IMY (Sweden) - DI-2020-10538

From GDPRhub
IMY - DI-2020-10538
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(3) GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 22.01.2021
Published: 22.01.2021
Fine: None
Parties: n/a
National Case Number/Name: DI-2020-10538
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: Integritetsskyddsmyndigheten (in SV)
Initial Contributor: Elisavet Dravalou

The Swedish DPA held that a controller has violated article 12(3) GDPR, because, although they complied with an erasure request, they did not subsequently notify the data subject.

English Summary


A data subject made an erasure request at MAG Interactive AB on the 29th of November 2018. Since the request came from an email address that wasn't linked with the data subject's account, the controller asked for proof of identity. The data subject provided proof of identity on the 29th of May 2019. MAG Interactive AB complied with the request and deleted the personal data concerned 16 days upon the reception of the request, but out of negligence, they did not informed the data subject regarding the action taken. The reason why the data subject wasn't notified was that the second request with the proof of identity came by regular post and MAG Interactive AB normally handles requests in a system where notifications of actions taken are sent automatically.



The Swedish DPA held that MAG Interactive AB in first place, had the right to verify the identity of the data subject. Upon the reception of the proof of the data subject's identity, MAG Interactive AB deleted the personal data concerned in compliance with article 17 GDPR. Despite that, they did not notify the data subject about the action taken (deletion of his personal data) and therefore they violated article 12.3. As MAG Interactive AB reassured the DPA that they will take appropriate organisational measures to ensure that this will not occur again, the DPA closed the case and no fine was issued.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                                                                                             1 (3)

                                                                MAG Interactive AB
                                                                Drottninggatan 95A
                                                                113 60 Stockholm

Record number:
DI-2020-10538 Decision after supervision according to

Date: Data Protection Regulation - MAG

                             Interactive AB

                             The decision of the Integrity Protection Authority

                             The Privacy Protection Authority states that MAG Interactive AB has processed
                             personal data in breach of Article 12 (3) of the Data Protection Regulation by not without

                             unnecessary delay informed the complainant of the outcome of the complainant's request for
                             deletion pursuant to Article 17 of 29 May 2019 until 6 November 2020.

                             The case is closed without action.

                             Report on the supervisory matter

                             The Privacy Protection Authority (IMY) has initiated supervision regarding MAG Interactive AB
                             (the company) in connection with a complaint. The complaint has been submitted to IMY, i
                             as the supervisory authority responsible for the company's activities in accordance with Article 56

                             the Data Protection Regulation, from the supervisory authority of the country where the complainant has left
                             lodged its complaint in accordance with the provisions of the Regulation on cooperation in
                             cross-border cases.

                             The complaint alleges that the company has not handled the complainant's request
                             deletion of the complainant's personal data in accordance with Article 17 of the Data Protection Regulation.

                             MAG Interactive AB has mainly stated the following. The company first received a request
                             on deletion of the complainant's account on the company's services on 29 November 2018 (on

                             first request). Because the request came from a different email address than the one that
                             linked to the account, the company requested that the complainant return with evidence to
                             proof of his identity, which the complainant did not do. On May 29, 2019, a new one was added

                             request for deletion of the complainant's account, but then by post and with the required
                             evidence to prove the identity of the complainant (the second request). The company deleted
Postal address: the complainant's information manually on 15 June 2019 in accordance with the request, except those
Box 8114
                             information needed to show that the request has been processed. Due to oversight
104 20 Stockholm, however, the complainant was not informed of the outcome of the request in connection with that

E-mail: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on
08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation). Integrity Protection Authority Record number: DI-2020-10538 2 (3)
                               Date: 2021-01-22

                               request was processed. Instead, it took place only in connection with a review before answers in
                               this supervisory matter, ie on 6 November 2020.

                               The processing has taken place through correspondence. Given that it applies to one

                               cross-border complaints, the IMY has used the mechanisms of cooperation
                               and uniformity contained in Chapter VII of the Data Protection Regulation. Affected
                               regulators have been the data protection authorities in Norway, Ireland, France,

                               Austria, Denmark, Poland and Germany.

                               Justification of decision

                               Applicable regulations

                               According to Article 12 (3) of the Data Protection Regulation, the controller shall:

                               request without undue delay and in any case no later than one month after
                               to have received the request to provide the data subject with information on the measures taken
                               taken in accordance with Article 17. This period may, if necessary, be extended by a further two

                               months, taking into account the complexity of the request and the number received
                               requests. The personal data controller shall notify the data subject of a
                               such extension within one month of receipt of the request and state the reasons

                               to the delay.

                               According to Article 12 (6), the controller may, if he has reasonable grounds for:
                               question the identity of the natural person submitting a request under Article 17;
                               request additional information necessary to confirm the data subject's

                               identity is provided.

                               According to Article 17 (1) (a), the data subject shall have the right to be informed by the controller

                               without undue delay have their personal data deleted and it
                               the person responsible for personal data shall be obliged to delete without undue delay
                               personal data if the personal data are no longer necessary for the purposes for which

                               which they have collected or otherwise treated. According to Article 17 (3) (b), this shall not be the case
                               apply to the extent that the processing is necessary to comply with a legal
                               obligation requiring treatment under Union law.

                               Pursuant to Article 57 (1) (f), each supervisory authority in its territory shall be responsible for:
                               process complaints from a data subject and, where appropriate, investigate the matter

                               to which the complaint relates.

                               The Integrity Protection Authority's assessment

                               Regarding the first request, IMY states that MAG Interactive AB was reasonable

                               reasons to doubt the identity of the appellant and thus justifiable to request that the appellant
                               provided additional evidence, which the appellant did not do. IMY considers against this
                               background that the company has not been obliged to take any further measures

                               due to that request.

                               With regard to the second request, IMY notes that the company deleted the complainant's

                               information, in addition to the information required to demonstrate that the request has been processed, within
                               16 days from the company receiving the request on May 29, 2019. IMY believes that the company has
                               deleted the complainant's information without undue delay within the meaning of Article

                               17 Data Protection Regulation. Furthermore, the company has been justified in retaining the information. The Privacy Protection Agency Record number: DI-2020-10538 3 (3)
                                Date: 2021-01-22

                                needed to demonstrate that the request has been processed in accordance with
                                the Data Protection Regulation.

                                However, the company first informed the complainant of the outcome of the second request
                                6 November 2020. Since the data controller pursuant to Article 12 (3) without

                                unnecessary delay and in any case no later than one month after receipt
                                request, with no exception here, shall inform the data subject of the
                                measures taken pursuant to Article 17, MAG Interactive AB has violated Article 12 (3)

                                the Data Protection Regulation.

                                The company has stated that the reason why the complainant was not informed of the result
                                of the request was due to an oversight. According to the company, this was mainly caused by
                                that the request was handled manually because it was received by mail and that the company normally

                                handles requests in a system where notifications of actions taken are sent
                                automatically. Due to what happened, the company has stated that it will see

                                over their routines so that what happened is not repeated. The company will, among other things, put
                                set up a separate log for manual cases to ensure that all steps are followed, including
                                that the user is notified in the manner he has requested.

                                IMY states that it is of course important that the person responsible for personal data notifies

                                the data subject on what measures have been taken in connection with his
                                request, even in cases where the request is fully complied with to the extent that may be required.

                                In light of the circumstances regarding the infringement that the company has highlighted
                                - and the measures that the company has stated that it has taken and will take - considers
                                however, IMY that the substance of the complaint has been investigated to the extent appropriate

                                Article 57 (1) (f) of the Data Protection Regulation.

                                Against this background, the case is closed without action.

                                This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by

                                lawyer Olle Pettersson.

                                Catharina Fernquist, 2021-01-22 (This is an electronic signature)