IMY (Sweden) - DI-2021-10263
| IMY - DI-2021-10263 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(a) GDPR Article 15 GDPR Article 15(1)(c) GDPR Article 19 GDPR Article 56 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 11.05.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | Klarna Bank AB |
| National Case Number/Name: | DI-2021-10263 |
| European Case Law Identifier: | EDPBI:SE:OSS:D:2022:366 |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In a procedure under Article 60 GDPR, the Swedish DPA reprimanded Klarna Bank AB for not providing information on the recipients to which personal data had been disclosed when replying to an access request under Article 15 GDPR.
English Summary
Facts
The data subject complained that a bank (controller) violated Article 15 GDPR, because it did not provide all information he initially requested. The controller did not provide information regarding recipients to whom personal data of the data subject had been disclosed. The controller did not provide this additional information even after the data subjects specifically asked for it in a follow-up request.
The data subject filed his complaint with the DPA in Germany. A German DPA transferred the complaint to the Swedish DPA, which was the Lead Supervisory Authority (Article 56 GDPR) in this case. The Swedish DPA used the mechanisms for cooperation and consistency (Chapter VII GDPR), because this complaint regarded cross-border processing. The CSAs (Concerned Supervisory Authorities) were located in Germany, Denmark, Austria, Italy, Poland and Finland.
The controller stated that it did not have the obligation to provide access in the way the data subject requested and that it had acted in a GDPR compliant way. To support this argument, the controller also stated that the EDPB Guidelines 01/2022 on Access were adopted on 18 January 2022, two years after the data subject's case regarding access was closed. These Guidelines state that the controller should provide the actual recipients unless it would only be possible to indicate the category of recipients. It already followed from Articles 13 and 14 GDPR that the recipients or categories of recipients of personal data should be as concrete as possible in respect of the principles of transparency and fairness. These Guidelines also state that storing information about the actual recipients is also necessary to comply with Article 5(2) GDPR.
Holding
The DPA determined that the controller violated Article 15 GDPR. The DPA stated that Article 15(1)(c) GDPR must be interpreted as a right to obtain information from the controller about the actual recipients to whom the personal data have been - or will be disclosed, unless this proves impossible or involves disproportionate effort. The controller should especially provide this data when the data subject is specifically asking for it. The DPA reached this conclusion by interpreting Article 15(1)(c) GDPR together with Articles 19 and Article 5(1)(a) GDPR, the principles of fairness and transparency.
The DPA held that in the present case, the data subject had explicitly requested information about recipients of his personal data. The controller did not prove that providing this information was impossible or would involve disproportionate effort.
The DPA also clarified that it did not claim that the controller had an obligation to comply with the EDPB Guidelines, which were not yet available at the time of the violation. The DPA stated that its reason for citing the Guidelines was to prove that there was wide support for the DPA's opinion, which also followed from the wording of Article 19 GDPR.
The DPA held that the violation constituted a minor infringement (Recital 148). The violation only affected one data subject. Also, no sensitive data was involved. Furthermore, the controller otherwise complied with the access request. Therefore, the DPA only reprimanded the controller (Article 58(2)(b) GDPR).
Comment
The document from the EDPB website is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-05-11, no. DI-2021-10263. Only the Swedish version of the decision is deemed authentic.
In the text of the decision, it was not clarified which German DPA transferred the decision to the Swedish DPA. Looking at the code used in the registration number for this decision (LDA-1085.1-1399/20-F), it is most likely the decision seems to have been transferred by the Brandenburg DPA (LDA: Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(4)
Notice: This document is an unofficial translation of
the Swedish Authority for Privacy Protection’s (IMY)
decision 2022-05-11, no. DI-2021-10263. Only the
Swedish version of the decision is deemed authentic.
Registration number:
Decision under the General Data
DI-2021-10263, IMI case no.
185203,
LDA-1085.1-1399/20-F Protection Regulation — Klarna Bank
Date of decision: AB
2022-05-11
Decision of the Swedish Authority for Privacy
Protection (IMY)
The Authority for Privacy Protection (IMY) finds that Klarna Bank AB is processing
personal data in breach of Article 15 of the General Data Protection Regulation
1
(GDPR) by not complying with the complainant’s request of 22 December 2019 for
information about the recipients to whom his personal data have been disclosed.
The Authority for Privacy Protection issues Klarna Bank AB a reprimand pursuant to
Article 58(2)(b) of the GDPR for the infringement of Article 15 of the GDPR.
Report on the supervisory case
The case handling
The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna
Bank AB (Klarna) due to a complaint. The complaint has been submitted to IMY, in its
capacity as lead supervisory authority under Article 56 of the General Data Protection
Regulation (GDPR). The handover has been made by the supervisory authority of the
country where the complainant has lodged his complaint (Germany) in accordance
with the Regulation’s provisions on cooperation concerning cross-border processing.
The investigation in the case has been carried out through correspondence. Since the
complaint regards cross-border processing, IMY has used the mechanisms for
cooperation and consistency contained in Chapter VII of the GDPR. The supervisory
authorities concerned have been the data protection authorities in Germany, Denmark,
Austria, Italy, Poland, and Finland.
The complaint
Postal address: The complainant mainly states the following.
Box 8114
104 20 Stockholm
Website: He has requested access to his personal data under Article 15 of the GDPR. The
www.imy.se information he obtained from Klarna did not include all the information that he had
E-mail:
imy@imy.se 1
Telephone: Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the
and repealing Directive 95/46/EC (General Data Protection Regulation).nd on the free movement of such data,
08-657 61 00Integritetsskyddsmyndigheten Diarienummer: DI-2021-10263 2(4)
Datum: 2022-05-11
asked for since it lacked information about the recipients to whom his personal data
had been disclosed. Even though the complainant came back with a request to know
exactly which recipients his data had sent to, Klarna has not complied with this
request.
Due to the complaint, IMY has initiated supervision in order to examine if the
complainant’s request has been complied with in accordance with Article 15 of the
GDPR.
What Klarna has stated
Klarna states that it is the controller for the processing to which the complaint relates.
th
The information sent to the complainant on the 24 of January 2020 is in accordance
with the obligations of the GDPR. Klarna has no duty to reply to the complainant’s
access request in any other way that it did. The EDPB Guidelines 01/2022 on access
th
was adopted on the 18 of January 2022, i.e. two years after the complainant’s case
regarding access request was closed.
Justification of the decision
Applicable provisions, etc.
Article 15 of the GDPR provides that he data subject shall have the right to obtain from
the controller confirmation as to whether or not personal data concerning him or her
are being processed, and, where that is the case, access to the personal data. The
data subject shall also have the right to information about the recipients or categories
of recipient to whom the personal data have been or will be disclosed (Article 15(1)(c)).
Article 19 of the GDPR requires the controller to communicate any rectification or
erasure of personal data or restriction of processing carried out in accordance with
Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data
have been disclosed, unless this proves impossible or involves disproportionate effort.
The controller shall inform the data subject about those recipients if the data subject
requests it.
According to Article 5 the controller shall be responsible for, and be able to
demonstrate compliance with, inter alia the obligation to processes personal data fairly
and in a transparent manner in relation to the data subject.
EDPB Guidelines 01/2022 on access state that concerning the question, if the
controller is free to choose between information on recipients or on categories of
recipients, it has to be recalled, that, already under Art. 13 and 14 GDPR information
on the recipients or categories of recipients should be as concrete as possible in
respect of the principles of transparency and fairness. The controller should therefore
generally name the actual recipients unless it would only be possible to indicate the
category of recipients. Nevertheless, sometimes naming the actual recipients is not yet
possible at the time of the information under Art. 13 and 14 GDPR but only in a later
stage, for example when an access request is made. The EDPB recalls in this regard,Integritetsskyddsmyndigheten Diarienummer: DI-2021-10263 3(4)
Datum: 2022-05-11
that storing information relating to the actual recipients is necessary inter alia to be
able to comply with the controller’s obligations under Art. 5(2) and 19 GDPR. 2
Assessment of the Authority for Privacy Protection
The wording of Article 15(1)(c) of the GDPR does clarify if the controller is free to
choose between information on actual recipients or on only categories of recipients.
However, IMY concludes that Article 15(1)(c), read together with Article 19 and in light
of the principles of fairness and transparency (Article 5(1)(a)) cannot be interpreted
any other way than as a right of the data subject to, especially when explicitly
requested, obtain from the controller information about the actual recipients to whom
the personal data have been or will be disclosed, unless this proves impossible or
involves disproportionate effort.
IMY notes that the complainant has explicitly requested information about actual
recipients. Klarna has not proved that this has proven impossible or to involve
disproportionate effort. Klarna has thus processed the complainant’s personal data in
violation of Article 15 of the GDPR.
What Klarna has stated about that the EDPB Guidelines on access was adopted after
the access request was complied with, does not lead to any other conclusion. IMY
does not claim that Klarna has an obligation to comply with guidelines that was not
available to Klarna at the time of the violation. IMY’s reason for citing the guidelines is
to prove that there is wide support for IMY’s opinion, which follows from the wording of
Article 19.
Choice of corrective measure
It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the
power to impose administrative fines in accordance with Article 83. Depending on the
circumstances of the case, administrative fines shall be imposed in addition to or in
place of the other measures referred to in Article 58(2), such as injunctions and
prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into
account when deciding on administrative fines and in determining the amount of the
fine.
In the case of a minor infringement, as stated in recital 148, IMY may, instead of
imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider is
the aggravating and mitigating circumstances of the case, such as the nature, gravity
and duration of the infringement and past relevant infringements.
IMY notes that the violation has affected one person and has not involved sensitive
data. Furthermore, Klarna has otherwise complied with the complainant’s request for
access. Against this background IMY considers that it is a minor infringement within
the meaning of recital 148 and that Klarna Bank AB must be given a reprimand
pursuant to Article 58(2)(b) of the GDPR for the established infringement.
2EDPB Guidelines 01/2022 on data subject rights -access, Version 1.0, adopted for public consultation on
18 January 2022, paragraph 115.Integritetsskyddsmyndigheten Diarienummer: DI-2021-10263 4(4)
Datum: 2022-05-11
This decision has been approved by the specially appointed decision-maker
after presentation by legal advisor
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy
Protection. Indicate in the letter which decision you appeal and the change you
request. The appeal must have been received by the Authority for Privacy Protection
no later than three weeks from the day you received the decision. If the appeal has
been received at the right time, the Authority for Privacy Protection will forward it to the
Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
any privacy-sensitive personal data or information that may be covered by
confidentiality. The authority’s contact information is shown in the first page of the
decision.
