IMY (Sweden) - DI-2021-10448,
IMY - DI-2021-10448, | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 15 GDPR; Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 14.06.2022 |
Published: | |
Fine: | n/a |
Parties: | Klarna Bank |
National Case Number/Name: | DI-2021-10448, |
European Case Law Identifier: | EDPBI:SE:OSS:D:2022:381 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In this Article 60 GDPR procedure, a data subject filed two rectification requests and an access request with Klarna Bank AB, a Swedish payment provider. Klarna had used incorrect first names in invoices for online purchases made by the data subject and their partner. The Swedish DPA found only a violation of Article 15 GDPR, because the controller answered the access request 1 year and 3 months after it was originally submitted.
English Summary
Facts
The data subject and partner had each used a Swedish payment provider (controller) multiple times over the span of a few years for online shopping. However, the controller had made the mistake of addressing the wrong person in the invoice more than once. The controller would use the first name of the data subject, while the partner had made the purchase.
According to the data subject, in December 2018, the first rectification request was filed to request the controller to correct the names in the e-mails, because the partner had received invoices with the name of the data subject. The controller's services were then not used for some time by the data subject and partner. When the data subject's partner started using the controller's service again, he received another e-mail, which was addressed to the data subject (first name only). After this, the data subject filed the second rectification request to request the controller to change the first names in the e-mails.
On 15 October, the data subject also submitted an access request, to which the controller never responded.
The data subject filed a complaint at a German DPA (not clear which German DPA and not clear when the complaint was filed), which transferred the complaint to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPAs of Denmark, Finland, Germany, France, Norway and the Netherlands. The Swedish DPA started an investigation into the controller.
During the investigation of the DPA, the controller informed the DPA that it had an automatic system in place which would generate the first name in the initial greetings of an email, which was apparently based on previous information provided by its clients.
In this context, the controller also informed the DPA that the data subject and partner had both used the same email address ('e-mail address Y'), which contained the partner's name, to use the controller's services. They also lived at the same postal address. According to the controller, 5 purchases in 2018 were made using first name, surname, address and postal address of the data subject, while the data subject claimed that it was the partner who made these purchases. These purchases were made using a certain email address ('e-mail address Y'). Because the personal data of the data subject was provided in combination with this e-mail address, the first e-mail sent to this email address included the first name of the data subject, after which the data subject sent the first rectification request. A similar "mistake" happened again on 22 September 2022, after which the data subject sent the second rectification request.
The controller stated that no other personal data than the first name of the data subject were sent out. It also stated that it had complied with both rectification requests of the data subject, without specifying when it had done so. It also determined that the other personal data of the data subject and partner were not subject to the rectification request of the data subject. However, the controller updated the 'name' category for certain purchases made in the past on its own.
The controller also informed the DPA during its investigation that it had not "recognised" the access request of the data subject as such. The controller complied with the access request on 21 January 2022, almost 1 year and 3 months after the request was submitted.
Holding
First, the DPA determined that the controller did not violate Article 5(1)(d) GDPR by regularly confusing the personal data of both the data subject and their partner by addressing the wrong person in the e-mails. The DPA did not have reason to doubt the controller's statement that both the data subject and their partner had used 'e-mail address Y' to place online orders using the controller's service. The DPA also did not question the notion that no other personal data than the first name of the data subject had been disclosed to the wrongly addressed partner. It also stated that the first name of the data subject was quite common. Therefore, this name did not constitute an identifier specific to the data subject.
Second, the DPA held that the controller did not violate Article 16 GDPR for the way it handled the two erasure requests of the data subject. The DPA stated that the data subject had not claimed that their requests for rectification were not met to any extent. It also could not determine any reason to question the information provided by the controller, which had stated that it complied with the requests of the data subject, although without providing a specific date when the controller did this. Despite this, the DPA held that the controller did not violate Article 16 GDPR.
Third, the DPA held that the controller had violated Article 15 GDPR because it only provided a reply to the data subject 1 year and 3 months after the request was submitted. The DPA noted that the time elapsed was 'relatively long', so the controller had not handled the access request without undue delay pursuant to Article 12(3) GDPR. Therefore, the controller violated Article 15 GDPR.
The DPA considered this a minor infringement and reprimanded the controller pursuant to Article 58(2)(b) GDPR.
Comment
The data subject stated in the original complaint that she requested the controller to adjust the names in the controller's e-mails in December 2018. However, the controller stated that it received the data subject's first request for rectification on 5 November 2018. Although there is only a difference of around a month between these dates and this difference is inconsequential for the assessment of the violation of Article 16 GDPR, the difference is still there, without any clarification from the parties or the DPA as to when the first request was submitted.
Also, it is not clear from the decision on what date the original complaint was submitted. It is also not clear from the decision which German DPA transferred the complaint to the Swedish DPA, although looking at the German case number (83.41/20.039), it is most likely that this was the Berlin DPA, although this is not 100% certain.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.