IMY (Sweden) - DI-2021-10488

Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(3) GDPR
Article 17 GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 18.03.2022
Published:
Fine: n/a
Parties: Klarna Bank AB
National Case Number/Name: DI-2021-10488
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

The Swedish DPA reprimanded a controller for violating Article 12(3) GDPR by not informing a data subject about a delay of their erasure request within a month of receiving it.

English Summary

Facts

The complainant requested erasure under Article 17 GDPR. It took two months before they received a reply from the controller. After two months, the data subject received a reply which stated that her request would be handled but that her request for erasure might take another 90 days to be completed. The complainant considered it unreasonable that it would take a total of five months for the controller to handle her request.

The controller stated that the initial delays were due to issues on its side in verifying the data subject's identity. The erasure was delayed due to lower staffing during the Christmas and New Year holidays. The controller holds that it has handled the complainant's request without undue delay considering the Christmas and New Year holidays and the individual error concerning the confirmation.

Holding

The DPA pointed out that Article 12(3) GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to Article 17 GDPR. Moreover, the one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. In this case, the controller shall inform the data subject of the extension and indicate the reasons for the delay.

The investigation found that the controller did not inform the data subject that the erasure process had been initiated and that it could take up to 90 days for the erasure to be completed until approximately two months after the request was received and the identity of the complainant was verified, nor did the controller state the reasons for the delay.

Consequently, the DPA held that the controller did not deal with the complainant’s request without undue delay within the meaning of Article 12(3) GDPR. In light of this, the DPA concluded that the controller has processed the complainant’s personal data in violation of Article 12(3) GDPR. Since the violation occurred due to human error and only affected one person, the DPA limited its corrective measures to giving a reprimand pursuant to Article 58(2)(b) GDPR.



English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) decision 2022-03-18, no. DI-2021-10488. Only the Swedish version of the decision is deemed authentic.

Ref no: DI-2021-10488
Date of decision: 2022-03-18
Date of translation: 2022-03-18

Decision under the General Data Protection Regulation – Klarna Bank AB

Decision of the Swedish Authority for Privacy Protection (IMY)

The Authority for Privacy Protection (IMY) finds that Klarna Bank AB has processed personal data in breach of Article 12(3) of the General Data Protection Regulation (GDPR) by not without undue delay complying with the complainant’s request for erasure pursuant to Article 17 of 25 November 2020 only on 24 January 2020.

The Authority for Privacy Protection issues Klarna Bank AB a reprimand pursuant to Article 58(2)(b) of the GDPR for the infringement of Article 12(3) of the GDPR.


Report on the supervisory report

The Authority for Privacy Protection (IMY) has initiated supervision regarding Klarna Bank AB (Klarna or the company) due to a complaint. The complaint has been submitted to IMY, as responsible supervisory authority pursuant to Article 56 of the General Data Protection Regulation (GDPR) from the supervisory authority in the Netherlands where the complainant has lodged their complaint in accordance with the Regulation’s provisions on cooperation in cross-border processing.

The investigation in the case has been carried out through correspondence. In the light of a complaint relating to cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII GDPR. The supervisory authorities concerned have been the data protection authorities in Germany, Denmark, Austria, Italy, Poland, and Finland.


The complaint

The complainant has mainly stated she requested erasure under Article 17 of the GDPR, but that it took two months before she received a reply from Klarna. After two months, she has received a reply which states that her request will be handled and that her request for erasure may take another 90 days to be completed. The complainant considers it unreasonable that it takes a total of five months for Klarna to handle her request.

[1] Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Phone: 08-657 61 00


What Klarna has stated

Klarna has mainly stated the following.

Klarna is the data controller for the processing to which the complaint relates.

The complainant’s request for erasure was received by Klarna on 18 November 2020, after which Klarna verified the applicant’s identity on 25 November 2020 and on 26 November 2020 requested a confirmation of the initiation of the erasure process. On 27 November 2020 the complainant submitted a confirmation, but this has not been brought to the attention of the case handler. Klarna sent a further request for confirmation on December 202020. On 24 January 2021, Klarna informed the complainant that the erasure process had been initiated and that the processing was delayed due to lower staffing during the Christmas and New Year holidays. On the same date, the process of erasure of the complainant’s personal data was completed.

Klarna holds that it has handled the complainant’s request without undue delay considering the Christmas and New Year holidays and the individual error concerning the confirmation. Pursuant to Article 12(3) of the GDPR, Klarna informed the complainant of the maximum period allowed for carrying out a deletion. The reason for this was that the number of incoming cases was sometimes very high and the processing during these times could take more than a month. Klarna further states that it has further developed the processes concerning data subjects’ rights in order to ensure that the deadlines set are met and that the data subject is clearly informed. In addition, the responsible case officer in the case in question, as well as the other case officers, have received additional information on the importance of careful and expeditious handling of these cases.



Justification of the decision

Applicable provisions, etc.

Article 12(3) of the GDPR requires the controller to provide the data subject, upon request, without undue delay and in any event no later than one month after receiving the request, with information on the actions taken pursuant to, inter alia, Article 17. The one-month time limit may be extended by a further two months where the request is particularly complex or the number of requests received is high. If the time limit of one month is extended, the controller shall inform the data subject of the extension. Notification of the extension of the deadline shall take place within one month of receipt of the request. The controller shall also indicate the reasons for the delay.

European Data Protection Board (EDPB) Guidelines 01/2022 on access state that the time limit starts when the controller has received a request. However, when the controller needs to communicate with the data subject due to the uncertainty as to the identity of the person making the request, there may be a suspension in time until the controller has obtained the information needed from the data subject, provided the controller has asked for additional information without undue delay. [2]

[2] EDPB Guidelines 01/2022 on data subject rights - Right of access, Version 1.0, adopted for public consultation on 18 January 2022

Article 17(1)(a) provides that the data subject shall have the right to have his or her personal data erased without undue delay from the controller and the controller shall be obliged to erase personal data without undue delay if they are no longer necessary for the purposes for which they were collected or otherwise processed. Article 17(3) lists exhaustively the exceptions to this right.


Assessment of the Authority for Privacy Protection (IMY)

The investigation shows that the complainant’s request for erasure was received by Klarna on 18 November 2020. Since Klarna had to communicate with the complainant in order to secure their identity and requested additional information without undue delay, IMY considers that the time limit started again once the identity of the complainant had been verified on 25 November 2020. According to Klarna, the request has been fully met on 24 January 2021, which IMY does not find any reason to call into question.

Klarna did not inform the complainant until 24 January 2021, i.e. approximately two months after the request was received and the identity of the complainant was verified, that the erasure process was initiated and that it can take up to 90 days for the erasure to be completed, as well as state the reasons for the delay. IMY therefore concludes that Klarna has not dealt with the complainant’s request without undue delay within the meaning of Article 12(3) of the GDPR.

In light of the above, IMY concludes that Klarna has processed the complainant’s personal data in violation of Article 12(3) of the GDPR.


Choice of corrective measure

It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into account when deciding on administrative fines and in determining the amount of the fine.

In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider are the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and past relevant infringements.

IMY notes the following relevant facts. The handling of the complainant’s request has been delayed mainly due to an individual procedural error. The violation is due to human error and has affected only one person. Against this background IMY considers that it is a minor infringement within the meaning of recital 148 and that Klarna Bank AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR.




This decision has been made by the specially appointed decision-maker after presentation by legal advisor.

How to appeal

If you want to appeal the decision, you should write to the Authority for Privacy Protection. Indicate in the letter which decision you appeal and the change you request. The appeal must have been received by the Authority for Privacy Protection no later than three weeks from the day you received the decision. If the appeal has been received at the right time, the Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review.

You can e-mail the appeal to the Authority for Privacy Protection if it does not contain any privacy-sensitive personal data or information that may be covered by confidentiality. The authority’s contact information is shown on the first page of the decision.