IMY (Sweden) - DI-2021-10263

From GDPRhub
IMY - DI-2021-10263
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(a) GDPR
Article 15 GDPR
Article 15(1)(c) GDPR
Article 19 GDPR
Article 56 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 11.05.2022
Published:
Fine: n/a
Parties: Klarna Bank AB
National Case Number/Name: DI-2021-10263
European Case Law Identifier: EDPBI:SE:OSS:D:2022:366
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In a procedure under Article 60 GDPR, the Swedish DPA reprimanded Klarna Bank AB for not providing information on the recipients to which personal data had been disclosed when replying to an access request under Article 15 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject complained that a bank (controller) violated Article 15 GDPR, because it did not provide all information he initially requested. The controller did not provide information regarding recipients to whom personal data of the data subject had been disclosed. The controller did not provide this additional information even after the data subjects specifically asked for it in a follow-up request.

The data subject filed his complaint with the DPA in Germany. A German DPA transferred the complaint to the Swedish DPA, which was the Lead Supervisory Authority (Article 56 GDPR) in this case. The Swedish DPA used the mechanisms for cooperation and consistency (Chapter VII GDPR), because this complaint regarded cross-border processing. The CSAs (Concerned Supervisory Authorities) were located in Germany, Denmark, Austria, Italy, Poland and Finland.

The controller stated that it did not have the obligation to provide access in the way the data subject requested and that it had acted in a GDPR compliant way. To support this argument, the controller also stated that the EDPB Guidelines 01/2022 on Access were adopted on 18 January 2022, two years after the data subject's case regarding access was closed. These Guidelines state that the controller should provide the actual recipients unless it would only be possible to indicate the category of recipients. It already followed from Articles 13 and 14 GDPR that the recipients or categories of recipients of personal data should be as concrete as possible in respect of the principles of transparency and fairness. These Guidelines also state that storing information about the actual recipients is also necessary to comply with Article 5(2) GDPR.

Holding[edit | edit source]

The DPA determined that the controller violated Article 15 GDPR. The DPA stated that Article 15(1)(c) GDPR must be interpreted as a right to obtain information from the controller about the actual recipients to whom the personal data have been - or will be disclosed, unless this proves impossible or involves disproportionate effort. The controller should especially provide this data when the data subject is specifically asking for it. The DPA reached this conclusion by interpreting Article 15(1)(c) GDPR together with Articles 19 and Article 5(1)(a) GDPR, the principles of fairness and transparency.

The DPA held that in the present case, the data subject had explicitly requested information about recipients of his personal data. The controller did not prove that providing this information was impossible or would involve disproportionate effort.

The DPA also clarified that it did not claim that the controller had an obligation to comply with the EDPB Guidelines, which were not yet available at the time of the violation. The DPA stated that its reason for citing the Guidelines was to prove that there was wide support for the DPA's opinion, which also followed from the wording of Article 19 GDPR.

The DPA held that the violation constituted a minor infringement (Recital 148). The violation only affected one data subject. Also, no sensitive data was involved. Furthermore, the controller otherwise complied with the access request. Therefore, the DPA only reprimanded the controller (Article 58(2)(b) GDPR).

Comment[edit | edit source]

The document from the EDPB website is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-05-11, no. DI-2021-10263. Only the Swedish version of the decision is deemed authentic.

In the text of the decision, it was not clarified which German DPA transferred the decision to the Swedish DPA. Looking at the code used in the registration number for this decision (LDA-1085.1-1399/20-F), it is most likely the decision seems to have been transferred by the Brandenburg DPA (LDA: Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.

1(4)









                                                                        Notice: This document is an unofficial translation of
                                                                        the Swedish Authority for Privacy Protection’s (IMY)
                                                                        decision 2022-05-11, no. DI-2021-10263. Only the
                                                                        Swedish version of the decision is deemed authentic.



Registration number:
                                Decision under the General Data
DI-2021-10263, IMI case no.
185203,
LDA-1085.1-1399/20-F            Protection Regulation — Klarna Bank

Date of decision:               AB
2022-05-11




                                Decision of the Swedish Authority for Privacy

                                Protection (IMY)


                                The Authority for Privacy Protection (IMY) finds that Klarna Bank AB is processing
                                personal data in breach of Article 15 of the General Data Protection Regulation
                                        1
                                (GDPR) by not complying with the complainant’s request of 22 December 2019 for
                                information about the recipients to whom his personal data have been disclosed.

                                The Authority for Privacy Protection issues Klarna Bank AB a reprimand pursuant to

                                Article 58(2)(b) of the GDPR for the infringement of Article 15 of the GDPR.


                                Report on the supervisory case


                                The case handling
                                The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna
                                Bank AB (Klarna) due to a complaint. The complaint has been submitted to IMY, in its

                                capacity as lead supervisory authority under Article 56 of the General Data Protection
                                Regulation (GDPR). The handover has been made by the supervisory authority of the
                                country where the complainant has lodged his complaint (Germany) in accordance

                                with the Regulation’s provisions on cooperation concerning cross-border processing.

                                The investigation in the case has been carried out through correspondence. Since the
                                complaint regards cross-border processing, IMY has used the mechanisms for

                                cooperation and consistency contained in Chapter VII of the GDPR. The supervisory
                                authorities concerned have been the data protection authorities in Germany, Denmark,
                                Austria, Italy, Poland, and Finland.


                                The complaint
Postal address:                 The complainant mainly states the following.
Box 8114
104 20 Stockholm
Website:                        He has requested access to his personal data under Article 15 of the GDPR. The
www.imy.se                      information he obtained from Klarna did not include all the information that he had

E-mail:
imy@imy.se                      1
Telephone:                       Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the
                                and repealing Directive 95/46/EC (General Data Protection Regulation).nd on the free movement of such data,
08-657 61 00Integritetsskyddsmyndigheten    Diarienummer: DI-2021-10263                                                               2(4)
                                Datum: 2022-05-11






                                asked for since it lacked information about the recipients to whom his personal data
                                had been disclosed. Even though the complainant came back with a request to know
                                exactly which recipients his data had sent to, Klarna has not complied with this

                                request.

                                Due to the complaint, IMY has initiated supervision in order to examine if the

                                complainant’s request has been complied with in accordance with Article 15 of the
                                GDPR.


                                What Klarna has stated
                                Klarna states that it is the controller for the processing to which the complaint relates.

                                                                                     th
                                The information sent to the complainant on the 24 of January 2020 is in accordance
                                with the obligations of the GDPR. Klarna has no duty to reply to the complainant’s
                                access request in any other way that it did. The EDPB Guidelines 01/2022 on access
                                                         th
                                was adopted on the 18 of January 2022, i.e. two years after the complainant’s case
                                regarding access request was closed.


                                Justification of the decision


                                Applicable provisions, etc.


                                Article 15 of the GDPR provides that he data subject shall have the right to obtain from
                                the controller confirmation as to whether or not personal data concerning him or her
                                are being processed, and, where that is the case, access to the personal data. The

                                data subject shall also have the right to information about the recipients or categories
                                of recipient to whom the personal data have been or will be disclosed (Article 15(1)(c)).


                                Article 19 of the GDPR requires the controller to communicate any rectification or
                                erasure of personal data or restriction of processing carried out in accordance with
                                Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data
                                have been disclosed, unless this proves impossible or involves disproportionate effort.

                                The controller shall inform the data subject about those recipients if the data subject
                                requests it.


                                According to Article 5 the controller shall be responsible for, and be able to
                                demonstrate compliance with, inter alia the obligation to processes personal data fairly
                                and in a transparent manner in relation to the data subject.


                                EDPB Guidelines 01/2022 on access state that concerning the question, if the
                                controller is free to choose between information on recipients or on categories of

                                recipients, it has to be recalled, that, already under Art. 13 and 14 GDPR information
                                on the recipients or categories of recipients should be as concrete as possible in
                                respect of the principles of transparency and fairness. The controller should therefore

                                generally name the actual recipients unless it would only be possible to indicate the
                                category of recipients. Nevertheless, sometimes naming the actual recipients is not yet
                                possible at the time of the information under Art. 13 and 14 GDPR but only in a later

                                stage, for example when an access request is made. The EDPB recalls in this regard,Integritetsskyddsmyndigheten     Diarienummer: DI-2021-10263                                                              3(4)
                                 Datum: 2022-05-11






                                 that storing information relating to the actual recipients is necessary inter alia to be
                                 able to comply with the controller’s obligations under Art. 5(2) and 19 GDPR.     2


                                 Assessment of the Authority for Privacy Protection


                                 The wording of Article 15(1)(c) of the GDPR does clarify if the controller is free to
                                 choose between information on actual recipients or on only categories of recipients.


                                 However, IMY concludes that Article 15(1)(c), read together with Article 19 and in light
                                 of the principles of fairness and transparency (Article 5(1)(a)) cannot be interpreted

                                 any other way than as a right of the data subject to, especially when explicitly
                                 requested, obtain from the controller information about the actual recipients to whom
                                 the personal data have been or will be disclosed, unless this proves impossible or

                                 involves disproportionate effort.

                                 IMY notes that the complainant has explicitly requested information about actual

                                 recipients. Klarna has not proved that this has proven   impossible or to involve
                                 disproportionate effort. Klarna has thus processed the complainant’s personal data in
                                 violation of Article 15 of the GDPR.


                                 What Klarna has stated about that the EDPB Guidelines on access was adopted after

                                 the access request was complied with, does not lead to any other conclusion. IMY
                                 does not claim that Klarna has an obligation to comply with guidelines that was not
                                 available to Klarna at the time of the violation. IMY’s reason for citing the guidelines is

                                 to prove that there is wide support for IMY’s opinion, which follows from the wording of
                                 Article 19.


                                 Choice of corrective measure


                                 It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the
                                 power to impose administrative fines in accordance with Article 83. Depending on the

                                 circumstances of the case, administrative fines shall be imposed in addition to or in
                                 place of the other measures referred to in Article 58(2), such as injunctions and
                                 prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into

                                 account when deciding on administrative fines and in determining the amount of the
                                 fine.


                                 In the case of a minor infringement, as stated in recital 148, IMY may, instead of
                                 imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider is
                                 the aggravating and mitigating circumstances of the case, such as the nature, gravity

                                 and duration of the infringement and past relevant infringements.


                                 IMY notes that the violation has affected one person and has not involved sensitive
                                 data. Furthermore, Klarna has otherwise complied with the complainant’s request for
                                 access. Against this background IMY considers that it is a minor infringement within

                                 the meaning of recital 148 and that Klarna Bank AB must be given a reprimand
                                 pursuant to Article 58(2)(b) of the GDPR for the established infringement.






                                 2EDPB Guidelines 01/2022 on data subject rights -access, Version 1.0, adopted for public consultation on
                                 18 January 2022, paragraph 115.Integritetsskyddsmyndigheten    Diarienummer: DI-2021-10263                                                               4(4)
                                Datum: 2022-05-11






                                This decision has been approved by the specially appointed decision-maker
                                            after presentation by legal advisor


                                How to appeal


                                If you want to appeal the decision, you should write to the Authority for Privacy
                                Protection. Indicate in the letter which decision you appeal and the change you
                                request. The appeal must have been received by the Authority for Privacy Protection

                                no later than three weeks from the day you received the decision. If the appeal has
                                been received at the right time, the Authority for Privacy Protection will forward it to the
                                Administrative Court in Stockholm for review.


                                You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                confidentiality. The authority’s contact information is shown in the first page of the
                                decision.