BlnBDI (Berlin) - 521.14730 / 631.410
| BlnBDI - 521.14730 / 631.410 | |
|---|---|
 | |
| Authority: | BlnBDI (Berlin) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 12(3) GDPR Article 12(6) GDPR Article 15 GDPR Article 60(8) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | Klarna Bank AB |
| National Case Number/Name: | 521.14730 / 631.410 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
Following an Article 60 GDPR cooperation procedure with the Swedish DPA as lead supervisory authority, the Berlin DPA rejected a complaint concerning an alleged violation of Article 15 GDPR. First, the controller had reasonable grounds to doubt the identity of the data subject. Second, the response respected the monthly time limit pursuant to Article 12(3) GDPR since the term pauses while the data subject responds to an authentication request.
English Summary
Facts
The complaint was raised before the Berlin DPA in July 2021. It was transferred to the supervisory authority Sweden, which is the Lead Supervisory Authority (LSA) in accordance with Article 56 GDPR. The LSA Sweden conducted the investigation and the cooperation procedure in accordance with Article 60 GDPR and proposed a Draft Decision which dismissed / rejected the complaint. In accordance with Article 60(8) GDPR, the Berlin DPA, as the supervisory authority with which the complaint was lodged, adopted the Swedish decision.
According to the Swedish decision, Klarna, the controller, received an access request by the complainant on 6 June 2021. Klarna's customer service requested the complainant to complete their request with information regarding the complainant’s identity and requested the complainant’s telephone number in order to send a data access verification code. The complainant then provided the information regarding identity without giving a telephone number. On 17 June 2021, the complainant requested that the request be dealt with by 19 June 2021. On 24 June 2021, Klarna’s customer service again asked the complainant to provide a telephone number. The complainant submitted the information on the same day. The register extract with password was sent to the complainant on 12 July 2021.
The complainant is of the opinion that Klarna did not follow their duties according to Article 15 GDPR by replying to the request in time. Klarna was late in responding to the access request. Klarna considers that the extract of the register has been submitted within the time frame set out in Article 12(3) GDPR after the complainant has provided the necessary information regarding their identity.
Holding
The Swedish DPA pointed out that Article 12(3) GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to Article 15 GDPR. Further, the one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. If the time limit of one month is extended, the controller shall inform the data subject of the extension.
However, the DPA also noted that, as is clear form Article 12(6) GDPR, where the controller has reasonable grounds to doubt the identity of the natural person making a request pursuant to Articles 15 to 21 GDPR, the controller may request the provision of additional information necessary to confirm the identity of the data subject. In light of the facts, the DPA considered that Klarna had reasonable grounds to doubt the identity of the appellant and had adequately requested proportionate information without undue delay. Since the complainant did not submit that information until 24 June 2021, the time limit did not start to run again until then. Furthermore, the PDA considered that Klarna has handled the request without undue delay through the total 23 days.
The DPA held against this background that the investigation in the case does not show that the controller has processed the complainant’s personal data in breach of Articles 12(3), 12(6) and 15 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
521.14730 / 631.410
CR: 134712
Draft Decision IMI A60DD 372925
Berlin, 26 April 2022
Final Decision
Preliminary remarks
The complaint (ref. no. 521.14730 / 631.410 ) was raised before the Berlin DPA in July 2021. It
was transferred to the supervisory authority Sweden, which is the Lead Supervisory Authority
(LSA) for the cross-border processing carried out by Klarna Bank AB, in accordance with Article
56 GDPR. The LSA Sweden conducted the investigation and the cooperation procedure with all
concerned supervisory authorities in accordance with Article 60 GDPR. The LSA Sweden pro-
posed the Draft Decision 372925 and thereby the complaint was dismissed /rejected. In ac-
cordance with Article 60 (8) GDPR, the Berlin DPA as the supervisory authority with which the
complaint was lodged, hereby adopts the decision as it was agreed upon in the cooperation
procedure and is included below:
“ Decision of the Swedish Authority for Privacy Protection (IMY)
The Authority for Privacy Protection (IMY) finds that Klarna not has processed personal
data in breach of Articles 12.3, 12.6 and 15 of the General Data Protection Regulation
(GDPR) 1 .
The case is hereby closed.
Berlin Commissionerfor Data ProtectioPhone: (030) 13889-0 Mail:mailbox@datenschutz-berlin.de
and Freedom of Information (BlnBDI) Fax: (030) 215 50 50 Web: www.datenschutz-berlin.de
Friedrichstr. 219, 10969 Berlin
Officehours: Daily from 10 am to 3 pm,
Visitors‘ entrance: Puttkamerstr. 16–Thursdays from 10 am to 6 pmReport on the supervisory report
The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna Bank
AB (Klarna or the company) due to a complaint. The complaint has been submitted to
IMY, as responsible supervisory authority for the company’s operations pursuant to Article
56 of the General Data Protection Regulation (GDPR). The handover has been made
from the supervisory authority of the country where the complainant has lodged their
complaint (Germany, Berlin) in accordance with the Regulation’s provisions on coopera-
tion in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light of
a complaint relating to cross-border processing, IMY has used the mechanisms for coop-
eration and consistency contained in Chapter VII GDPR. The supervisory authorities con-
cerned have been the data protection authorities in the Czech Republic, Denmark, Ger-
many, Finland, Norway and Poland.
The complaint
The complaint states the following. On 6 June 2021, the complainant requested access to
his personal data pursuant to Article 15 of the GDPR. When Klarna did not reply, a re-
minder of the request for access was sent on 11 June 2021 and 17 June 2021.
What Klarna has stated
Klarna is the data controller for the processing to which the complaint relates. The request
was received by Klarna on 6 June 2021. Klarna has dealt with the request received and
has taken the following steps. On 11 June 2021, Klarna’s customer service requested the
complainant to complete their request with information regarding the complainant’s iden-
tity and requested the complainant’s telephone number in order to send a verification
code(to access the personal data). The complainant then provided the information re-
garding identity without giving a telephone number. On 17 June 2021, the complainant
requested that the request be dealt with by 19 June 2021.
On 24 June 2021, Klarna’s customer service again asked the complainant to provide a
telephone number. The complainant submitted the information on the same day. The reg-
ister extract with password was sent to the complainant on 12 July 2021. Klarna considers
2that the extract of the register has been submitted within the timeframe set out in Article
12(3) of the GDPR after the complainant has provided the necessary information regard-
ing their identity.
Justification of the decision
Applicable provisions, etc.
Article 12(3) of the GDPR requires the controller to provide the data subject, upon re-
quest, without undue delay and in any event no later than one month after receiving the
request, with information on the actions taken pursuant to, inter alia, Article 15. The one-
month time limit may be extended by a further two months where the request is particu-
larly complex or the number of requests received is high. If the time limit of one month is
extended, the controller shall inform the data subject of the extension. Notification of the
extension of the deadline shall take place within one month of receipt of the request. The
controller shall also indicate the reasons for the delay.
Without prejudice to Article 11, where the controller has reasonable grounds to doubt the
identity of the natural person making a request pursuant to Articles 15 to 21, the control-
ler may request the provision of additional information necessary to confirm the identity of
the data subject. This is clear from Article 12(6).
Under Article 15, the data subject has the right to obtain from the controller a copy of the
personal data processed by the controller. The data subject shall also receive other infor-
mation, such as the purpose for which the personal data are processed and to which re-
cipients or categories of recipients the data are disclosed.
The European Data Protection Board (EDPB) Guidelines 01/2022 on access indicate that
the calculation of the one month deadline in Article 12(3) is calculated from the date of
receipt of the request. However, where, following the request, a controller needs to take
measures to ensure the identity of the data subject, the time limit may be suspended until
the controller has received the information necessary to identify the data subject. This
provided that the request for additional information has been made without undue delay.
Assessment of the Authority for Privacy Protection (IMY)
3 The investigation shows that the complainant’s request for access was made on 6 June
2021 and that Klarna met the request on 12 July 2021, i.e. approximately one month
later. It is also apparent that Klarna had doubts as to whether it was indeed the appellant
who made the request and therefore, on 11 June 2021, asked the appellant to supple-
ment the request with information for the purpose of verifying its identity and reminded it
on 24 June 2021.
IMY considers that Klarna had reasonable grounds to doubt the identity of the appellant
and has adequately requested proportionate information without undue delay. Since the
complainant did not submit that information until 24 June 2021, the time limit did not start
to run again until then. Furthermore, IMY considers that Klarna has handled the request
without undue delay through the total 23 days.
IMY concludes against this background that the investigation in the case does not show
Klarna has processed the complainant’s personal data in breach of Articles 12(3), 12(6)
and 15 of the GDPR.
The case is hereby closed.”
Appeal Notice
Against this decision a lawsuit before the Verwaltungsgericht Berlin (administrative court of
Berlin), Kirchstraße 7, 10557 Berlin is admissible. The lawsuit needs to be filed in written
form within one month after the announcement of this decision, it can also be filed as an
electronic document with a qualified electronic signature (QES) for the record of the clerk of
the court. Please, note that in case of filing the lawsuit in writing the legal deadline is only
met if the lawsuit reaches the administrative court within the deadline.
The Berlin Commissioner for Data Protection
and Freedom of Information
4
