the data subject shall have the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed and, if so, to have access to the personal data and the recipients or categories of recipients to whom the personal data have been or are to be disclosed, in particular recipients in third countries or international organisations. Under Article 58(2)(b), any supervisory authority may issue a reprimand to a controller for processing operations in breach of the provisions of the Regulation. Assessment by the Administrative Court The EDPB is tasked with ensuring that the General Data Protection Regulation is applied uniformly. This role is governed by the GDPR. For example, in cases where national supervisory authorities cannot agree on the application of the GDPR to the cross-border processing of personal data, the EDPB can take decisions that are binding on supervisory authorities (see Articles 65 and 70). Therefore, although the EDPB Guidelines are not legally binding, the Administrative Court agrees with IMY's assessment that the Guidelines are, in view of their purpose, indicative for the interpretation of the Articles of the GDPR. Klarna has argued that it has not been able to comply with these guidelines because they were not published at the time of the alleged infringement. However, it should be noted that IMY has stated in the decision that it does not claim that Klarna should have been obliged to comply with the guidelines. Nor did the Guidelines form the basis of the assessment in the contested decision. As stated in Article 1(2), one of the objectives of the GDPR is to protect the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. In view of this objective, the Articles of the Regulation should be read in the light of the individual's right to such protection. Article 15 of the Regulation gives an individual the right to be informed as to whether a controller is processing personal data relating to him or her and, if so, to be provided with information about the processing. In light of this and the purpose of the Regulation, the Administrative Court considers that it is up to the data subject to make the choice whether to exercise his or her right to know the recipients or categories of recipients to whom his or her personal data have been or are to be disclosed. It is then up to the controller to perform to the best of its ability. In the light of the above, Article 15(1)(c) should, in the view of the Administrative Court, be interpreted as meaning that the data processor has an obligation to meet the needs of the individual to the best of its ability. Therefore, if the individual explicitly requests access to information regarding the recipients to whom personal data have been or are to be disclosed, there is an obligation on the data processor to disclose the information, if available. The case file has not shown that Klarna lacked the ability to provide the requested information, or that doing so would entail a disproportionate effort. IMY was therefore justified in its decision. The Administrative Court agrees with IMY's assessment that Klarna should be reprimanded for the infringement. The appeal must therefore be dismissed.