IMY (Sweden) - IMY-2023-4559

From GDPRhub
Revision as of 08:38, 10 April 2024 by Mg (talk | contribs) (→‎Facts)
IMY - IMY-2023-4559
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 06.12.2023
Published: 03.04.2024
Fine: n/a
Parties: Nordea Bank
National Case Number/Name: IMY-2023-4559
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: Integritetsskydds myndigheten (in SV)
Initial Contributor: ec

The DPA held that a requested copy of personal data of the data subject does not include the personal data of the controller’s employee.

English Summary

Facts

The data subject requested access from the controller, the Swedish branch of the Nordea Bank. The data subject requested a recording of a conversation between one of the controller’s employees and the data subject himself. The data subject only received a copy of the conversation without the voice of the controller’s employee.

The data subject filed a complaint at the Swedish DPA (Integritetsskydds myndigheten, IMY) for a violation of the right of access under Article 15 GDPR as the data subject did not receive a copy of the conversation that included the voice of the controller’s employee.

The controller argued that it had complied with the request by allowing the data subject to listen to the recording on site at the controller’s branch. The data subject had also been offered a transcript of the phone conversation and a copy of the audio file with the recording in which the controller’s employee’s voice had been edited out.

Holding

According to the DPA, the right of access under Article 15 GDPR implies that the controller is obliged to provide a data subject with the requested copy of the processed personal data. However, the DPA notes that this right to a copy must not adversely affect the rights and freedoms of others. The DPA explains that the purpose of the right of access is to ensure that the data subject is aware that the processing is taking place and can verify its lawfulness. The right to obtain a copy of personal data includes a right for the data subject to obtain an accurate and intelligible reproduction of all personal data that the controller processes about them.

The DPA held that the data subject’s voice in the telephone conversation is personal data of the data subject and thus the data subject is entitled to receive a copy of this telephone conversation. However, the DPA also held that the voice of the controller's employee does not constitute personal data concerning the data subject. Therefore, a transcript of the telephone conversation is sufficient according to the DPA.

The DPA concluded that the controller satisfied the data subject’s request for access and therefore rejected the complaint.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(3)






                                                                     Nordea Bank Abp, branch in Sweden
                                                                     Sent via e-mail








Diary number:
IMY-2023-4559 Decision after supervision according to

Date: data protection regulation – Nordea
2023-06-12
                               Bank Abp, branch in Sweden





                               The Privacy Protection Authority's decision


                               The Swedish Data Protection Authority states that Nordea Bank Plc, branch in Sweden has
                               granted the appellant's request for access. Against this background finds
                               The Privacy Protection Authority has no reason to take any further action in the case.


                               The case is closed.


                               Account of the supervisory matter

                               The Swedish Privacy Protection Agency (IMY) has started supervision regarding Nordea Bank Abp,

                               branch in Sweden (hereinafter Nordea or the bank) for the purpose of investigating a complaint about the right to
                               access according to Article 15 of the Data Protection Regulation.

                               The appellant has essentially stated the following. The complainant has requested access from Nordea

                               regarding a recording of a conversation between the complainant and one of Nordeas
                               coworker. The complainant has not received a copy of the conversation between Nordea's employees
                               vote appears, which the appellant has requested.


                               Nordea has essentially stated the following. The appellant has requested to be informed of
                               the recording of the current call. Nordea has complied with the request by the appellant
                               have been able to listen to the recording on site at Nordea. The appellant has further been offered

                               transcription of the conversation as well as a copy of the audio file with recording there Nordeas
                               employee's voice is edited out, as it has been judged to have a negative impact on
                               the employee's rights to disclose his vote.


                               Justification of the decision


Postal address: Applicable regulations, etc.
Box 8114
104 20 Stockholm The right to access is regulated in Article 15 of the data protection regulation. Of the right of access

Website: follows i.a. that the person in charge of personal data is obliged to a registered person, i.e. one
www.imy.se identified or identifiable natural person, who requests it to provide confirmation of
E-mail:
imy@imy.se
                               1 Regulation (EU) 2016/79 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of
08-657 61 00 directive 95/46/EC. The Swedish Privacy Agency Diary number: IMY-2023-4559 2(3)
                                 Date: 2023-06-12






                                 personal data relating to the registered person is processed or not. Treated as such

                                 data, the personal data controller must e.g. provide the data subject with a copy
                                 on the personal data that is being processed. This right to a copy shall not, however
                                                                                      4
                                 adversely affect the rights and freedoms of others.


                                 The purpose of the right of access is for the data subject to become aware that
                                 the processing takes place and be able to check that it is legal. The right to receive a copy of

                                 personal data includes a right for the data subject to receive an accurate and comprehensible
                                 reproduction of all personal data processed by the personal data controller
                                                          5
                                 about him or her.


                                 IMY's assessment

                                 The complainant's voice, appearing in a telephone conversation, constitutes personal data about him

                                 the appellant, which the appellant is thus entitled to receive a copy of in an audio file. Nordeas
                                 however, the employee's voice does not constitute personal data about the complainant. As for that part

                                 of the current telephone conversation which consists of statements from Nordea's employees is
                                 therefore sufficient that the data, to the extent that they constitute personal information about

                                 the appellant, provided by a transcript of the conversation.


                                 In the case, it has emerged that Nordea has provided access by offering the audio file
                                 containing the complainant's voice and transcription of the conversation. IMY states

                                 thus that Nordea has satisfied the complainant's request for access. Against this one
                                 background, the Swedish Privacy Authority finds no reason to take any further action

                                 action in the matter.

                                 The case must therefore be closed.


                                 ------------------------------


                                 This decision has been made by the acting head of unit Nidia Nordenström after

                                 presentation by lawyer Fredrik Löfgren.


                                 Nidia Nordenström, 2023-06-12 (This is an electronic signature)



                                 Copy to

                                 The appellant


















                                 2
                                 3Article 15.1 of the data protection regulation.
                                 4Article 15.3 of the data protection regulation.
                                  Article 15.4 of the data protection regulation.
                                 5 The judgment of the EU Court of Justice of 4 May 2023 in case C-487/21. Data Protection Agency Diary number: IMY-2023-4559 3(3)
                                Date: 2023-06-12






                                How to appeal


                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
                                the letter which decision you are appealing and the change you are requesting. The appeal shall

                                have been received by the Privacy Protection Authority no later than three weeks from the day you received it
                                part of the decision. If the appeal has been received in time, send
                                The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.