Förvaltningsrätten - Mål nr 11453-22: Difference between revisions

From GDPRhub
mNo edit summary
(added a translation of the original decision; fixed translation issues in the summary (e.g. 'personal data processor' to 'controller'), fixed the reference to GDPR Articles to the Style Guide form (Article 15(1)(c) GDPR instead of article 15.1.c), added more details to the facts about the DPA decision and made reference to the summary of the decision, elaborated on the reasoning of the Court in the Holding. For future summaries, consult: https://gdprhub.eu/index.php?title=GDPRhub_style_guide)
Line 68: Line 68:
}}
}}


The Swedish administrative court held that article 15.1.c obligates the controller to disclose information regarding which recipients' personal data has been provided to if a data subject expressly asks for it.
The Swedish Administrative Court held that [[Article 15 GDPR|Article 15(1)(c) GDPR]] obliges the controller to disclose information regarding the recipients of personal data to the best of its abilities if a data subject expressly asks for it.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Swedish administrative court upheld a decision by the Swedish DPA reprimanding Klarna Bank for not giving explicit information, in accordance with article 15.1.c GDPR, to the data subject regarding the recipients of his personal data. The data subject had specifically asked Klarna to inform him regarding the recipients of his personal data.
A data subject submitted an access request to Klarna Bank AB (the controller). However, the controller did not provide all the requested personal data, including information regarding recipients to whom personal data of the data subject had been disclosed. After an unsuccessful follow-up request, the data subject filed a complaint with a German DPA. The complaint was transferred to the Swedish DPA in an [[Article 60 GDPR]] procedure.  


Klarna Bank have interpreted article 15.1.c to mean that they could chose whether to give categories of recipients or specific recipients in a similar to the information requirements in article 14 and 13 GDPR.
The Swedish DPA held in decision [[IMY (Sweden) - DI-2021-10263|DI-2021-10263]] that the controller should provide information about the actual recipients, not only categories of recipients, when the data subject expressly requestes it. The DPA reached this conclusion by interpreting [[Article 15 GDPR|Article 15(1)(c) GDPR]] together with [[Article 19 GDPR|Articles 19]] and [[Article 5 GDPR|Article 5(1)(a) GDPR]], the principles of fairness and transparency. The DPA reprimanded the controller for a violation of [[Article 15 GDPR]].
 
The controller appealed this decision before the Swedish Administrative Court. The controller argued, among others, that [[Article 15 GDPR|Article 15(1)(c) GDPR]] should be interpreted as allowing the controller to choose whether to give access to categories of recipients or specific recipients in a manner similar to the information requirements in [[Article 13 GDPR|Articles 13(1)(e)]] and [[Article 14 GDPR|14(1)(e) GDPR]].  


=== Holding ===
=== Holding ===
The swedish administrative court held, against the background of what has emerged above, Article 15.1 c, according to
The Swedish Administrative Court recalled that [[Article 15 GDPR]] gives an individual the right to be informed as to whether a controller is processing personal data relating to them and, if so, to be provided with information about the processing. The Court stated that it is up to the data subject to make the choice whether to exercise their right to know the recipients or categories of recipients to whom personal data were disclosed.
the meaning of the administrative court, is interpreted in such a way that the personal data processor has an obligation to satisfy the individual's needs to the best of his ability. If the individual expressly requests access to information relating to which recipient personal data has been provided or is to be provided there is therefore a obligation for the personal data processor to disclose the data, if these are available
 
The Court held that [[Article 15 GDPR|Article 15(1)(c) GDPR]] must be interpreted as obliging the controller to satisfy the data subject's request to the best of its abilities. If the data subject expressly requests access to information regarding the actual recipients of personal data, there is an obligation for the controller to disclose the data. In this case, the Court established that the case file did not show that the controller lacked the ability to provide the requested information, or that doing so would entail a disproportionate effort. Therefore, the Swedish DPA was justified in its decision to reprimand the controller for a violation of [[Article 15 GDPR]].
 
The Court dismissed the appeal. 


== Comment ==
== Comment ==
There has been a discussion in recent court cases about the interpretive role of the issued guidelines by EDPB. The Swedish DPA usually cites the guidelines which can be seen as giving the guidelines legal force.  
There has been a discussion in recent court cases about the interpretative role of guidelines issued by the EDPB. The Swedish DPA usually cites the guidelines which can be seen as giving the guidelines legal force.  


The court has stated in this case that "Despite the fact that the EDPB's guidelines are not legally binding
In this case, the Court stated that "although the EDPB Guidelines are not legally binding, the Administrative Court agrees with IMY's assessment that the Guidelines are, in view of their purpose, indicative for the interpretation of the Articles of the GDPR."
the administrative court (...) agrees with IMY's assessment that the guidelines with
consideration of their purpose is guiding when it comes to the interpretation of
the articles of the data protection regulation."


== Further Resources ==
== Further Resources ==
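Review bot: In the new Facts paragraph, "expressly requestes it" should read "expressly requests it", and the link label in "[[Article 19 GDPR|Articles 19]]" should be the singular "Article 19", since only one article is cited there. In the same hunk, "argued, among others, that" would read better as "argued, among other things, that".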
Line 96: Line 98:


<pre>
<pre>
The administrative court in Stockholm The administrative courts are the first instance among the general administrative courts. The administrative courts settle disputes between individuals and authorities, for example when someone appeals an authority decision. The Administrative Court in Stockholm is Sweden's largest administrative court and one of Sweden's four migration courts.
Page 2
Doc.Id 1564657
ADMINISTRATIVE
COURT IN STOCKHOLM
DOM 11453-22
YRKANDEN M.M.
On 11 May 2022, the Privacy Authority (IMY) decided to issue a reprimand to
Klarna under Article 58(2)(b) of Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free
movement of such data and repealing Directive 95/46/EC (GDPR) for breach
of Article 15. The reasons for the decision are set out in Annex 1.
Klarna claims that the decision should be annulled and submits, inter alia, the
following. It has provided information on the categories of recipients to whom
personal data have been disclosed as required by Article 15(1)(c) of the GDPR.
It follows from the wording of that Article that the data subject has the right to
obtain, in the event of a request for access, information on 'the recipients or
categories of recipients' to whom the personal data have been or are to be
disclosed. Controllers thus have a choice between providing information on
individual recipients or categories of recipients. This is also reflected in the so-
called Article 29 Working Party guidelines on transparency, which state, inter
alia, that 'if controllers choose to indicate categories of recipients, the
information should be as specific as possible'.
It further contests IMY's assertion that the obligation in Article 15(1)(c) should
be read in the light of, and given the same meaning as, Article 19 of the Data
Protection Regulation. There is no basis for such an interpretation as the
wording, and hence the obligations, are different. It is closer to read the
wording of Article 15(1)(c) in the light of Articles 13(1)(e) and 14(1)(e), and it
should be undisputed that these Articles imply that controllers have the right to
freely choose between the two options. The fact that Article 15(1)(c), like
Articles 13(1)(e) and 14(1)(e), has one wording regarding the obligation to
provide information, while Article 19 has another, suggests that the former
gives the controller the option of providing information on either
Page 3
Doc.Id 1564657
ADMINISTRATIVE
COURT IN STOCKHOLM
DOM 11453-22
recipients of personal data or the categories of recipients of personal data,
which is contrary to what IMY claims.
The European Data Protection Board (EDPB) guidelines referred to by IMY in
its decision do not support IMY's view that the controller lacks the right to
choose between providing information on recipients or categories of recipients
under Article 15(1)(c) of the GDPR. In the Guidance, the EDPB states that the
controller "should in general name the recipients, unless it is only possible to
indicate the category of recipients". It is therefore a recommendation.
Furthermore, the EDPB guidelines are not legally binding. Moreover, the
guideline on access referred to by IMY was not published at the time of its
alleged breach. There was therefore no opportunity to rely on the non-binding
recommendations set out in the guidelines. The alleged infringement of Article
15 therefore lacks any legal basis.
In the exercise of authority by means of a reprimand, the principle of legality
of no punishment without law applies. IMY's reprimand is a clear departure
from the generally accepted requirements of legality and foreseeability, since
the supervisory decision imposes requirements that are not laid down in the
Constitution. The exercise of public authority involving action against
individuals must be foreseeable. This means that even if the administrative
court were to find that it was obliged to provide information on individual
recipients to whom personal data have been disclosed under Article 15 of the
GDPR, no reprimand should have been issued. Furthermore, the principle of
proportionality must be taken into account. The measure must not go beyond
what is necessary and may only be taken if the intended result is proportionate
to the likely inconvenience to the person against whom the measure is directed.
Account must be taken here of the damage to reputation which reprimands
may cause and of the fact that a reprimand may be taken into account as an
aggravating factor in determining the penalties for any future infringements.
Page 4
Doc.Id 1564657
ADMINISTRATIVE
COURT IN STOCKHOLM
DOM 11453-22
IMY considers that the appeal should be dismissed and submits, inter alia, the
following. It is part of the EDPB's tasks to deal with questions on the
application of the data protection regulation and to issue guidelines,
recommendations and practices with a view to promoting the uniform
application of the data protection regulation. The guidelines should therefore
be given great weight in the interpretation of the provisions of the GDPR, even
if they are not legally binding. If a controller processes personal data without
taking into account the positions set out in the EDPB Guidelines, the controller
risks being found to be in breach of the provisions of the GDPR and, as a
consequence, being subject to corrective action by the supervisory authority. A
different approach would mean that the EDPB Guidelines would be largely
irrelevant.
As regards the choice of sanction, the starting point for infringements of the
Articles at issue in the case is the imposition of a fine. However, instead of a
fine, a reprimand may be imposed for a minor infringement. This was a minor
infringement. Therefore, in accordance with the principle of proportionality, it
has been possible to stop at issuing a reprimand.
THE REASONS FOR THE DECISION
Legal points of departure
Article 1 of the GDPR states that the Regulation lays down rules on the
protection of natural persons with regard to the processing of personal data and
on the free flow of personal data. Article 5(1)(a) states that personal data must
be processed lawfully, fairly and transparently in relation to the data subject.
These principles must be respected in all processing of personal data and the
controller is responsible for ensuring that the principles are respected. This
follows from Article 5(2) of the GDPR.
Page 5
Doc.Id 1564657
ADMINISTRATIVE
COURT IN STOCKHOLM
DOM 11453-22
According to Article 15(1)(c) of the GDPR, the data subject shall have the
right to obtain confirmation from the controller as to whether personal data
relating to him or her are being processed and, if so, to have access to the
personal data and the recipients or categories of recipients to whom the
personal data have been or are to be disclosed, in particular recipients in third
countries or international organisations.
Under Article 58(2)(b), any supervisory authority may issue a reprimand to a
controller for processing operations in breach of the provisions of the
Regulation.
Assessment by the Administrative Court
The EDPB is tasked with ensuring that the General Data Protection Regulation
is applied uniformly. This role is governed by the GDPR. For example, in
cases where national supervisory authorities cannot agree on the application of
the GDPR to the cross-border processing of personal data, the EDPB can take
decisions that are binding on supervisory authorities (see Articles 65 and 70).
Therefore, although the EDPB Guidelines are not legally binding, the
Administrative Court agrees with IMY's assessment that the Guidelines are, in
view of their purpose, indicative for the interpretation of the Articles of the
GDPR.
Klarna has argued that it has not been able to comply with these guidelines
because they were not published at the time of the alleged infringement.
However, it should be noted that IMY has stated in the decision that it does
not claim that Klarna should have been obliged to comply with the guidelines.
Nor did the Guidelines form the basis of the assessment in the contested
decision.
Page 6
Doc.Id 1564657
ADMINISTRATIVE
COURT IN STOCKHOLM
DOM 11453-22
As stated in Article 1(2), one of the objectives of the GDPR is to protect the
fundamental rights and freedoms of natural persons, and in particular their
right to the protection of personal data. In view of this objective, the Articles of
the Regulation should be read in the light of the individual's right to such
protection.
Article 15 of the Regulation gives an individual the right to be informed as to
whether a controller is processing personal data relating to him or her and, if
so, to be provided with information about the processing. In light of this and
the purpose of the Regulation, the Administrative Court considers that it is up
to the data subject to make the choice whether to exercise his or her right to
know the recipients or categories of recipients to whom his or her personal data
have been or are to be disclosed. It is then up to the controller to perform to the
best of its ability.
In the light of the above, Article 15(1)(c) should, in the view of the
Administrative Court, be interpreted as meaning that the data processor has an
obligation to meet the needs of the individual to the best of its ability.
Therefore, if the individual explicitly requests access to information regarding
the recipients to whom personal data have been or are to be disclosed, there is
an obligation on the data processor to disclose the information, if available.
The case file has not shown that Klarna lacked the ability to provide the
requested information, or that doing so would entail a disproportionate effort.
IMY was therefore justified in its decision. The Administrative Court agrees
with IMY's assessment that Klarna should be reprimanded for the
infringement.
The appeal must therefore be dismissed.
</pre>
</pre>
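Review bot: The added translation carries the source PDF's running header ("Page 3", "Doc.Id 1564657", "ADMINISTRATIVE", "COURT IN STOCKHOLM", "DOM 11453-22") at every page break, and the first repeat splits the sentence ending "information on either" from its continuation "recipients of personal data"; strip the repeated headers so that no sentence is cut. The heading "YRKANDEN M.M." is left untranslated, and the closing paragraphs say "data processor" where the summary revised in this same edit says "controller", so the terminology should be checked against the Swedish original and aligned.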

Revision as of 14:25, 9 January 2023

FiS - Mål nr 11453-22
Court: FiS (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(a) GDPR
Article 15(1)(c) GDPR
Article 19 GDPR
Decided: 22.12.2022
Published: 22.01.2023
Parties: Klarna Bank AB
Integritetsskyddsmyndigheten (IMY)
National Case Number/Name: Mål nr 11453-22
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): Swedish
Original Source: Förvaltningsrätten i Stockholm (in Swedish)
Initial Contributor: Pantalaimon1337

The Swedish Administrative Court held that Article 15(1)(c) GDPR obliges the controller to disclose information regarding the recipients of personal data to the best of its abilities if a data subject expressly asks for it.

English Summary

Facts

A data subject submitted an access request to Klarna Bank AB (the controller). However, the controller did not provide all the requested personal data, including information regarding recipients to whom personal data of the data subject had been disclosed. After an unsuccessful follow-up request, the data subject filed a complaint with a German DPA. The complaint was transferred to the Swedish DPA in an Article 60 GDPR procedure.

The Swedish DPA held in decision DI-2021-10263 that the controller should provide information about the actual recipients, not only categories of recipients, when the data subject expressly requests it. The DPA reached this conclusion by interpreting Article 15(1)(c) GDPR together with Article 19 and Article 5(1)(a) GDPR, the principles of fairness and transparency. The DPA reprimanded the controller for a violation of Article 15 GDPR.

The controller appealed this decision before the Swedish Administrative Court. The controller argued, among other things, that Article 15(1)(c) GDPR should be interpreted as allowing the controller to choose whether to give access to categories of recipients or specific recipients in a manner similar to the information requirements in Articles 13(1)(e) and 14(1)(e) GDPR.

Holding

The Swedish Administrative Court recalled that Article 15 GDPR gives an individual the right to be informed as to whether a controller is processing personal data relating to them and, if so, to be provided with information about the processing. The Court stated that it is up to the data subject to make the choice whether to exercise their right to know the recipients or categories of recipients to whom personal data were disclosed.

The Court held that Article 15(1)(c) GDPR must be interpreted as obliging the controller to satisfy the data subject's request to the best of its abilities. If the data subject expressly requests access to information regarding the actual recipients of personal data, there is an obligation for the controller to disclose the data. In this case, the Court established that the case file did not show that the controller lacked the ability to provide the requested information, or that doing so would entail a disproportionate effort. Therefore, the Swedish DPA was justified in its decision to reprimand the controller for a violation of Article 15 GDPR.

The Court dismissed the appeal.

Comment

There has been a discussion in recent court cases about the interpretative role of guidelines issued by the EDPB. The Swedish DPA usually cites the guidelines, which can be seen as giving them legal force.

In this case, the Court stated that "although the EDPB Guidelines are not legally binding, the Administrative Court agrees with IMY's assessment that the Guidelines are, in view of their purpose, indicative for the interpretation of the Articles of the GDPR."

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Page 2
Doc.Id 1564657
ADMINISTRATIVE
COURT IN STOCKHOLM
DOM 11453-22
CLAIMS, ETC.
On 11 May 2022, the Privacy Authority (IMY) decided to issue a reprimand to
Klarna under Article 58(2)(b) of Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free
movement of such data and repealing Directive 95/46/EC (GDPR) for breach
of Article 15. The reasons for the decision are set out in Annex 1.
Klarna claims that the decision should be annulled and submits, inter alia, the
following. It has provided information on the categories of recipients to whom
personal data have been disclosed as required by Article 15(1)(c) of the GDPR.
It follows from the wording of that Article that the data subject has the right to
obtain, in the event of a request for access, information on 'the recipients or
categories of recipients' to whom the personal data have been or are to be
disclosed. Controllers thus have a choice between providing information on
individual recipients or categories of recipients. This is also reflected in the so-
called Article 29 Working Party guidelines on transparency, which state, inter
alia, that 'if controllers choose to indicate categories of recipients, the
information should be as specific as possible'.
It further contests IMY's assertion that the obligation in Article 15(1)(c) should
be read in the light of, and given the same meaning as, Article 19 of the Data
Protection Regulation. There is no basis for such an interpretation as the
wording, and hence the obligations, are different. It is closer to read the
wording of Article 15(1)(c) in the light of Articles 13(1)(e) and 14(1)(e), and it
should be undisputed that these Articles imply that controllers have the right to
freely choose between the two options. The fact that Article 15(1)(c), like
Articles 13(1)(e) and 14(1)(e), has one wording regarding the obligation to
provide information, while Article 19 has another, suggests that the former
gives the controller the option of providing information on either
recipients of personal data or the categories of recipients of personal data,
which is contrary to what IMY claims.
The European Data Protection Board (EDPB) guidelines referred to by IMY in
its decision do not support IMY's view that the controller lacks the right to
choose between providing information on recipients or categories of recipients
under Article 15(1)(c) of the GDPR. In the Guidance, the EDPB states that the
controller "should in general name the recipients, unless it is only possible to
indicate the category of recipients". It is therefore a recommendation.
Furthermore, the EDPB guidelines are not legally binding. Moreover, the
guideline on access referred to by IMY was not published at the time of its
alleged breach. There was therefore no opportunity to rely on the non-binding
recommendations set out in the guidelines. The alleged infringement of Article
15 therefore lacks any legal basis.
In the exercise of authority by means of a reprimand, the principle of legality
of no punishment without law applies. IMY's reprimand is a clear departure
from the generally accepted requirements of legality and foreseeability, since
the supervisory decision imposes requirements that are not laid down in the
Constitution. The exercise of public authority involving action against
individuals must be foreseeable. This means that even if the administrative
court were to find that it was obliged to provide information on individual
recipients to whom personal data have been disclosed under Article 15 of the
GDPR, no reprimand should have been issued. Furthermore, the principle of
proportionality must be taken into account. The measure must not go beyond
what is necessary and may only be taken if the intended result is proportionate
to the likely inconvenience to the person against whom the measure is directed.
Account must be taken here of the damage to reputation which reprimands
may cause and of the fact that a reprimand may be taken into account as an
aggravating factor in determining the penalties for any future infringements.
IMY considers that the appeal should be dismissed and submits, inter alia, the
following. It is part of the EDPB's tasks to deal with questions on the
application of the data protection regulation and to issue guidelines,
recommendations and practices with a view to promoting the uniform
application of the data protection regulation. The guidelines should therefore
be given great weight in the interpretation of the provisions of the GDPR, even
if they are not legally binding. If a controller processes personal data without
taking into account the positions set out in the EDPB Guidelines, the controller
risks being found to be in breach of the provisions of the GDPR and, as a
consequence, being subject to corrective action by the supervisory authority. A
different approach would mean that the EDPB Guidelines would be largely
irrelevant.
As regards the choice of sanction, the starting point for infringements of the
Articles at issue in the case is the imposition of a fine. However, instead of a
fine, a reprimand may be imposed for a minor infringement. This was a minor
infringement. Therefore, in accordance with the principle of proportionality, it
has been possible to stop at issuing a reprimand.
THE REASONS FOR THE DECISION
Legal points of departure
Article 1 of the GDPR states that the Regulation lays down rules on the
protection of natural persons with regard to the processing of personal data and
on the free flow of personal data. Article 5(1)(a) states that personal data must
be processed lawfully, fairly and transparently in relation to the data subject.
These principles must be respected in all processing of personal data and the
controller is responsible for ensuring that the principles are respected. This
follows from Article 5(2) of the GDPR.
According to Article 15(1)(c) of the GDPR, the data subject shall have the
right to obtain confirmation from the controller as to whether personal data
relating to him or her are being processed and, if so, to have access to the
personal data and the recipients or categories of recipients to whom the
personal data have been or are to be disclosed, in particular recipients in third
countries or international organisations.
Under Article 58(2)(b), any supervisory authority may issue a reprimand to a
controller for processing operations in breach of the provisions of the
Regulation.
Assessment by the Administrative Court
The EDPB is tasked with ensuring that the General Data Protection Regulation
is applied uniformly. This role is governed by the GDPR. For example, in
cases where national supervisory authorities cannot agree on the application of
the GDPR to the cross-border processing of personal data, the EDPB can take
decisions that are binding on supervisory authorities (see Articles 65 and 70).
Therefore, although the EDPB Guidelines are not legally binding, the
Administrative Court agrees with IMY's assessment that the Guidelines are, in
view of their purpose, indicative for the interpretation of the Articles of the
GDPR.
Klarna has argued that it has not been able to comply with these guidelines
because they were not published at the time of the alleged infringement.
However, it should be noted that IMY has stated in the decision that it does
not claim that Klarna should have been obliged to comply with the guidelines.
Nor did the Guidelines form the basis of the assessment in the contested
decision.
As stated in Article 1(2), one of the objectives of the GDPR is to protect the
fundamental rights and freedoms of natural persons, and in particular their
right to the protection of personal data. In view of this objective, the Articles of
the Regulation should be read in the light of the individual's right to such
protection.
Article 15 of the Regulation gives an individual the right to be informed as to
whether a controller is processing personal data relating to him or her and, if
so, to be provided with information about the processing. In light of this and
the purpose of the Regulation, the Administrative Court considers that it is up
to the data subject to make the choice whether to exercise his or her right to
know the recipients or categories of recipients to whom his or her personal data
have been or are to be disclosed. It is then up to the controller to perform to the
best of its ability.
In the light of the above, Article 15(1)(c) should, in the view of the
Administrative Court, be interpreted as meaning that the data processor has an
obligation to meet the needs of the individual to the best of its ability.
Therefore, if the individual explicitly requests access to information regarding
the recipients to whom personal data have been or are to be disclosed, there is
an obligation on the data processor to disclose the information, if available.
The case file has not shown that Klarna lacked the ability to provide the
requested information, or that doing so would entail a disproportionate effort.
IMY was therefore justified in its decision. The Administrative Court agrees
with IMY's assessment that Klarna should be reprimanded for the
infringement.
The appeal must therefore be dismissed.