IMY (Sweden) - 2022-1032: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=2022-1032 |ECLI= |Original_Source_Name_1=IMY |Original_Source_Link_1=https://www.imy.se/contentassets/4a448ecb94804740b8e4389d771d1732/beslut-tillsyn-lensway-group-ab.pdf |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Origi...") |
mNo edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 74: | Line 74: | ||
These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR. | These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR. | ||
Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature asked in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent. The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that in the present case, the data subjects had not been identified on a good and secure way when contacting the controller. | Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature asked in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent. | ||
The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that in the present case, the data subjects had not been identified on a good and secure way when contacting the controller. Indeed, the customer relationship could be established on two ways: either by making a purchase, or by creating an account. | |||
=== Holding === | === Holding === | ||
Firstly, regarding the information requested, the DPA assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under [[Article 12 GDPR#6|Article 12(6) GDPR]] additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller. The DPA considered that in the present case, the controller had not demonstrated that there were reasonable grounds to doubt the data subjects’ identity. | Firstly, regarding the information requested, the DPA assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under [[Article 12 GDPR#6|Article 12(6) GDPR]] additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller. The DPA considered that in the present case, the controller had not demonstrated that there were reasonable grounds to doubt the data subjects’ identity. | ||
The DPA also examined if the information requested was necessary to confirm the data subjects’ identity. The IMY considered that providing a copy of an ID is an intrusive measure and is only appropriate when alternative less intrusive verification methods are inappropriate. The DPA found that in the present case, the controller did not demonstrate that a copy of an ID or a signature were absolutely necessary or appropriate. | The DPA also examined if the information requested was necessary to confirm the data subjects’ identity. The IMY considered that providing a copy of an ID is an intrusive measure and is only appropriate when alternative less intrusive verification methods are inappropriate. In the present case for example, data subjects could have logged into their accounts. The DPA found that in the present case, the controller did not demonstrate that a copy of an ID or a signature were absolutely necessary or appropriate. | ||
Therefore, the DPA concluded that the controller breached [[Article 12 GDPR#6|Article 12(6) GDPR]]. | Therefore, the DPA concluded that the controller breached [[Article 12 GDPR#6|Article 12(6) GDPR]]. | ||
| Line 85: | Line 87: | ||
Secondly, regarding the sending of the documents by mail, under [[Article 12 GDPR#2|Article 12(2) GDPR]], the use of ordinary mail as the only means of contact is accepted in exceptional circumstances. The DPA added that alternative ways of submitting requested data should be offered. The IMY held that sending a copy of an identity document may entail special risks which may justify that the document be sent by post, if this is necessary to confirm the identity of the data subject. However, as this was not the case, the DPA found that the controller violated [[Article 12 GDPR#2|Article 12(2) GDPR]]. | Secondly, regarding the sending of the documents by mail, under [[Article 12 GDPR#2|Article 12(2) GDPR]], the use of ordinary mail as the only means of contact is accepted in exceptional circumstances. The DPA added that alternative ways of submitting requested data should be offered. The IMY held that sending a copy of an identity document may entail special risks which may justify that the document be sent by post, if this is necessary to confirm the identity of the data subject. However, as this was not the case, the DPA found that the controller violated [[Article 12 GDPR#2|Article 12(2) GDPR]]. | ||
Thus, the DPA issued a reprimand to the controller for breaching Articles 12(2) and 12(6) GDPR. | Thus, the DPA issued a reprimand to the controller for breaching [[Article 12 GDPR#2|Articles 12(2)]] and [[Article 12 GDPR#6|12(6) GDPR.]] | ||
== Comment == | == Comment == | ||
Latest revision as of 08:16, 24 April 2024
| IMY - 2022-1032 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 12(2) GDPR Article 12(6) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 19.01.2023 |
| Published: | 09.04.2024 |
| Fine: | n/a |
| Parties: | Lensway Group AB |
| National Case Number/Name: | 2022-1032 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | IMY (in SV) |
| Initial Contributor: | nzm |
The DPA issued a reprimand against a controller for asking data subjects to provide a copy of their ID as well as signed documents by post, when there were no reasonable grounds to doubt the identity of the data subjects.
English Summary
Facts
A data subject in Finland contacted Lensway Group AB (“controller”) and made an erasure request. The controller replied that the data subject needed to send them his postal address so that they could send him documents related to the request, which should be signed and returned by him. The controller also asked the data subject to verify his identity by sending a copy of his ID by email. The data subject refused to provide this information. The data subject therefore lodged a complaint with the Finnish DPA.
Another data subject, in Denmark, contacted the same controller, also for an erasure request. To comply with the request, the controller asked the data subject to provide his social security number and a copy of his ID. The data subject questioned the need for the controller to collect personal data in order to delete his personal data and suggested that it could confirm his identity by sending an email to the address it had registered for him. The controller refused.
These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR.
Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature asked in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent.
The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that in the present case, the data subjects had not been identified on a good and secure way when contacting the controller. Indeed, the customer relationship could be established on two ways: either by making a purchase, or by creating an account.
Holding
Firstly, regarding the information requested, the DPA assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under Article 12(6) GDPR additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller. The DPA considered that in the present case, the controller had not demonstrated that there were reasonable grounds to doubt the data subjects’ identity.
The DPA also examined if the information requested was necessary to confirm the data subjects’ identity. The IMY considered that providing a copy of an ID is an intrusive measure and is only appropriate when alternative less intrusive verification methods are inappropriate. In the present case for example, data subjects could have logged into their accounts. The DPA found that in the present case, the controller did not demonstrate that a copy of an ID or a signature were absolutely necessary or appropriate.
Therefore, the DPA concluded that the controller breached Article 12(6) GDPR.
Secondly, regarding the sending of the documents by mail, under Article 12(2) GDPR, the use of ordinary mail as the only means of contact is accepted in exceptional circumstances. The DPA added that alternative ways of submitting requested data should be offered. The IMY held that sending a copy of an identity document may entail special risks which may justify that the document be sent by post, if this is necessary to confirm the identity of the data subject. However, as this was not the case, the DPA found that the controller violated Article 12(2) GDPR.
Thus, the DPA issued a reprimand to the controller for breaching Articles 12(2) and 12(6) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(8)
Lensway Group AB
Diary number:
IMY-2022-1032 Decision after supervision according to
data protection regulation - Lensway
Date:
2023-01-19 Group AB
The Privacy Protection Authority's decision
The Privacy Protection Authority states that Lensway Group AB when handling
the deletion request made on February 20, 2020 by the complainant in complaint 1,
and on June 25, 2020 by the complainant in complaint 2, has processed personal data in violation
with:
• article 12.6 of the data protection regulation by requesting a copy of
identity document and signature when this was not necessary to confirm
the identities of the complainants as well
• Article 12.2 of the Data Protection Regulation by requiring the complainants at
requests for deletion must submit data to confirm their identities
via post, which did not facilitate the appellants' exercise of their right to
deletion.
The Privacy Protection Authority gives Lensway Group AB a reprimand according to article
58.2 b of the data protection regulation for violation of articles 12.2 and 12.6 of
data protection regulation.
Account of the supervisory matter
Handling
The Swedish Privacy Protection Agency (IMY) has started supervision of Lensway Group AB
(the company) due to two complaints, mainly to investigate the Lensway Group
AB has received and handled the complainant's request for deletion in a correct manner
according to articles 12 and 17 of the data protection regulation. The complaints have been handed over to
IMY, in its capacity as responsible supervisory authority pursuant to Article 56 i
Postal address: data protection regulation. The handover has taken place from the supervisory authorities in that country
Box 8114 where the complainants have filed their complaints (Finland and Denmark) pursuant to
104 20 Stockholm Regulation's provisions on cooperation in cross-border processing.
Website:
www.imy.se
E-mail:
imy@imy.se 1
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
Telephone: natural persons with regard to the processing of personal data and on the free flow of such data and on
08-657 61 00 repeal of directive 95/46/EC (general data protection regulation). The Swedish Privacy Agency Diary number: IMY-2022-1032 2(8)
Date: 2023-01-19
The proceedings at IMY have taken place through an exchange of letters. Against the background that it applies
cross-border treatment, IMY has used the mechanisms for cooperation
and uniformity found in Chapter VII of the Data Protection Regulation. Affected
supervisory authorities have been the data protection authorities in Denmark, Norway and Finland.
The complaints
The complaints essentially state the following.
Complaint 1 (Complaint from Finland with national diary number 1576/153/2020)
The complainant has been in contact with the company on 20 February 2020 and requested deletion.
The company has replied to the complainant that he needs to send his postal address to them so that they
may send documents relating to his request to him. These actions would
appellant sign and return. Furthermore, the company has requested that the complainant should
verify their identity by sending a copy of their identity document via e-mail. Of
for security reasons, the appellant has not been willing to submit what was requested of
him.
Complaint 2 (Complaint from Denmark with national diary number 2020-31-3616)
The complainant has requested deletion of his information on lensway.dk. To accommodate
request, the company has requested that he provide his social security number and
submit a copy of their identity document. However, the company cannot tell
the appellant why they need this information other than they need it to
able to confirm his identity. The appellant disputes that the company needs to collect
personal data to delete personal data. The complainant suggested that the company instead
could confirm his identity by sending an email to the address that
was registered to him but they refused.
What the company has stated
The company has in its opinion from 20 April, 12 May and 11 August 2022 in
essentially stated the following. The company is responsible for the processing of personal data
to which the complaints relate.
Complaint 1
The company has received the complainant's request for deletion, but the complainant has not followed through
the company's verification process applicable at the time. The company has requested that the complainant should
send in a copy of your identity document. It is the only way that the company so far
have been able to ensure the customer's identity on The copy would be sent via ordinary
mail aisle. The company has also requested that the complainant submit a signed
request for deletion. The company has so far not been able to receive this data digitally.
To ensure that they have received original documents, they have asked the complainant to send them in
this via regular mail.
Complaint 2
The company has received the request for deletion on June 25, 2020, but the complainant has not
completed the company's verification process applicable at the time. It is true that the company
requested the appellant's social security number in the written record but it has
was voluntary in providing this information. As an addition to the information in the written
basis, the company has requested that the complainant submit a copy of his
identity document. The company has so far not been able to identify the complainant in any other way.
Date: 2023-01-19
way. The appellant has been asked to submit the information via ordinary post in order to
ensure that the company has received documents in original.
Regarding both complaints, the company has stated the following
As regards the written request that both appellants would submit, states
the company follows regarding which personal data was mandatory to provide and
why the information was necessary.
• Name is a mandatory information that is requested in order to confirm it
data subject's identity.
• E-mail address is a mandatory information requested to be used as
a unique identifier of customers in the company's system.
• Signature is a mandatory task for the company to ensure that
the registrant has read the information and given his consent.
The company states that they should always ensure that it is the right person who contacts them then
it concerns requests to exercise a right under the Data Protection Regulation. Then
the company was previously unable to identify the customer in a good and safe way when they
contacted the company via customer service has the manual process via regular mail
been the one they used. In this way, they have achieved a two-step verification.
Functionality to enable confirmation of the customer's identity via customer service has
not been in place.
The customer relationship with the company can be established in two ways, either the customer implements one
buy or the customer logs in to My Pages. When the customer creates an account on Mina
Pages provide the customer with their email address and a confirmation email
sent to the customer. The customer can then access one via the link in the email
web page where he links a password to the e-mail address. The customer account is then
created and the company thus receives a two-step verification. The appellants have used
of the other means by which the customer relationship can be established.
The complainants have made purchases with the company and they have then been identified via the company's
payment service provided by Klarna. For most payment options, Klarna requires that
the customer verifies himself via bankID. For certain payment methods, for example payment with
credit card, the customer can choose not to have to verify themselves via bankID through
Klarna's app.
The company's existing digital contact route is Mina Sidor. However, there has been none
functionality to handle requests to exercise a right under
the data protection regulation on My Pages. Since April 2022, the company's customers can now
request to be deleted or receive a copy of their personal data directly via My Pages.
The customer's identity is then verified via regular login.
Justification of the decision
Applicable regulations, etc.
According to Article 17.1, the data subject shall have the right to the personal data controller without
unnecessary delay have their personal data deleted and the personal data controller
shall be obliged to delete personal data about any of them without undue delay
prerequisites listed in the article exist, for example if the information is not
Date: 2023-01-19
are no longer necessary for the purposes for which they have been collected or consented to
treatment is withdrawn.
According to Article 12.2, the personal data controller must facilitate its exercise
data subject's rights in accordance with Articles 15–22.
Article 12.6 states that, without prejudice to the application of Article 11, it may
personal data controller, if he has reasonable grounds to doubt its identity
natural person who submits a request under Articles 15-21, request that additional
information necessary to confirm the identity of the data subject is provided.
2
In the European Data Protection Board's (EDPB) Guidelines 01/2022 on access is stated among
other following.
65. If the data controller requests additional information that is
necessary to confirm the identity of the data subject it shall
personal data controller each time assess which information will
enable the personal data controller to confirm the data subject
identity and possibly ask additional questions of the requesting person or
request the data subject to provide additional identifying information, if any
proportionately (see section 3.3). Such additional information should not be more than
the information originally needed to control it was recorded
identity (authentication). In general, the fact that the
the controller may request additional information to assess it
data subject's identity does not lead to excessive demands and to the collection of
personal data that is not relevant or necessary to strengthen the connection
between the individual and the personal data requested. 3
[…]
73. It should be emphasized that the use of a copy of an identity document as a
part of the authentication process poses a risk to the security of personal data and
may lead to unauthorized or illegal processing, and therefore should be considered inappropriate,
unless absolutely necessary, appropriate and in accordance with national
legislation. In such cases, the personal data controllers should have systems that
ensures a level of security suitable to reduce the higher risks of
the freedom and rights of the data subject to receive such data. It is also
important to note that identification using an identity card not necessarily
helps in an online context (e.g. when using pseudonyms) about it
the person concerned cannot provide any other evidence, e.g. further
4
properties that match the user account.
2EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 1.0 (EDPB's Guidelines 01/2022 on
the right of access). The guidelines have been out for public consultation and are awaiting final adoption.
3IMY's translation, original: In cases where the controller requests the provision of additional information necessary
to confirm the identity of the data subject, the controller shall each time assess what information will allow it to confirm
the data subject's identity and possibly ask additional questions to the requesting person or request the data subject
to present some additional identification elements, if it is proportionate (see section 3.3). Such additional information
should not be more than the information initially needed for the verification of the data subject's identity
(authentication). In general, the fact that the controller may request additional information to assess the data subject's
identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary
4o strengthen the link between the individual and the personal data requested.
IMY's translation, original: It should be emphasized that using a copy of an identity document as a part of the
authentication process creates a risk for the security of personal data and may lead to unauthorized or unlawful
processing, and as such it should be considered inappropriate, unless it is strictly necessary, suitable, and in line with
national law. In such cases the controllers should have systems in place that ensure a level of security appropriate to
Date: 2023-01-19
The Swedish Privacy Protection Authority's assessment
Based on the current complaints in the case, IMY has reviewed the company's
action in these two individual cases.
Has the company acted in accordance with 12.6 of the data protection regulation when the company
requested current information from the complainants?
Did Lensway Group have reasonable grounds to doubt the identity of the complainants?
It is only when the personal data controller has reasonable grounds to doubt the identity
with the person who made the request who receives additional information to confirm the identity
is requested. What constitutes "reasonable grounds" in Article 12.6 of the Data Protection Regulation should
assessed based on the circumstances of the individual case. The assessment of whether there is
reasonable grounds to doubt in an individual case the identity of the person making the request is made
normally in light of the information provided in connection with the request. The
applies especially in situations where the person in charge of personal data lacks further knowledge
about this person. However, the fact that an individual assessment is required does not preclude that
routines are established for how the person in charge of personal data normally verifies it
data subject's identity.
The company has been given the opportunity to justify the individual assessment based on which it was made
the appellants' situation if they considered that they had reasonable grounds to doubt the identity of
the appellants when they presented their requests. Regarding both appellants, the company has i
mainly stated the following. The company should always ensure that it is the right person who
contacts them regarding requests to exercise a right under
data protection regulation. The customer has not previously been able to be identified in a good and
secure way when they contacted the company via Customer Service. Functionality for management of
requests to exercise a right under the Data Protection Regulation have never existed
at Customer Service or on My Pages.
IMY states that it is not clear from the investigation in the case which data are
the appellants submitted in connection with their request and if based on these there were any
reason for the company to doubt their identity. However, IMY considers that against the background
from what has emerged in the case, there is no reason to question the company's statement
that the company had reason to doubt the identity of the complainants. In the assessment
does the IMY consider the fact that the obligation to ensure the identity of the person making a
the request also has the purpose of protecting data subjects against someone else doing it incorrectly
requests in their name, which may lead to negative consequences for it
registered. The risks of these negative consequences in case of false requests are
particularly evident when it comes to more intrusive measures, such as the exercise of
the right to erasure. IMY therefore finds that it has not been shown other than that the company in the relevant
the cases had reasonable grounds to doubt the identity of the appellants.
Has the information requested by Lensway Group been necessary to confirm
the identity of the complainants?
Even if the personal data controller has reasonable grounds to doubt the identity of those
complainant, the personal data controller shall not collect more personal data than what
which is necessary to enable identification of the requesting data subject.
mitigate the higher risks for the rights and freedoms of the data subject to receive such data. It is also important to
note that identification by means of an identity card does not necessarily help in the online context (e.g. with the use
of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching to
the user account. The Swedish Data Protection Agency Diary number: IMY-2022-1032 6(8)
Date: 2023-01-19
The company has essentially stated the following regarding the necessity of that information
those requested by both appellants. A copy of the identity document has been requested when it was
the only way the company has so far been able to ensure the customer's identity. In addition to
copy of identity document, the appellants should submit a written document. The
information that has been requested in the written documentation and why it was necessary,
is reported by the company essentially as follows. The name has been requested to confirm it
data subject's identity. The email address has been requested to be used as a unique
identifier of customers in the company's system. The signature has also been requested and is as per
the company a necessary information in order for the company to be able to ensure that it
registrant has read through the information and given his consent to the handling of
request.
Regarding whether the identity of the complainants has been verified, the company has stated that both
the complainant has made purchases where they have been identified via the company's payment service as
provided by Klarna.
It appears from the company's opinion that it was not required that the company itself verified
the true identity of the appellants when the customer relationship was established, i.e. upon purchase. IMY
notes that the company cannot demand more personal data when the complainant wants to use it
their rights than what was required when establishing the customer relationship. Copy of
identity document and signature are information that the company has not requested
the establishment of the customer relationship in these two current cases. Furthermore, IMY considers that according to
The EDPB's guidelines on the right of access should the use of a copy of an identity document
as part of the authentication process is considered inappropriate, unless it is absolute
necessary, appropriate and in accordance with national legislation. IMY considers that the requirement to
providing the personal data controller with a copy of their identity document is one
interventional measure, which is only appropriate when the personal data controller previously has
ensured the actual identity of the registered and then alternative less
intrusive verification methods are inappropriate. IMY assesses that it has not emerged
some circumstances that speak against other, less intrusive,
verification methods could have been used in the current cases, for example login
via My Pages or control questions. IMY notes that in the case it therefore does not
emerged that the request for the copy of the identity document or the signature would have been
absolutely necessary or appropriate.
In light of this, IMY assesses that the copy of the identity document and the signature
thus cannot be considered to have been necessary to confirm the identity of the appellants
in accordance with Article 12.6 of the Data Protection Regulation.
Has the company acted in accordance with 12.2 of the data protection regulation when the company
requested that the complainants send the information by post?
The next question is whether it has been permissible to require the appellants to send them
the requested information to the company via ordinary post.
In light of the requirements to facilitate the exercise of the data subject's rights i
article 12.2 of the data protection regulation, it can only be accepted in exceptional cases that a
personal data controller as the only contact means refers individuals to regular mail
they must submit information to ensure their identities,
for example if it is justifiable with regard to security reasons. The starting point should
be that alternative ways of submitting requested information must be offered. The company has the Swedish Data Protection Agency Diary number: IMY-2022-1032 7(8)
Date: 2023-01-19
this part essentially stated that they have demanded that the data be sent via ordinary
post office to ensure that they have received the original written documentation.
IMY assesses that sending a copy of an identity document can indeed
involve special risks which may justify requiring that the act
sent by post. This is provided that it is a necessary task in order to
confirm the identity of the data subject.
In the current cases, IMY assesses above that there was no copy of the identity document
necessary to confirm the identity of the complainants. By demanding of
the complainants that the information must also be sent via regular mail, IMY considers that
the company has not made it easier for the complainants to exercise their right to erasure. IMY assesses
thereby that the company thereby acted in violation of Article 12.2 of the data protection regulation.
Choice of intervention
From articles 58.2 i and 83.2 of the data protection regulation, it appears that IMY has the authority
to impose administrative penalty fees in accordance with Article 83. Subject to
the circumstances of the individual case, administrative penalty fees must be imposed
in addition to or instead of the other measures referred to in Article 58.2, such as
injunctions and prohibitions. Furthermore, Article 83.2 states which factors must
taken into account when deciding whether administrative penalty charges are to be imposed and at
determining the size of the fee. If it is a question of a minor violation, IMY gets
as set out in recital 148 instead of imposing a penalty charge issue one
reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating factors
circumstances of the case, such as the nature, severity and duration of the infringement
as well as previous violations of relevance.
IMY notes the following relevant circumstances. It has of the investigation in the matter
found that a copy of the identity document and signature are no longer requested by
Lensway Group AB in the event of requests from registered users to exercise their right to
deletion according to the data protection regulation. Furthermore, the established violations have
occurred relatively far back in time (2020) and has affected two registrants. Against this one
background, IMY finds that it is a question of such minor violations in that sense
as referred to in reason 148 which means that Lensway Group AB must be given a reprimand according to
Article 58.2 b of the Data Protection Regulation for the identified violations.
__________________________________________________
This decision has been taken by the special decision-maker lawyer Evelin Palmér after
presentation by the lawyer Anna Mlynska.
Evelin Palmér, 2023-01-19 (This is an electronic signature) The Swedish Privacy Agency Diary number: IMY-2022-1032 8(8)
Date: 2023-01-19
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
