IMY - DI-2020-10518 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(3) GDPR Article 15 GDPR Article 56 GDPR Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 31.03.2021 |
Published: | |
Fine: | None |
Parties: | Klarna Bank AB |
National Case Number/Name: | DI-2020-10518 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish English |
Original Source: | Original decision (in SV) Inofficial English version of decision (in EN) |
Initial Contributor: | Kave Noori |
The Swedish DPA reprimanded a Swedish bank for not responding to an access request for 5 months following complaints filed with DPAs in Germany and Austria.
Facts
The DPA opened an investigation into Klarna Bank following complaints filed with DPAs in Germany and Austria. The IMY assumed the role of lead supervisory authority under Article 56, as Klarna is based in Sweden. These cross-border cases were handled through the consistency and cooperation procedure under Chapter VII of the GDPR.
Complaint 1 from Austria concerned the fact that Klarna took more than 5 months to process a request for access to personal data under Article 15. The complainant's access request was sent to a different email than the one Klarna intended for data protection matters. Therefore, the request was not processed according to Klarna's internal procedures.
Complaint 2 from Germany concerned a data subject access request under Article 15, initially initiated by chat and resubmitted by email two days later. Klarna complied with the request within 14 days and shortly thereafter sent more detailed information about its automated decision making for purchases. A month later, the complainant contacted Klarna again. Another month passed until Klarna asked the complainant to provide a new address but received no reply.
Dispute
Did Klarna violate Article 15 of the GDPR?
Holding
Complaint 1 (Austria)
The DPA considered that Klarna failed to process the request within the timeframe required by Article 12(3) and without the required notice of delay. The DPA did not consider that the fact that Klarna receives a high volume of requests related to the GDPR or Klarna's quick responses to the complainant's follow-up questions should influence this decision.
Complaint 2
The DPA considered that Klarna did what could be expected of a company in dealing with the Complaint 2. In the DPA's view, Klarna provided the requested information within 14 days, although it did not reach the recipient. When the complainant informed Klarna that he/she had not received the mailing, Klarna asked for a new address. Klarna never received an alternative address. The DPA concluded that Klarna was not obliged to take further action and therefore did not breach the law.
Corrective action
The DPA considered Klarna's handling of complaint 1 to be a minor infringement and issued a reprimand on the basis of Article 58(2)(b).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (5) Klarna Bank AB Sveavägen 46 113 35 Stockholm dataprotectionofficer@klarna.com Record number: DI-2020-10518 Decision after supervision according to Data Protection Regulation - Klarna Date: 2021-03-31 Bank AB The decision of the Integrity Protection Authority The Privacy Protection Authority states that Klarna Bank AB has processed personal data in breach of Article 12 (3) of the Data Protection Regulation by regarding complaint 1: not without undue delay, at the request of the 5 January 2019, give the complainant access to his personal data in accordance with Article 15. The Privacy Protection Authority gives Klarna Bank a reprimand in accordance with Article 58 (2) (b) i the Data Protection Regulation. Report on the supervisory matter The Privacy Protection Authority (IMY) has initiated supervision regarding Klarna Bank AB (the company) due to two complaints. Respective complaints have been submitted to IMY, as the supervisory authority responsible for the company's operations under Article 56 in the Data Protection Regulation, from the supervisory authority of the country where the complainant has left lodged their complaint (Austria and Germany) in accordance with the provisions of the Regulation on cooperation in cross-border matters. The complainants have indicated that they have requested access to their personal data under Article 15 of the the Data Protection Regulation. In response to the complaints, IMY has initiated supervision with a view to: investigate whether the complainants' requests for access under Article 15 have been complied with and if done within the time limit specified in Article 12 (3). Klarna Bank AB states that they are responsible for personal data for it personal data processing to which the complaints relate. The company also states that they handle Postal address: a large number of requests in accordance with the Data Protection Regulation. Box 8114 104 20 Stockholm Complaint 1 (Appendix 1 from Austria with national reference number: D130.247) Website: www.imy.se E-mail: imy@imy.se REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on 08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation). Page 1 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 2 (5) Date: 2021-03-31 With regard to the first complaint, the company states that the complainant's request for access was received by the company via e-mail on 5, 10 and 29 January 2019. Since the request was received by an e-mail address other than the one the company refers to for data protection issues The request was not processed in accordance with the company's internal processing routines. The caused a longer processing time and that information as well as a copy of the complainant's personal data pursuant to Article 15 was not sent until 18 June 2019. The company has promptly answered the complainant's follow-up questions about the company's personal data processing which the complainant was satisfied with. Complaint 2 (Annex 2 from Germany with national reference number: LDA-1085.1- 13373/19-F) With regard to the second complaint, the company states that the complainant's request for access joined the company's chat on October 28, 2019. The complainant repeated his request via e-mail on October 30, 2019. The company contacted the complainant on November 6 2019 to request further information. These were provided the same day. The On November 11, 2019, the company sent out information and a copy of the personal data to the complainant under Article 15, ie within 14 days of receiving the company request. On November 14, 2019, the company sent more detailed information about the company's automatic decision-making when purchasing. The complainant contacted the company again on December 13, 2019 due to the fact that he has not received the company's mailing. The company requested a new address on January 7, 2020 and has not received a response. The processing has taken place through correspondence. Given that there are two cross-border complaints, the IMY has used the mechanisms of cooperation and uniformity contained in Chapter VII of the Data Protection Regulation. Affected regulators have been the data protection authorities of Austria, Germany, the Czech Republic, Denmark and Norway. Justification of decision Applicable regulations The person responsible for personal data is obliged to provide information to anyone who requests it information on personal data concerning the applicant is processed or not. treated such data, the controller shall, in accordance with Article 15 i the Data Protection Regulation, provide the applicant with additional information and a a copy of the personal data processed by the data controller. According to Article 12 (3), a request for access shall be dealt with without undue delay and in any case no later than one month after receipt of the request. The deadline for one month may be extended by a further two months if the request is special complicated or the number of requests received is high. If the time limit is extended by one month, the person responsible for personal data shall notify it registered about the extension. The extension of the time limit shall be notified within one month of receipt of the request. The person responsible for personal data must also state the reasons for the delay. According to Article 12 (6), the controller may, if he has reasonable grounds for: question the identity of the natural person submitting a request under Article 15; request additional information necessary to confirm the data subject's identity is provided. Page 2 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 3 (5) Date: 2021-03-31 IMY's assessment Has there been a breach of the Data Protection Regulation? Complaint 1 (Annex 1 from Austria with national reference number: D130.247) With regard to the first complaint, the IMY notes that the complainant, in accordance with Article 15 of the Data Protection Regulation, provided with information and a copy of the personal data processed. However, the right of access was only satisfied after more than five months from the submission of the first request. The request thus does not have handled without undue delay and within the stipulated time limit in Article 12 (3) and the complainant has also not been informed of the delay. What the company has stated that they handle a large number of inquiry matters according to the Data Protection Regulation and that prompt questions are answered promptly does not cause anyone another assessment regarding the delay and that it was thus a question of one infringement of Article 12 (3) concerning complaints 1. Complaint 2 (Annex 2 from Germany with national reference number: LDA-1085.1- 13373/19-F) With regard to the second complaint, the IMY notes that the complainant, in accordance with Article 15, provided with information and a copy of the personal data provided treated. The information was provided without undue delay. After the complainant pointed out that he had not received the mailing, the company requested alternative contact information. Against this background, IMY considers that the company has not been obliged to take any further action in response to that request. Choice of intervention Article 58 (2) (i) and Article 83 (2) state that the IMY has the power to impose administrative penalty fees in accordance with Article 83. the circumstances of the individual case, administrative penalty fees shall be imposed in addition to or in place of the other measures referred to in Article 58 (2), such as: injunctions and prohibitions. Furthermore, Article 83 (2) sets out the factors to be taken into account taken into account when deciding whether to impose administrative penalty fees and at determining the amount of the fee. In the case of a minor infringement, IMY as stated in recital 148 instead of imposing a penalty fee issue one reprimand under Article 58 (2) (b). Account shall be taken of aggravating and mitigating circumstances circumstances of the case, such as the nature, severity and duration of the infringement as well as previous violations of relevance. In an overall assessment of the circumstances, the IMY finds that, with regard to complaints 1, is a minor infringement within the meaning of recital 148 and that Klarna Bank AB must therefore be reprimanded in accordance with Article 58 (2) (b) for the person found the infringement. _________________ This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by jurist Murat Vrana. Catharina Fernquist, 2021-03-31 (This is an electronic signature) Page 3 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 4 (5) Date: 2021-03-31 Copy to The Data Protection Officer, filip.johnssen@klarna.com Page 4 of 5Integritetsskyddsmyndigheten Record number: DI-2020-10518 5 (5) Date: 2021-03-31 How to appeal If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received part of the decision. If the appeal has been received in time, send The Integrity Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information appears on the first page of the decision. Page 5 of 5