FiS - 7679-22

From GDPRhub
Revision as of 15:29, 19 April 2024

Court: FiS (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 13(1)(c) GDPR
Article 17 GDPR
Article 18 GDPR
Article 20 GDPR
Article 21 GDPR
Article 22(1) GDPR
Decided: 14.04.2023
Published:
Parties: Klarna Bank AB
National Case Number/Name: 7679-22
European Case Law Identifier:
Appeal from: IMY (Sweden), DI-2019-4062
Appeal to: KamR Stockholm (Sweden), 2829-23 (Appealed - Overturned)
Original Language(s): Swedish
Original Source: Sveriges Domstolar (in Swedish)
Initial Contributor: Izel

The Administrative Court of Stockholm reduced Klarna's fine to €600,000, finding fewer GDPR breaches than initially assessed by the Swedish DPA, while taking Klarna's continuous improvement in information provision into account.

English Summary

Facts

On 28 March 2022, the Swedish DPA (IMY) fined Klarna AB (the controller) €730,000 (SEK 7,300,000) for not providing data subjects with adequate information about its processing activities. IMY found that the controller violated the GDPR in the following respects:

  • It did not provide information about the purpose and the legal basis for the data processing relating to the service "My economy".
  • It provided incomplete and misleading information about the recipients of different categories of personal data when these were shared with Swedish and foreign credit reference agencies.
  • It did not provide information about the countries outside the EU/EEA to which personal data was transferred, or about where and how data subjects could access or obtain documents on the safeguards that applied to the transfer.
  • It provided incomplete information about retention periods and the criteria used to determine those periods.
  • It provided inadequate information about data subjects' rights, which did not comply with the principle of transparency, in particular as regards the rights to request from the controller the erasure of personal data under Article 17 GDPR, the restriction of processing under Article 18 GDPR, data portability under Article 20 GDPR and to object to the processing under Article 21 GDPR.
  • Its privacy policy lacked meaningful information about the logic, significance and foreseen consequences of automated decision-making, including profiling, under Article 22(1) GDPR.

The controller appealed the decision to the Administrative Court, challenging the basis of IMY's decision and claiming in particular that it relied heavily on non-binding guidelines. The controller argued that both Swedish and European administrative law fundamentally require that an intervention against an individual, especially a fine, may only take place where there is clear support in binding statute. Despite this, the controller claimed, it had been fined heavily for violating non-binding guidelines. The controller also argued that the fine should be reduced because IMY's inadequate handling of the case had weakened the controller's ability to defend itself: it claimed that IMY took approximately three years to process the case, including two years of inactivity.

Holding

The Administrative Court upheld the controller's appeal in part and lowered the administrative fine to €600,000 (SEK 6,000,000). The Court began by noting that the Article 29 WP's Guidelines on transparency, which were formally endorsed by the EDPB, are intended to promote an efficient and uniform application of the GDPR. It stated that the guidelines are not binding, but may carry some weight as guidance. Still, it held that sanctions cannot be imposed on the basis of the guidelines without support in the GDPR itself.

The Court considered each of the violations identified by IMY. It disagreed with IMY's findings of GDPR breaches in two instances, holding that the controller did not breach Articles 12(1) and 13(1)(e) GDPR. On the other hand, it upheld IMY's findings that the controller was deficient in providing information to data subjects and had violated the principle of transparency under Article 5(1)(a) GDPR.

In assessing the fine, the Court considered that these violations, in conjunction with the extent of the data processing, amounted to GDPR breaches that could not be regarded as causing only limited harm. At the same time, it considered that the controller's violations were not intentional and acknowledged that the controller had continuously improved the information it provided. It rejected the controller's argument that IMY's investigation had been unreasonably long.

Further Details: the Administrative Court's Assessment of IMY's Findings

Information about processing related to the "My economy" service: The Court upheld IMY's finding, concluding that the controller did not state the legal basis for all purposes of its processing and that the information provided was therefore insufficient. At the time of registration the controller informed data subjects that it collects and uses data on the basis of consent and for the purpose of providing the service. Some additional purposes of collection were listed only in the privacy notice. However, while the information provided during registration included the legal basis for the processing, the privacy notice mentioned only the additional processing purposes, not their legal basis. As a result, the controller did not meet the requirements of Article 13(1)(c) GDPR.

Information about the recipients of personal data: Contrary to IMY's finding, the Court held that the controller did not breach Article 13(1)(e) GDPR. While it acknowledged the Article 29 WP's transparency guidelines, which state that, on the basis of the fairness principle, controllers must provide data subjects with information about recipients, including their location, the Court determined that the GDPR requires only that the recipients or categories of recipients be named, not that it be specified whether a recipient is a Swedish or a foreign credit reference agency.

Information about transfers to third countries: The Court affirmed IMY's determination that the controller violated Article 13(1)(f) GDPR by not providing data subjects with necessary information regarding transfers of their personal data to third countries, including whether an EU Commission adequacy decision exists. The Court ruled that naming the specific third countries is required for the information to be meaningful and to comply with the GDPR and Article 29 WP's transparency guidelines.

Information about retention of personal data: The Court ruled that the controller's practice of stating that personal data will be stored for as long as necessary for each respective purpose, while giving examples of retention periods for some processing activities, failed to meet the transparency requirements of Article 13(2)(a) GDPR. It noted the Article 29 WP's transparency guidelines, which call for the information to be specified in a way that enables data subjects to assess, based on their own situation, the retention period for specific data or purposes.

Information about data subjects' rights: The Court found that the controller had failed to provide sufficient information about data subjects' rights and had thereby violated Article 13(2)(b) GDPR, affirming IMY's finding. Specifically, the controller did not adequately describe the rights to request erasure, restriction and data portability, nor did it provide information about the right to object to certain processing. The Court stated that it is the controller's responsibility to provide information about the specific rights in a way that allows data subjects to understand what those rights mean.

Information about profiling and automated decision-making: The Court found that the controller's privacy notice did not include details about its use of its own internal scoring model based on internal and external financial information, or about the specific types of data included in that financial information, such as debts to other lenders. It also lacked information about which circumstances could be decisive for a negative credit decision. The Court disagreed in part with IMY's reasoning, stating that the controller does not have to disclose all the specific circumstances that always lead to a rejection, as this is not explicitly required by the GDPR. However, the Court ruled that the controller breached Article 13(2)(f) GDPR and Article 14(2)(g) GDPR by not disclosing its use of a scoring model and the information it processes.

Disclosure of information: The Court ruled in favor of the controller, stating that IMY had not sufficiently proven that the controller violated Article 12(1) GDPR. The Court explained that Article 13 GDPR and Article 14 GDPR specify the information that must be disclosed to data subjects, while Article 12(1) GDPR governs the manner in which this information is to be provided. It therefore held that a breach of Article 13 GDPR or Article 14 GDPR does not in itself entail a breach of Article 12(1) GDPR, and that in this case IMY had failed to prove a violation of Article 12(1) GDPR specifically.

Principle of transparency: The Court ruled that the controller's information regarding the legal basis for the processing of personal data in the "My economy" service, the data retention period, transfers of personal data to third countries and the logic behind the company's profiling and automated decision-making was incomplete. As a result, the controller violated the transparency obligations under Articles 5(1)(a), 13 and 14 GDPR. However, the Court did not agree with IMY's claim that the controller had violated the principles of lawfulness and fairness under Article 5(1)(a) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

The administrative court in Stockholm assesses that Klarna Bank AB has not violated the data protection regulation to the extent claimed by the Privacy Protection Authority. The court has therefore decided that the penalty fee should be reduced.

The Privacy Protection Authority (IMY) decided on March 28, 2022 to impose a penalty fee of SEK 7.5 million on Klarna Bank AB because the company has breached its information obligation. Klarna Bank AB has appealed the decision and believes, among other things, that the company has been notified of a penalty fee for violating non-binding guidelines and that it is in violation of basic Swedish and European law. According to the company, there is therefore no support for imposing a penalty fee.

Judgment of the court

The administrative court in Stockholm shares IMY's assessment that the registered did not receive sufficient information about how and for what purposes certain personal data is processed. Those registered have also not received sufficient information about their rights. Support for imposing a penalty fee on Klarna Bank AB due to this can be found in the data protection regulation. However, there is not sufficient support that Klarna Bank AB has breached its obligation to provide information to the same extent as IMY claims.

- The court considers that Klarna Bank AB has violated the data protection regulation. However, the violation is not as serious as IMY has assessed in the appealed decision and the penalty fee must therefore be reduced from SEK 7.5 million to SEK 6 million, says councilor Gustav Forsberg.