IMY (Sweden) - DI-2019-6523

From GDPRhub
Latest revision as of 09:02, 8 May 2024

IMY - DI-2019-6523
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 13(1)(c) GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started: 04.06.2019
Decided: 26.06.2023
Published: 29.04.2024
Fine: n/a
Parties: Expressen Lifestyle AB
National Case Number/Name: DI-2019-6523
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (Sweden) (in SV)
Initial Contributor: inkg

The DPA reprimanded a controller for not appropriately clarifying whether its processing operations were based on consent or a contract.

English Summary

Facts

The Swedish DPA ("IMY") initiated an investigation against Expressen Lifestyle AB ("the controller") in 2019 to check whether consent was obtained in compliance with Article 6(1) GDPR.

Following the implementation of the GDPR in 2018, the controller reassessed its legal basis for processing personal data, and started relying mainly on contractual necessity under Article 6(1)(b) GDPR or legitimate interest under Article 6(1)(f) GDPR instead of consent for subscriptions to the controller's magazine. However, the controller accidentally missed updating the registration form of one of the company's webshops, Magasinshoppen. The webshop had a checkbox on its webpage along with the text "I accept the subscription terms. By doing so, I consent to the processing of personal data within the Bonnier Group." The controller also did not update the subscription terms, which stated: "When ordering, you agree that your personal data, including email address, mobile phone number for calls and text messages and any other digital addresses, may be stored and used within Bonnier for digital services, marketing, and for statistical and analytical purposes." Furthermore, information was provided on the right to withdraw consent.

After the DPA's inspection began, the controller took immediate action to correct the information provided in its webshop's registration process. Now, instead of being presented with either a consent request or consent information text, the data subject is asked to agree to the subscription terms (i.e. the terms of purchase) and to confirm that they have read the controller's data protection policy.

Holding

When collecting personal data from a data subject, the controller is obliged under Article 13(1)(c) GDPR to provide information regarding the legal bases of the processing. Article 12(1) GDPR requires the controller to take steps to provide this information to the data subject in a concise, clear, intelligible and easily accessible form, using clear and plain language. The DPA held that the text next to the tick box of the controller’s website gave the data subject the impression that the controller’s legal basis for processing personal data was consent under Article 6(1)(a) GDPR. This was reinforced by the text on the subscription terms and the provided information on the right to withdraw consent. As the controller did not base its processing on consent but on the legal grounds of contract (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR), the DPA found that the controller violated Article 13(1)(c) GDPR by indicating an incorrect legal basis.

The DPA found that the violation was a minor infringement pursuant to Recital 148, because the website was not the main website used by data subjects to subscribe, so the number of affected data subjects was limited, and the violation did not result in serious consequences for the data subjects. Moreover, the DPA recognised that it was a mistake of the controller to not update the website after reviewing its procedures. The DPA also took into account that the controller took immediate action to update the registration of its webshop after the DPA initiated supervision. Therefore, the DPA issued a reprimand under Article 58(2)(b) GDPR against the controller for violating Article 13(1)(c) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Expressen Lifestyle AB
105 44 Stockholm

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Phone: 08-657 61 00

Diary number: DI-2019-6523
Date: 2023-06-26

Supervision according to the data protection regulation – Expressen Lifestyle AB

The Privacy Protection Authority's decision

The Privacy Protection Authority states that Expressen Lifestyle AB (556025-4525) has processed personal data in violation of Article 13.1 c of the data protection regulation by stating an incorrect legal basis for the processing of data subjects' personal data from May 2018 until 4 June 2019.

The Privacy Protection Authority gives Expressen Lifestyle AB a reprimand according to article 58.2 b of the data protection regulation for violation of 13.1 c of the data protection regulation.

Account of the supervisory matter

On June 4, 2019, the Swedish Privacy Protection Authority (IMY) began an investigation against Bonnier Magazine and Brands AB. The supervision was not prompted by any complaint but aimed to review whether the consents obtained to fulfil the obligation to have a legal basis according to Article 6.1 of the data protection regulation met the requirements of the data protection regulation on voluntariness, information and clarity, and that the legal basis clearly appears. Bonnier Magazine and Brands AB was in charge of introducing a checkbox on their web page along with the text "I approve the subscription terms. I hereby consent to the processing of personal data within The Bonnier Group."

In its statement to IMY, Bonnier Magazines and Brands has stated that the information in the registration flow in the company's webshop, Magasinshoppen, was accidentally not updated in the same way as on other web pages. In accordance with the data protection regulation coming into force in 2018, Bonnier Magazine and Brands AB carried out extensive work which meant, among other things, that the company reassessed its legal basis for processing of personal data. Instead of consent, Bonnier Magazine and Brands AB based its processing of customers' personal data mainly on the legal grounds in Article 6.1 b of the data protection regulation, agreement, or in Article 6.1 f of the data protection regulation, legitimate interest. In the normal registration flow that is used on Bonnier Magazine and Brands AB's web pages, the customer is asked to agree to the subscription terms and confirm that he has taken part in Bonnier Magazine and Brands AB's data protection policy. Bonnier Magazines and Brands AB has stated that, immediately when IMY started the supervision, measures were taken to update Magasinshoppen with correct information in the registration flow.

Bonnier Magazines and Brands AB has been dissolved by merger on June 1, 2022 and joined Expressen Lifestyle AB (556025-4525).

Justification of the decision

It follows from ch. 23 Section 1 of the Companies Act (2005:551) that the effects of a merger mean that all assets and liabilities are taken over by another company at the time of the merger. The acquiring company is therefore responsible for the obligations that existed in the company that was taken over. In light of this, IMY makes the assessment that the acquiring company after the time of the merger is a party to IMY's supervision matter and this supervision is therefore aimed at Expressen Lifestyle AB.

When a personal data controller collects personal data from a registered person, information regarding the legal basis for the processing shall appear, according to Article 13.1 c of the data protection regulation. The person in charge of personal data must, according to Article 12.1 of the data protection regulation, take measures to provide this information to the data subject in a concise, clear, comprehensible and easily accessible form, with the use of clear and unambiguous language. IMY considers that the text next to the checkbox on the company's website, "I accept the subscription terms. I hereby agree to personal data processing within the Bonnier Group", gives the registered person the impression that the company's legal basis for processing personal data is consent according to article 6.1 a of the data protection regulation. The information text that was under the link with the text of the subscription terms further reinforces this through the wording "When ordering, you agree that your personal data including email address, mobile number for calls and text messages and any other digital addresses, may be stored and used within Bonnier for digital services, marketing, as well as for statistical and analysis purposes." Furthermore, information is provided in the same place about the terms of consent including the right to withdraw consent.

The company has stated that the company does not base its processing of customers' personal data on consent but mainly on the legal grounds agreement or justified interest according to Article 6.1 b and f of the data protection regulation.

Against this background, IMY notes that the company has processed personal data in violation of Article 13.1 c of the data protection regulation by stating the wrong legal basis for the processing of data subjects' personal data.

Choice of intervention

From article 58.2 and article 83.2 of the data protection regulation, it appears that IMY has the power to impose administrative penalty charges in accordance with Article 83. Depending on the circumstances of the individual case, administrative sanction fees are imposed in addition to or instead of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83.2 states which factors must be taken into account when deciding whether administrative penalty charges must be imposed and when determining the size of the fee. If it is a question of a minor violation, IMY may, as set out in recital 148, instead of imposing a penalty charge issue a reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating circumstances of the case, such as the nature, severity and duration of the infringement as well as previous violations of relevance.

IMY notes the following relevant circumstances. Bonnier Magazines and Brands AB immediately took measures when IMY began its supervision to update the information in the registration flow on its website so that the registered person is accordingly met with neither a consent request nor informational text about consent. Instead the data subject is asked to accept the subscription terms (i.e. the terms of purchase) and confirm that he has read the company's data protection policy. The website has not been the page through which most of the company's customers signed their subscriptions. The use of the web shop has therefore been limited, which is why only 1372 customers signed their subscriptions via this website during the current time period. Furthermore, it was a mistake that the website was not updated in connection with the company's review of its routines in connection with the entry into force of the data protection regulation. IMY assesses that the shortcoming in question did not have serious consequences for the data subjects. Against this background, IMY assesses that it is a question of such a minor violation in the sense referred to in recital 148, which results in Expressen Lifestyle AB being given a reprimand according to article 58.2 b of the data protection regulation for the identified deficiency.

This decision has been taken by the unit manager Catharina Fernquist after a presentation by lawyer Ulrika Bergström.

Catharina Fernquist, 2023-06-26 (This is an electronic signature)

How to appeal

If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received the decision. If the appeal has been received in time, the Privacy Protection Authority forwards it to the Administrative Court in Stockholm for examination.

You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.