FiS - 7679-22
| FiS - 7679-22 | |
|---|---|
 | |
| Court: | FiS (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 13(1)(c) GDPR Article 17 GDPR Article 18 GDPR Article 20 GDPR Article 21 GDPR Article 22(1) GDPR |
| Decided: | 14.04.2023 |
| Published: | |
| Parties: | Klarna Bank AB |
| National Case Number/Name: | 7679-22 |
| European Case Law Identifier: | |
| Appeal from: | IMY (Sweden) DI-2019-4062 |
| Appeal to: | Appealed - Overturned KamR Stockholm (Sweden) 2829-23 |
| Original Language(s): | Swedish Swedish |
| Original Source: | Sveriges Domstolar (in Swedish) (in Swedish) |
| Initial Contributor: | Izel |
A court reduced a fine issued against Klarna from €730,000 to €600,000, finding that the Swedish DPA erroneously relied on nonbinding guidelines in finding certain violations of disclosure obligations.
English Summary
Facts
On 28 March 2022, the Swedish DPA (IMY) fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information related to their processing activities. IMY found that the controller violated the GDPR in the following respects:
- It did not provide information about the purpose and the legal basis for data processing relating to the service "My economy",
- It provided incomplete and misleading information about the recipients of different categories of personal data when they were shared with Swedish and foreign credit reference agencies.
- It did not provide information about which countries outside the EU/EEA personal data was transferred to, and where and how data subjects can access or obtain documents regarding safeguards that applied to the applicable transfer.
- It provided incomplete information about retention periods and the criteria to determine these periods.
- It provided inadequate information about the data subjects' rights which did not comply with the principle of transparency, in particular the rights to request from the controller the erasure of personal data under Article 17 GDPR, to restrict processing of personal data Article 18 GDPR, to data portability under Article 20 GDPR and to object to the processing under Article 21 GDPR
- Its privacy policy lacked meaningful information about the logic, significance and foreseen consequences of automated decision-making, including profiling, under Article 22(1) GDPR.
The controller appealed the decision to the administrative court, challenging the basis of IMY's decision. It claimed, in particular, that IMY relied heavily on non-binding guidelines. The controller argued that both Swedish and European administrative law fundamentally require that an intervention (especially fines) against an individual may only take place if there is clear support in binding statute. Despite this, the controller claimed that it has been fined too heavily for violating non-binding guidelines. The controller also argued that the fined should be reduced as a result of IMY's failure to adequately process the case, which weakened the controller's ability to defend itself. It claimed that it took IMY approximately three years to process the case, with two years of inactivity.
Holding
The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The Court began by noting that Article 29 WP's Guidelines on transparency, which were formally endorsed by EDPB, have the purpose to promote an efficient and uniform application of GDPR. It stated that the guidelines are not binding, but may have some significance for guidance. Still, it held that there is no possibility to impose sanctions based on guidelines without any support in GDPR.
The Court considered each of the violations identified by IMY. It disagreed with the IMY's findings of GDPR breaches in two instances, holding that the controller did not breach Articles 12(1) and 13(1)(e) GDPR. On the other hand, it upheld IMY's findings that the controller was deficient in providing information to data subjects and violated the principle of transparency Article 5(1)(a) GDPR.
In assessing the fine, the Court considered that these violations, in conjunction with the extent of data processing, led to GDPR breaches that cannot be considered to cause limited harm. At the same time, it considered that the controller's violations were not intentional and acknowledged that the controller had continuously improved its information. It rejected the controller's arguments that IMY's investigation was unreasonably long.
Detailed Summary of the Court's Assessment of IMY's Findings
Information about processing related to "My economy" service: The Court concluded that the controller did not provide the legal basis for all purposes of processing activities and the information provided was therefore insufficient, upholding IMY's finding that the controller violated Article 13(1)(c) GDPR. The controller informed the data subjects at the time of registration that it collects and uses data based on consent and for the purpose of provision of the service. Some additional purposes of collection were listed only in the privacy notice, but the privacy notice failed to indicate their legal basis.
Information about the recipients of personal data: Contrary to IMY's finding, the Court held that the controller did not breach Article 13(1)(e) GDPR. While it acknowledged the Article 29 WP's guidelines on transparency, which state that controllers must provide data subjects with information about recipients based on the fairness principle, including the recipients' locations, the Court determined that the GDPR requires only the naming of recipients or categories of recipients, not whether the recipient is a Swedish or a foreign credit agency.
Information about transfers to third countries: The Court affirmed IMY's determination that the controller violated Article 13(1)(f) GDPR by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines.
Information about retention of personal data: The Court ruled that the controller's practice of stating that personal data will be stored as long as necessary for each respective purpose, while providing examples of retention periods for some processing activities, failed to meet Article 13(2)(a) GDPR transparency requirements. It noted the Article 29 WP's transparency guidelines, which call for information to be specified in a way to enable data subjects to assess, based on their own situations, the retention periods for specific data or purpose.
Information about data subjects' rights: The Court found that the controller failed to provide sufficient information about data subjects' rights and thereby violated Article 13(2)(b) GDPR, affirming IMY's finding. Specifically, the controller did not adequately describe the rights to request erasure, restriction, and data portability, nor did they provide information about the right to object to certain processing.
Information about profiling and automated decision-making: The Court found that the controller's privacy notice did not include details about the use of its own internal scoring model based on internal and external financial information, or about the specific types of data included in the financial information such as debts to other lenders. It also lacked information about which circumstances could be crucial for a negative credit decision. The court disagreed in part with IMY's reasoning, stating that the controller does not have to disclose all the specific circumstances that always lead to a rejection as this is not explicitly required by GDPR. Nonetheless, the Court ruled that the controller breached Article 13(2)(f) GDPR and Article 14(2)(g) GDPR for not disclosing its use of a scoring model and the information it processes.
Disclosure of information: The Court ruled in favor of the controller, stating that IMY did not sufficiently prove that the controller had violated Article 12(1) GDPR. The court explained that Article 13 GDPR and Article 14 GDPR detail the information that needs to be disclosed to data subjects, while Article 12(1) GDPR outlines the manner in which this information should be delivered. Therefore, it held, a breach of Article 13 GDPR and Article 14 GDPR does not inherently result in a breach of Article 12(1) GDPR, and that in this case IMY failed to prove a violation of Article 12(1) GDPR specifically.
Principle of transparency: The Court ruled that the controller's information regarding the legal basis for personal data processing in the service "My Economy", data retention period, transfer of personal data to third countries, as well as information about the logic behind the company's profiling and automated decision-making, was incomplete. As a result, the controller violated the obligations on transparency as required by Articles 5(1)(a), 13 and 14 GDPR. However, the court did not agree with the IMY's claim that the controller violated principles of lawfulness and fairness under Articles 5(1)(a) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
The administrative court in Stockholm assesses that Klarna Bank AB has not violated the data protection regulation to the extent claimed by the Privacy Protection Authority. The court has therefore decided that the penalty fee should be reduced. The Privacy Protection Authority (IMY) decided on March 28, 2022 to impose a penalty fee of SEK 7.5 million on Klarna Bank AB because the company has breached its information obligation. Klarna Bank AB has appealed the decision and believes, among other things, that the company has been notified of a penalty fee for violating non-binding guidelines and that it is in violation of basic Swedish and European law. According to the company, there is therefore no support for imposing a penalty fee. Judgment of the court The administrative court in Stockholm shares IMY's assessment that the registered did not receive sufficient information about how and for what purposes certain personal data is processed. Those registered have also not received sufficient information about their rights. Support for imposing a penalty fee on Klarna Bank AB due to this can be found in the data protection regulation. However, there is not sufficient support that Klarna Bank AB has breached its obligation to provide information to the same extent as IMY claims. - The court considers that Klarna Bank AB has violated the data protection regulation. However, the violation is not as serious as IMY has assessed in the appealed decision and the penalty fee must therefore be reduced from SEK 7.5 million to SEK 6 million, says councilor Gustav Forsberg.
