IMY (Sweden) - DI-2020-10696
| IMY - DI-2020-10696 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 12(3) GDPR Article 12(6) GDPR Article 15 GDPR Article 17 GDPR Article 58(2)(c) GDPR Article 58(2)(d) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 27.06.2022 |
| Published: | 23.01.2023 |
| Fine: | n/a |
| Parties: | Nordax Bank AB |
| National Case Number/Name: | DI-2020-10696 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Swedish DPA reprimanded Nordax Bank for violations of Articles 12(3), 12(6), 15 and 17 GDPR. The bank had not complied with several requests of the data subject. The DPA also ordered the bank to comply with these requests.
English Summary
Facts
Nordax (controller) is a Swedish bank. The bank entrusted a processor, Iper Direct AB (Iper), to manage its customers' address register. According to Nordax, this processor was the controller in all matters regarding this register and was also responsible for answering data subjects requests related to any processing of this register's personal data. Iper's task was to provide another processor of Nordax a selection of e-mail addresses, which were used by this second processor for direct marketing purposes on behalf of Nordax. The selection of addresses from Iper's address register was also carried out on behalf of Nordax and was based on selection criteria determined by Nordax.
It is not explicitly mentioned in this decision whether or not the data subject used to be a (former) customer of the controller. It is also not explicitly stated that the data subject received direct marketing e-mails from the controller. The latter is however most likely, looking at the objection of the data subject against direct marketing, which was eventually granted by the controller (will be further discussed below).
Round 1 (Access 1 and Erasure 1)
On 5 December 2018, the data subject filed an access request and an erasure request at Nordax, which were answered by the controller on 6 December 2018.
The access request inquired on all data relating to him and the way Nordax used it. The controller replied to the access request that it did not process and/or store the personal data of the data subject and was therefore unable to comply with the request. Rather, the controller informed the data subject of the fact that personal data was processed by its appointed processor, Iper, which was responsible for the address register of the bank and for managing data subject rights related to any processing regarding this register. Furthermore, Nordax also did not classify the request of the data subject as an access request at first, but as an objection to processing. Based on information in the data subject's e-mail, Nordax determined that the data subject's primary wish was to be blocked from the controller's direct marketing e-mails. In its reply, the controller only provided information on how the data subject could block himself from the direct marketing of the controller. In order to block the data subject from direct marketing, Nordax requested the data subject's name and address.
On the same day, 5 December 2018, the data subject also submitted an erasure request. The scope of the erasure request was not specified in this decision. In its reply to the erasure request, and along the lines of the answer to the access request, the controller stated that it did not store the data subject's personal data. It was therefore also not able to erase it, since it was stored in Iper's register.
Round 2 (Access 2, Erasure 2 and Objection 1)
Around two months later, on 11 February 2019, the data subject submitted new requests for erasure and access. This time, the data subject also specifically objected to the controller's direct marketing operations for the first time. The controller answered all off these requests on 12 February 2019.
In its reply to the access request, Nordax referred to its earlier reply of 6 December 2018 to the data subject's first access request. The same was true for the controller's response to the erasure request.
In its reply to the data subject's objection, the controller stated that the request for objection had now been granted and that the controller had taken measures to block the data subject from direct marketing. Besides the fact that Nordax did not specify what specific measures it had taken, this also turned out to be incorrect information. Nordax had not yet taken any measures to block the data subject from direct marketing. According to Nordax, this incorrect information was provided because of human error.
Round 3 (Objection 2)
Another four months later, on 9 July 2019, Nordax received another objection against the controller's marketing operation from the data subject.
In its reply to the second objection, the controller reiterated again how the data subject could block himself from the direct marketing operation of the controller, just like it did when answering the first access request (which it had mistaken for an objection). The controller also repeated its request for additional information from the data subject in order to block the data subject from its direct marketing. Strangely enough, the controller then blocked the data subject from its direct marketing without the requested information. The controller also did not inform the data subject that it had finally complied with his objection to processing.
Data subject files complaint
Even after three rounds of requests, Nordax had failed to comply with the data subject's requests for access and erasure, and did not inform the data subject that his objection to processing had been granted.
The data subject filed a complaint at the Norwegian DPA (date not disclosed), which transferred the complaint to the Swedish DPA, the supervisory authority in this decision. The concerned authorities were the DPA's of Norway, Denmark, Finland and Germany. In this complaint, the data subject stated that the controller did not respect his rights by not responding to his requests.
During the investigation of the DPA, Nordax already acknowledged that it was the controller in this case and that it should have complied with the data subject's request for access, by requesting the help of its processor, according to Article 28 GDPR.
Holding
First, the DPA confirmed that Nordax Bank was the controller because it decided both the purposes and the means of the processing. The processing in question was the selection of addresses from Iper's address register for direct marketing purposes. This selection was carried out on behalf of Nordax and was based on selection criteria determined by Nordax. Because Nordax Bank was the controller, it was also responsible for handling the data subject's requests. The fact that Nordax claimed that Iper was responsible for the address register did not change this. Also, the fact that Nordax only received de-identified data from Iper was also irrelevant for its responsibility for the processing.
Second, the DPA held that the controller violated Article 15 GDPR by failing to handle the data subject's request for access. It should have given the personal data and information to the data subject with the assistance of its processor Iper. It also should have recognised the data subject's initial request as an access request.
Third, the DPA determined that the controller violated Article 17 GDPR by not handling the data subject's request for erasure. None of the exceptions in Article 17(3) GDPR were applicable. Nordax therefore violated Article 17(1) GDPR.
Fourth, The DPA determined that the controller violated Article 12(3) GDPR because the controller had provided incorrect information. The controller had incorrectly informed the data subject on 12 February 2019 that he was blocked from the controller's direct marketing operation, while this was not the case at the time.
Fifth; The DPA determined that the controller violated Article 12(6) GDPR by requesting additional information of the data subject before complying with the data subject's second objection request on 9 July 2019. Nordax already had access to all the information necessary to comply with the objection of the data subject.
Lastly, the DPA concluded that the controller violated Article 12(3) GDPR once more by not informing the data subject that, in accordance with his second objection request of 9 July 2019, he would no longer be subject to the controller's direct marketing operation.
The DPA held that this was a minor infringement and reprimanded the controller pursuant of Article 58(2)(b) GDPR. The DPA further ordered the controller to comply with the access request pursuant of Article 58(2)(c) GDPR and to deal with the erasure request pursuant of Article 58(2)(d) GDPR. Also, the DPA ordered the controller pursuant of Article 58(2)(d) GDPR to provide the data subject information on the measures taken to comply with the data subject's objection to the processing in accordance with Article 12(3) GDPR.
Comment
Regarding the violation of Article 15 GDPR, the DPA states that the controller should have complied with the data subject's request for access. It is not clear to which of the two access requests the DPA is referring. It could be that this is the second request of 11 February 2019, since the controller had mistaken the first request to be an objection to processing. This is however speculative.
In contrast, regarding the violation of Article 17 GDPR, the DPA states that the controller should have complied with the data subject's requests for erasure. So in this case, the DPA does determine a violation for both requests of the data subject.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(11)
Notice: This document is an unofficial translation of the
Swedish Authority for Privacy Protection’s (IMY) decision
2022-06-27, no. DI-2020-10696. Only the Swedish version
of the decision is deemed authentic.
Ref no:
2020-10696, Decision under the General Data
IMI case no. 134903
Protection Regulation – Nordax Bank
Date of decision:
AB
2022-06-27
Date of translation:
2022-06-27
Decision of the Swedish Authority for Privacy
Protection (IMY)
The Swedish Authority for Privacy Protection (IMY) finds that Nordax Bank AB has
processed personal data in breach of:
- Article 15 of the General Data Protection Regulation (GDPR) by failing to
handle the complainant’s requests of access made on 5 December 2018 and
11 February 2019.
- Article 17 by not without undue delay handle the complainant’s requests for
erasure made on 5 December 2018 and 11 February 2019.
- Article 12(3) by not without undue delay provide information to the
complainant on the measures taken, namely that the complainant was
blocked from direct marketing mailings, in response to the complainant’s
objection to direct marketing made on 9 July 2019.
The Swedish Authority for Privacy Protection finds that Nordax Bank AB has
processed personal data in breach of:
- Article 12(6) by requesting the complainant to submit further information in
order to comply with the request to object to direct marketing on 9 July 2019,
even though the data provided in the request was sufficient to actually
complete the request.
The Authority for Privacy Protection issues Nordax Bank AB a reprimand pursuant to
Postal address: Article 58(2)(b) of the GDPR for the infringement of the Articles 12(3), 12(6), 15, 17 of
Box 8114
the GDPR.
104 20 Stockholm
Website: In accordance with Article 58(2)(c) of the GDPR, IMY orders Nordax Bank AB to:
www.imy.se
E-mail:
imy@imy.se 1
Phone: protection of natural persons with regard to he processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation).
08-657 61 00Privacy Protection Authority Our ref: 2020-10696 2(11)
Date:2022-06-27
- Comply with the complainant’s request to exercise its right of access under
Article 15 of the GDPR, with exception for information which is subject to any
applicable derogation provided for in Article 15(4). This is done by providing
the complainant access to all personal data that Nordax process regarding the
complainant by providing the complainant with a copy of the personal data
referred to in Article 15(3) and provide information pursuant to points (a) to (h)
of Article 15(1) and 15.2. The measures shall be implemented no later than
two weeks after this decision has become final.
In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to:
- Handle the complainant’s request of erasure of all of his personal data
according to Article 17 by assessing whether there is personal data that the
company in accordance with Article 17 is obliged to erase and, if so, to do so,
and to inform the complainant in accordance with Article 12(3) or (4). The
measures must be implemented no later than two weeks after this decision
has become final.
In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to:
- In accordance with Article 12(3), provide the complainant with information on
the measures which have been taken in response to the complainant’s
request to exercise his right of objection to processing for direct marketing
purposes. The measures shall be implemented no later than two weeks after
this decision has become final.
Report on the supervisory matter
The Authority for Privacy Protection (IMY) has initiated supervision regarding Nordax
Bank AB (Nordax or the company) due to a complaint. The complaint has been
submitted to IMY, as responsible supervisory authority for the company’s operations
pursuant to Article 56 of the General Data Protection Regulation (GDPR). The
handover has been made from the supervisory authority of the country where the
complainant has lodged their complaint (Norway) in accordance with the Regulation’s
provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light
of a complaint relating to cross-border processing, IMY has used the mechanisms for
cooperation and consistency contained in Chapter VII of the GDPR. The supervisory
authorities concerned have been the data protection authorities in Norway, Denmark,
Finland and Germany.
The complaint
The complaint states the following. The complaint alleges that the company has not
dealt with the complainant’s requests to exercise the complainant’s rights under the
GDPR in relation to the right of access pursuant to Article 15, the right of erasure
pursuant to Article 17 and objection to obtaining personal data processed for direct
marketing purposes as referred to in Article 21(2). E-mail correspondence with the
company is attached to the complaint.
What Nordax has stated
Nordax has mainly stated the following.Privacy Protection Authority Our ref: 2020-10696 3(11)
Date:2022-06-27
Nordax is the data controller for the processing to which the complaint relates. The
processing is carried out by Nordax personal data processor Iper Direkt AB (Iper) on
behalf of Nordax and for direct marketing purposes, which is regulated in agreements
between Nordax and Iper. Nordax determines the purposes and means of the
processing. The relationship can be compared to the example set out in the EDPB
Guidelines 07/2020 on the terms “controller” and “processor” in GDPR, (“Example:
market research”). 2
Iper is responsible and the controller of the address register and responsible for
managing the rights of data subjects whose personal data are available in this address
register. Based on these, Iper makes, on behalf of Nordax, a selection from its address
register and provides the addresses to another data processor that Nordax uses to
carry out the marketing mailings. Nordax does not process or store any personal data
since the data provided by Iper to Nordax is de-identified.
Right of access
Nordax Bank AB originally received a request for access from the complainant on 5
December 2018. The request concerned "information on all data relating to me as you
have stored and what the data is used for". The complainant’s request was answered
by email on 6 December 2018 with the information that the complainant’s personal
data are not processed by Nordax why a request for access (or erasure) could not be
handled. Nordax states that, as a data controller, however, the company should have
interpreted this as a request under Article 15 of the GDPR and provided the
complainant with access to personal data with the help of the personal data processor
Iper in accordance with the provisions of Article 28 of the GDPR. Nordax took the view
that the complainant´s main request was not a request of access to personal data
pursuant to Article 15. In the light of the information in the complainant’s email and that
the complainant did not contact Nordax after a block on direct marketing was
established in respect of the complainant on 9 July 2019, Nordax considered that the
complainant’s primary wish was to be blocked against addressed direct marketing from
the company. Nordax believes that the complainant considers that the request for
objection has been dealt with but can definitely comply with the complainant’s request
for access if the complainant still wishes to exercise its right to access to the personal
data.
Right to erasure
The complainant´s request for erasure was received on 5 December 2018 and Nordax
replied to it on 6December 2018. It was clear from the reply that the company did not
consider that it stored the complainant´s personal data, why any erasure of data at
Nordax could not be done. It is the address provider Iper, Nordax data processor, who
is reported to have stored the complainant’s personal data at the time of the
complainant’s request. Iper is controller of the address register for which Nordax
receives addresses for direct marketing mailings. Nordax does not have the ability to
erase personal data in Iper’s register. It is against this background that Nordax has not
complied with the complainant’s request for erasure.
Furthermore, Nordax states that the company is currently processing personal data
regarding the complainant in order to maintain a block on addressed direct marketing,
which is necessary to comply with a legal obligation. Nordax has by e-mail on 6
December 2018 and 16July 2019 provided general information to the complainant that
Nordax may process the complainant’s personal data in order to maintain a block on
addressed direct marketing. Personal data of the complainant is also being processed
to deal with the ongoing supervisory case which will be discontinued when the
enforcement case is closed. The company has not interpreted the complainant´s
2 EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2,0, page 19.Privacy Protection Authority Our ref: 2020-10696 4(11)
Date:2022-06-27
request for erasure in such a way that it would have included these ongoing processes
of personal data.
Right of objection
The complainant submitted a request for access and deletion on 5December 2018
which Nordax replied on 6December 2018. In the light of the information in
the complainant´s request Nordax presumed that the complainant had received
addressed direct marketing mailings of Nordax products. Therefore, Nordax provided
information on how the complainant should proceed with a block against further direct
marketing mailings of Nordax products. In order to block an individual against
addressed direct marketing Nordax needs information about the individual’s pre- and
surname and full address which the company informed the complainant about. Nordax
never received additional information from the complainant and could not therefore
block the complainant from the addressed direct marketing mailings. On 11February
2019, the complainant submitted a further request for access and erasure and
objection to receiving direct marketing mailings. Nordax responded to the
complainant´s request on 12 February 2019 by referring to an earlier reply to the
request for access and erasure and stated that Nordax has grant the complainant´s
request to object to receiving further direct marketing. However, the complainant was
wrongly informed on that occasion that Nordax had taken measures to prevent the
complainant from receiving further direct marketing mailings. Nordax believes that the
handling of the case in question has failed due to the human factor and the company
reviews its procedures for individuals who wish to object to direct marketing mailings
because of this, to ensure that incorrect information is not sent again.
The complainant´s lodged a further complaint on 9July 2019, which Nordax once
again replied with information on how the complainant should proceed in order to block
himself against addressed direct marketing mailings. At the time of receipt of this
objection, the complainant was also finally blocked against further addressed direct
marketing mailing from Nordax products. However, Nordax has not informed that
complainant was blocked from such further direct marketing mailings of Nordax
products. Nor did the complainant contact Nordax after 9July 2019.
Justification of the decision
Applicable provisions, etc.
Data controller
The controller, as defined in Article 4(7) of the GDPR, means the natural or legal
person which alone or jointly with others determines the purposes and means of
the processing of personal data.
In the European Data Protection Board (EDPB) Guidelines 07/2020 on the concepts
data controller and processor in the General Data Protection Regulation
the following is mentioned concerning the respective roles of processors and
controllers in the exercise of data subjects’ rights:
“It is crucial to bear in mind that, although the practical management ofPrivacy Protection Authority Our ref: 2020-10696 5(11)
Date:2022-06-27
individual requests can be outsourced to the processor, the controller bears the
responsibility for complying with such requests. Therefore, the assessment as to
whether requests by data subjects are admissible and/or the requirements
set by the GDPR are met should be performed by the controller, either on a case-by-
case basis or through clear instructions provided to the processor in the contract
before the start of the processing. Also, the deadlines set out by Chapter III cannot be
extended by the controller based on the fact that the necessary information must be
provided by the processor.” 3
It also states the following in an example, to which Nordax refers to concerning
the relationship between Nordax and Iper:
“Example: Market research 1 Company ABC wishes to understand which types of
consumers are most likely to be interested in its products and contracts a service
provider, XYZ, to obtain the relevant information. Company ABC instructs XYZ on what
type of information it is interested in and provides a list of questions
to be asked to those participating in the market research. Company ABC receives only
statistical information (e.g., identifying consumer trends per region) from XYZ and does
not have access to the personal data itself. Nevertheless, Company ABC decided that
the processing should take place, the processing is carried out for its purpose and its
activity and it has provided XYZ with detailed instructions on what information to
collect. Company ABC is therefore still to be considered a controller with respect of the
processing of personal data that takes place in order to deliver the information it has
requested. XYZ may only process the data for the purpose given by Company ABC
and according to its detailed instructions and is therefore to be regarded as
processor.” 4
In the literature, Öman points out the following.
“The legal person which engages any other legal person to process personal data, e.g.
for storing and disseminating or for collecting and processing the personal data, is
normally considered to be the data controller and the hired as a personal data
processor. This applies even if it is the hired company and not the company who hires
who has the knowledge of how to best process the personal data, such as how to
store, collect, disseminate and process them, and the resources to do it. In fact, the
company who hires has decided the means of processing of the personal data by
employing a company that can use certain methods. This may involve outsourcing IT
operations or to hire a company to collect personal data within the framework of a
market research."
Rights of the data subject
According to Article 12(3) of the GDPR, the controller shall provide information on
action taken on a request under Articles 15 to 22 to the data subject without undue
delay and in any event within one month of receipt of the request. That period may be
extended by two further months where necessary, taking into account the complexity
and number of the requests. The controller shall inform the data subject of any such
extension within one month of receipt of the request, together with the reasons for the
delay.
Pursuant to Article 12(6), where the controller has reasonable doubts concerning the
identity of the natural person making the request referred to in Articles 15 to 21, the
controller may request the provision of additional information necessary to confirm the
identity of the data subject.
3EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2,0, paragraph 132.
4EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2,0, page 19.Privacy Protection Authority Our ref: 2020-10696 6(11)
Date:2022-06-27
Under Article 15(1), the data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or her are being
processed, and, where that is the case, access to the personal data from the
controller.
Pursuant to Article 17(1), the data subject shall have the right to obtain from the
controller the erasure of personal data concerning him or her without undue delay and
the controller shall have the obligation to erase personal data without undue delay
under certain conditions set out in the current article.
Under Article 21(2) and (3), the data subject shall have the right to object at any time
to processing of personal data for direct marketing purposes concerning him
or her. Where the data subject objects to processing for direct marketing purposes, the
personal data shall no longer be processed for such purposes.
Assessment of the Authority for Privacy Protection (IMY)
On the basis of the complaint in this case, IMY examined the company’s conduct in the
individual case. Therefore IMY will not consider whether the company’s current
procedure for processing requests is compatible with the GDPR, but may take into
account possible improvements when considering choice of corrective measures.
Is Nordax’s data controller for the processing in question and has the company
been obliged to deal with the complainant´s requests to exercise his rights?
The question in this case is whether Nordax has had an obligation to comply with the
complainant’s requests for access, erasure and objection under the GDPR and in in
that case, if the company handled the complainant´s requests correctly. In order to
investigate this, IMY first needs to consider whether Nordax is the controller of
personal data for the processing of personal data in this case.
Nordax has stated that the company is the data controller for the processing.
The processing consists of the fact that the company Iper — on behalf of Nordax and
based on selection criteria that Nordax determines — makes a selection from Iper’s
address register and provides addresses for the sending of direct marketing to a third
company that Nordax hires to make the mailings. Nordax argues that the company
itself does not deal with any data, as the data provided by Iper to Nordax are de-
identified.
The investigation shows that Nordax initially failed to comply with the complainanat´s
first requests for access and erasure pursuant to Articles 15 and 17 on the grounds
that the Company does not process or store the complainant’s personal data and that
instead the complainant should refer directly to Iper. IMY notes, however, that it is not
required to have access to or store personal data in order to be considered to be data
controller for a particular processing operation. What matters is who decides
the purposes and means of the processing.
Since the processing consisting of the selection from Iper´s address register for direct
marketing is carried out on behalf of Nordax and based on the selection criteria that
Nordax has decided, IMY believes that Nordax determines the purpose and means of
the processing and is therefore the controller for the processing. This means that
Nordax is responsible for handling the complainant’s requests, either by handling the
request itself or to give clear instructions to for example a data processor, in order forPrivacy Protection Authority Our ref: 2020-10696 7(11)
Date:2022-06-27
the data processor to be able to do so. Nordax’s argument that it is not responsible for
Iper’s address register does not alter that.
What Nordax has stated that Nordax receives only de-identified data from Iper is
irrelevant for the company’s responsibility to deal with the complainant´s requests.
Nordax is responsible for the processing of personal data carried out by Iper namely
the selection of the advertising received by the complainant to which the complaint
relates.
There is therefore no need to consider whether the data received by Nordax are
de-identified in such a way that they are not personal data. IMY points out that even
information that can directly or indirectly identify a natural person is personal data,
including information that has been encoded, encrypted or pseudonymised but which
can be linked to a natural person with help of additional information.
Since IMY has found that Nordax is the data controller for the processing that
the complaint concerns and is therefore responsible for ensuring that the
complainant’s requests to exercise its rights under the GDPR are dealt with, IMY goes
on to investigate whether Nordax handled the requests correctly under the Regulation.
Has Nordax handled the complainant’s requests to exercise its rights been in
compliance with the GDPR?
Request for access
It is apparent from the investigation that the complainant submitted its first request to
access to the company on 5December 2018. The request was worded in such a way
that the complainant would like to receive access to all data stored by the company on
the complainant and information about what the data was used for. Nordax did not
take any action other than to inform the complainant that the complainant´s personal
data were not being processed by the company and that the request could therefore
not be met. At the same time, Nordax informed of its process for selection and
dispatch of addressed direct marketing and which address provider Nordax uses for
selection of addresses. The complainant subsequently submitted its second request
for access on 11February 2019, to which Nordax replied on 12February by referring to
its previous reply to the complainant.
During the investigation Nordax stated that it should have interpreted the
complainant´s requests as a request to exercise their right of access under Article 15
of the GDPR and provided the complainant with the data and information
to which the complainant was entitled too with the assistance of Iper. IMY shares this
assessment. IMY notes in that regard that it is true that, in its request, the complainant
referred to the storage data, but that nevertheless, it should have been clear to Nordax
that the complainant intended to exercise its full right of access and that it is Nordax
responsibility, such as data controller for the processing, to ensure that the request
was handled.
Furthermore, IMY notes that Nordax has still not complied with the request even
though the company now admits that the company is obliged to do so. Nordax has
stated that it can comply with the complainant’s request for access if the complainant
so wishes. IMY notes, however, that there has been no evidence to suggest that the
request still wouldn’t be relevant, such as the fact that the complainant would have
5EDPB 07/2020 on the concepts of controller and processor in the GDPR, 2,0, paragraph 132.Privacy Protection Authority Our ref: 2020-10696 8(11)
Date:2022-06-27
withdrawn it. By failing to comply with the applicant’s request for access Nordax has
processed personal data in violation of Article 15 of the GDPR.
Request for deletion
It is apparent from the investigation that, on 5December 2018, the complainant also
submitted his first request for deletion. Nordax did not take any action other than to
inform the complainant that the complainant´s personal data were not processed by
the company and that the request could therefore not be met. At the same time,
Nordax informed of its process for selection and dispatch of addressed direct
marketing and which address provider Nordax uses for selection of addresses. The
complainant subsequently submitted its second request for deletion on 11February
2019, to which Nordax replied on 12February by referring to its previous reply to the
complainant.
Article 17(3) of the GDPR provides for an exhaustive demonstration of the
grounds on which a request for erasure may be rejected. That the controller
not storing the data being processed is not such a basis. As IMY has stated above, the
company is obliged to deal with the complainant’s requests, which the company
haven't done. Nordax thus processes personal data in violation of Article 17 of the
GDPR by not without undue delay handle the complainant’s requests for erasure.
Request for objection
The investigation shows that Nordax perceived that, on 5December 2018, the
complainant also submitted an objection to the processing of personal data for
direct marketing purposes pursuant to Article 21(2) GDPR. Nordax informed the
complainant how the complainant could proceed to object to further direct marketing
and requested additional information from the complainant in order to be able to fulfil
that right. However, the complainant did not return with additional information.
IMY considers that, as the request was worded, the complainant had not invoked its
right of objecting to direct marketing. IMY therefore notes that Nordax did not have
any obligation to deal with it as such a request, but welcomes the fact that
Nordax nevertheless provided information on how the complainant could proceed to
block further direct marketing.
However, the complainant lodged its first actual request of objection to further direct
marketing on 11February 2019. Nordax provided information that the complainant had
been blocked against further direct marketing, but the information at this point was
incorrect. Because Nordax left incorrect information to the complainant on 12February
2019 on the measures taken on the basis of the complainant´s request for objection
meaning that the complainant´s information was blocked for further direct marketing
mailings Nordax has acted in violation of article 12.3.
The complainant lodged its second objection on 9July 2019. Nordax
replied to the complainant on 16July 2019 referring to previous replies on how
the complainant could try to block him or herself from further marketing. The company
however blocked, the complainant against further addressed direct marketing on 9July
2019, but did not inform the complainant of this measure.
Against this background, IMY takes the view that Nordax has satisfied the
complainant´s second request of objection pursuant to Article 21(2) of the GDPR.Privacy Protection Authority Our ref: 2020-10696 9(11)
Date:2022-06-27
In Nordax reply to the second request, the company asked the complainant to submit
additional information in order to comply with the request, even though the existing
information in the request according to Nordax, was sufficient to actually satisfy the
request directly. For this reason Nordax has requested additional information that has
not been necessary to confirm the identity of the data subject in violation of 12(6).
Furthermore, Nordax did not inform the complainant that, in accordance with its
second requests for objection the complainant was blocked against further addressed
direct marketing. By doing so, Nordax has failed to fulfil its obligation under Article
12(3) to provide the data subject with information on the measures taken under
Article 21 and thus processed personal data in breach of Article 12(3) of
the GDPR.
Choice of corrective measure
It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the
power to impose administrative fines in accordance with Article 83. Depending on the
circumstances of the case, administrative fines shall be imposed in addition to or in
place of the other measures referred to in Article 58(2), such as injunctions and
prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into
account when deciding on administrative fines and in determining the amount of the
fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of
imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider is
the aggravating and mitigating circumstances of the case, such as the nature, gravity
and duration of the infringement and past relevant infringements.
IMY notes the following relevant facts. Nordax have stated that they have taken action
by reviewing their procedures to ensure that incorrect information should not be
sent again and reviewing how the company handles data subjects’ rights regarding
processing carried out on the company’s behalf by the company’s processor.
According to IMY the noted infringements found occurred relatively far back in time,
partly due to the human factor and has affected one person. In addition, the company
has not previously acted in breach of the GDPR.
Against this background IMY considers that it is a minor infringement within the
meaning of recital 148 and that Nordax Bank AB must be given a reprimand pursuant
to Article 58(2)(b) of the GDPR.
Since the company has not handled the complainat´s request for access even though
the company is obliged to do so, IMY considers that there is reason in accordance with
Article 58(2)(c) to order the company to comply with the complainant´s request to
exercise its right of access under Article 15 with exception for information which is
subject to any applicable derogation provided for in Article 15(4).This is done by
providing the complainant access to all personal data that Nordax process regarding
the complainant by arranging a copy to the complainant of the personal data referred
to in Article 15(3) and provide information pursuant to points (a) to (h) of Article 15(1)
and 15.2. The measures shall be implemented no later than two weeks after this
decision has become final.
The company has also failed to deal with the complainant’s request for erasure even
though the company is obliged to do so. IMY therefore considers that it is appropriate,
on the basis of Article 58.2(d) to order the company to deal with the complainant’s
request for erasure of all personal data referred to in Article 17 by considering whetherPrivacy Protection Authority Our ref: 2020-10696 10(11)
Date:2022-06-27
there is personal data which the company is obliged to erase in accordance with
Article 17 and, if so, erase the information and inform the complainant in accordance
with Article 12(3) or (4). Measures shall be completed no later than two weeks after the
date on which this decision has become final.
Furthermore, Nordax did not inform the complainant about the measure which been
taken, namely that the complainant been blocked for further addressed direct
marketing, in response to the complainant’s second request to exercise the right of
objection to process for direct marketing purposes. IMY considers that it is appropriate,
pursuant to Article 58(2)(d), to order the company to in accordance with Article 12(3),
provide the complainant with information on the measures which been taken in
response to the complainant’s request to exercise his right of objection to processing
for direct marketing purposes. The measures shall be implemented no later than two
weeks after this decision has become final.
_________________________________________________________
This decision has been approved by the specially appointed decision-maker
after presentation by legal advisorPrivacy Protection Authority Our ref: 2020-10696 11(11)
Date:2022-06-27
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy
Protection. Indicate in the letter which decision you appeal and the change you
request. The appeal must have been received by the Authority for Privacy Protection
no later than three weeks from the day you received the decision. If the appeal has
been received at the right time, the Authority for Privacy Protection will forward it to the
Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
any privacy-sensitive personal data or information that may be covered by
confidentiality. The authority’s contact information is shown in the first page of the
decision.
