IMY (Sweden) - DI-2021-10448,

From GDPRhub
Revision as of 23:03, 6 February 2023 by Kv (talk | contribs) (Changed NL)
IMY - DI-2021-10448,
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 15 GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.06.2022
Published:
Fine: n/a
Parties: Klarna Bank
National Case Number/Name: DI-2021-10448,
European Case Law Identifier: EDPBI:SE:OSS:D:2022:381
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In this Article 60 GDPR procedure, a data subject filed rectification - and access requests at Klarna Bank AB, a Swedish payment provider. The latter had used incorrect first names in invoices for online purchases made by the data subject and their partner. Despite several rectification requests wich were submitted as well, The Swedish DPA only determined a violation of Article 15 GDPR because the controller only answered to an access request 1 year and 3 months after submission.

English Summary

Facts

The data subject had used the services of the controller, a Swedish payment provider for online services, to shop online. The partner of the data subject received the bills for these internet pruchases. In some instances, these wrongly delivered bills were addressed to the data subject. According to the data subject, he/she had requested the controller to correct the names in the e-mail in December 2018.

In 2020, the partner of the data subject used the controller's services again to shop online. The partner of the data subject again received an e-mail which was addressed to the data subject. On 15 October 2022, the data subject made a second request for rectification.

On 10 October 2020, the data subject had also submitted a request for access, but received no reply from the controller.

The data subject filed a complaint at a German DPA (not clear which DPA and not clear at what date the complaint was filed), which transferred the complaint to the Swedish DPA, which was the lead supervisory authority in this decision. The concerned supervisory authorities were the DPA's of Denmark, Finland, Germany, France, Norway and the Netherlands. The Swedish DPA started an investiagtion into the controller.

During the subsequent investigation of the DPA, the controller stated that it had a system for automatic generation of first names in the initial greeting of an e-mail. According to the controller, both the data subject and their partner used the same e-mail address (email address "y"), to place orders using the controller's service, which was one of the reasons why it put the wrong name in the email.

The controller had also stated that it had rectified the information according to both requests of the data subject. It is not clear at what date the controller did this.

The controller also informed the DPA during its investigation that it had not "recognised" the access request of the data subject. The controller answered and complied with the access request on 21 January 2022, almost 1 year and 3 months after the request was submitted

Holding

First, the DPA determined that the controller did not violate Article 5(1)(d) GDPR by regulary confusing the personal data of both the data subject and their partner by adressing the wrong person in the e-mails. The DPA reitereated that both the data subject and their partner had used 'e-mail address Y' to place online orders using the controller's service. The DPA noted that no other personal data than the first name of the data subject had been disclosed to the wrongly addressed partner. It also stated that the first name of the data subject was quite common. Therefore, this name did not constitute an identifier specific to the data subject.

Second, The DPA held that the controller did not violate Article 16 GDPR for the way it handled the two erasure requests of the data subject. The DPA stated that the data subject had not claimed that their requests for rectification were not met to any extent. It also could not determine ant reason to question the information provided by the controller, which had stated that it complied with the requests of the data subject, although without providing a specific date when the controller did this.

Third, the DPA held that the controller had violated Article 15 GDPR because it only provided a reply to the data subject 1 year and 3 months after the request was submitted. The DPA noted that the time elapsed was 'relatively long'. Therefore, the controller had not handled the access request without undue delay pursuant of Article 12(3) GDPR. Therefore, the controller violated Article 15 GDPR.

The DPA considered this a minor infringement and reprimanded the controller pursuant of Article 58(2)(b) GDPR.

Comment

The data subject stated that in the orginal complaint that she requested the controller to adjust the names in the controller's e-mails in December 2018. However, the controller stated that it received the data subject's first request for rectification on 5 November 2018. Although there is only a difference of around a month between these dates and this difference is inconsequential for the non-violation of Article 16 GDPR, the difference is still there, without any clarification from the parties or the DPA when the first request was submitted.

A similair difference is present for the supossed date when the data subject filed the access request. The data subject stated that the access request was filed on 10 October 2022. According to the controller, the data subject had submitted the request on 15 October 2020.

Also, it is not clear from the decision at what date the original complaint was submitted. It also not clear from the decision which German DPA transferred the complaint to the Swedish DPA, although looking at the German case number ('83.41/20.039'), it is most likely that this was the Berlin DPA, although this is not 100% certain.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

One-Stop-Shop Leaflet
Art. 60 final decisions
Due to national legal restrictions, none or only some of the decisions from the following Supervisory Authorities will be available on this register: DE (Lower Saxony, Mecklenburg - Western Pomerania, North Rhine - Westphalia), LT, NL and ES SAs.
The decisions from the following Supervisory Authorities will not include personal data of physical persons: BG, DE, CY (Baden-Wurttemberg, Berlin, German Federal, Rhineland - Palatinate, Saxony-Anhalt), DK, EL, ES, HR, LV, NO, RO, SK, SI and SE SAs.
The decisions from the following Supervisory Authorities will not include data of physical and legal persons: AT, BE, CZ, DE [Bavaria (Private Sector), Brandenburg, Hesse, Mecklenburg - Western Pomerania, Saarland, Saxony, Thuringia], EE, FI, FR, HU, IE, IT, LU, LV, MT, NL, PL, PT and UK SAs.
The decisions from the following Supervisory Authorities will not be anonymised: HR
Summaries of Art. 60 final decisions
The summaries of Article 60 final decisions were made under the responsibility of the EDPB Secretariat for sole informative purpose and do not intend to create any legal effect or interpretation. Please note that only the national decisions in the official language of the SA are the authentic legal source of information relating to the relevant national decisions.
The summaries from the following Supervisory Authorities will not include personal data of physical persons: BG, CY, DK, DE [Baden - Wuerttemberg, Berlin, Germany Federal, Rhineland-Palatinate, Saxony- Anhalt], EL, ES, NO, RO, SK, SI and SE SAs.
The summaries from the following Supervisory Authorities will not include data of physical and legal persons: AT, BE, CZ, DE [Bavaria Private Sector, Brandenburg, Hesse, Lower Saxony, Mecklenburg - Western Pomerania, North Rhine - Westphalia, Saarland, Saxony, Thuringia], EE, FI, FR, HU, IE, IT, LI, LT, LU, LV, MT, NL, PL, PT and UK SAs.
The summaries from the following Supervisory Authorities will not be anonymised: HR SA.
Privacy Notice
For more information on how we process your personal data in this, please consult the following page: EDPB Specific Privacy Statements