IMY - DI-2020-10561

From GDPRhub
IMY - DI-2020-10561
LogoSEnew.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(3) GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Decided: 23.03.2021
Published: 26.03.2021
Fine: None
Parties: Rebtel Networks AB
National Case Number/Name: DI-2020-10561
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: n/a

The Swedish DPA (Integritetsskyddsmyndigheten) issued a reprimand on Rebtel Networks AB for violating Article 17 GDPR by not deleting personal data of the complainant without undue delay and Article 23 GDPR by providing incorrect information about deletion of personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant unsuccessfully tried to persuade the company to stop sending unsolicited emails after deleting her account. She requested removal of her data four times and each time the company confirmed that her data had been deleted and that she would not receive any more messages. After each time she then received a new email asking her to provide feedback about the service. She also tried to use the "unregister" link provided in each e-mail but it did not worked either.

The company stated that the complainant's request for deletion was not handled due to the company not perceiving it as a request for deletion.

Dispute[edit | edit source]

Holding[edit | edit source]

According to the DPA it has been made clear in the request that the complainant wanted to exercise her right to deletion.

The DPA issued a reprimand on Rebtel Networks AB for violating Article 17 GDPR by not deleting personal data of the complainant without undue delay and Article 23 GDPR by providing incorrect information about deletion of personal data.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                                                                                            1 (5)







                                                                Rebtel Networks AB
                                                                Jakobsbergsgatan 16
                                                                111 44 Stockholm







Record number:
DI-2020-10561 Decision after supervision according to

Date: Data Protection Regulation - Rebtel
2021-03-23

                             Networks AB





                             The decision of the Integrity Protection Authority


                             The Privacy Protection Authority states that Rebtel Networks AB has processed
                             personal data in violation of


                                  Article 17 of the Data Protection Regulation by not without undue delay first
                                     on 9 November 2020, delete the personal data requested by the complainant

                                     deletion of 18 September 2019.

                                  Article 12 (3) of the Data Protection Regulation by providing incorrect information

                                     on 22 September 2019 that the complainant's information had been deleted
                                     due to the complainant's request of 18 September 2019.


                             The Privacy Protection Authority gives Rebtel Networks AB a reprimand according to
                             Article 58 (2) (b) of the Data Protection Regulation.


                             Report on the supervisory matter


                             The Privacy Protection Authority (IMY) has initiated supervision regarding Rebtel Networks AB
                             (the company) in connection with a complaint. The complaint has been submitted to IMY, i

                             as the responsible supervisory authority in accordance with Article 56 of the Data Protection Regulation.
                             The transfer has taken place from the supervisory authority in the country where the complainant has left
                             lodged its complaint (Spain) in accordance with the provisions of the Regulation on cooperation

                             in cross-border treatment.

                             The complaint alleges that the complainant unsuccessfully tried to persuade the company

                             to stop sending unsolicited emails after deleting her account. She
                             has on four occasions requested removal and the company has each time confirmed that her
Postal address: information has been deleted and she would not receive any more messages, but she has
Box 8114
                             then each time receive a new email asking her to provide feedback
104 20 Stockholm about the service. She has also tried to use the "unregister" link provided in each e-mail
Website:
www.imy.se

E-mail:
imy@imy.se REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on
08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation). Integrity Protection Authority Record number: DI-2020-10561 2 (5)
                               Date: 2021-03-23






                               mail, but it has not worked either. Against this background, she believes that

                               the company has breached its obligations under Article 17 of the Data Protection Regulation.

                               Rebtel Networks AB has mainly stated the following.


                               The company received a request for deletion from the complainant on September 18, 2019. I
                               subsequently, however, it can be stated that it was not handled as a request for deletion

                               under the Data Protection Regulation, even if certain data were deleted. This is
                               the reason for further e-mail in the form of a reminder of a survey for

                               customer survey has been sent to the complainant. This has happened during the period up to
                               and with effect from 1 October 2019, ie not after the deadline of one month
                               applies under the Data Protection Regulation to comply with a deletion request.


                               Remaining data was deleted on November 9, 2020, except for those that are
                               necessary to be able to handle the current supervisory matter. The company informed

                               complainant about this on 20 November 2020.


                               Due to this supervisory matter, the company has taken special measures to
                               strengthen their established processes and procedures for identifying a request under
                               the Data Protection Regulation. This includes above all that further training of its

                               customer service agents. The company has further improved its so-called data triggers in its
                               customer service tools. The company's investigation of the complainant's case showed that it did not
                               had been flagged as a matter under the Data Protection Regulation as the data application did not

                               perceived any reference to the Data Protection Regulation in Spanish.

                               The processing has taken place through correspondence. Given that it applies

                               cross-border treatment, IMY has used the mechanisms of cooperation
                               and uniformity contained in Chapter VII of the Data Protection Regulation. Affected

                               regulators have been the data protection authorities in Spain, Germany, Norway,
                               Italy and France.


                               Justification of decision


                               Applicable regulations


                               According to Article 12 (3) of the Data Protection Regulation, the controller shall:
                               request without undue delay and in any case no later than one month after
                               to have received the request to provide the data subject with information on the measures taken

                               taken in accordance with Article 17. This period may, if necessary, be extended by a further two
                               months, taking into account the complexity of the request and the number received

                               requests. The personal data controller shall notify the data subject of a
                               such extension within one month of receipt of the request and state the reasons
                               to the delay.


                               According to Article 17 (1) (a), the data subject shall have the right to be informed by the controller
                               without undue delay have their personal data deleted and it

                               the person responsible for personal data shall be obliged to delete without undue delay
                               personal data if the personal data are no longer necessary for the purposes for which

                               which they have collected or otherwise treated. According to Article 17 (3) (b), this shall not be the case
                               apply to the extent that the processing is necessary to comply with a legal
                               obligation requiring treatment under Union law.Integrity Protection Authority Record number: DI-2020-10561 3 (5)
                               Date: 2021-03-23







                               The Integrity Protection Authority's assessment

                               Has there been a breach of the Data Protection Regulation?

                               The company has stated that the reason for the complainant's request for deletion of the 18th
                               September 2019 was not handled until November 9, 2020 due to the company not

                               perceived it as a request for deletion.

                               In the IMY's view, however, it has been made clear in the request that it

                               registered wanted to exercise their right to deletion. Because some data was deleted
                               only on 9 November 2020 did Rebtel Networks AB process personal data in violation
                               with Article 17 of the Data Protection Regulation by not without undue delay first it

                               9 November 2020 delete the personal data requested by the complainant on 18
                               September 2019. However, the company has been justified in retaining the information needed for

                               to be able to show that the request has been handled in accordance with the Data Protection Regulation.

                               The company has stated that no further e-mails have been sent since October 2, 2019

                               and that this is within the time limit of one month provided for in Article 12 (3) and 17
                               the Data Protection Regulation. However, the company was incorrect in its reply to the complainant on 22
                               September 2019 stated that the information had been deleted and that the complainant would not receive

                               a few more mailings. Rebtel Networks AB thereby violates Article 12 (3)
                               Data Protection Regulation provided incorrect information on what measures - that the data

                               had been deleted - which has been taken as a result of the complainant's request.

                               Despite the fact that the company, on 22 September 2019, informed the complainant that no more e-

                               mailing if customer satisfaction should take place, the complainant has received another four
                               such mailings. The four mailings were made on 22 and 25 September and on 1 and 2

                               October 2019. However, the IMY notes that this is a relatively short time after
                               request for deletion was made and considers that it is within the time limit
                               the company had undertaken to take action if the request had been handled correctly.


                               Choice of intervention


                               Article 58 (2) (i) and Article 83 (2) state that the IMY has the power to impose
                               administrative penalty fees in accordance with Article 83.

                               the circumstances of the individual case, administrative penalty fees shall be imposed
                               in addition to or in place of the other measures referred to in Article 58 (2), such as:
                               injunctions and prohibitions. Furthermore, Article 83 (2) sets out the factors to be taken into account

                               taken into account when deciding whether to impose administrative penalty fees and at
                               determining the amount of the fee. In the case of a minor infringement, IMY

                               as stated in recital 148 instead of imposing a penalty fee issue one
                               reprimand under Article 58 (2) (b). Account shall be taken of aggravating and mitigating circumstances
                               circumstances of the case, such as the nature, severity and duration of the infringement

                               as well as previous violations of relevance.

                               The company has stated that the reason for the complainant's request for deletion is not

                               was handled correctly mainly due to a mistake in the company's customer service and
                               customer service tools. Due to what happened, the company has stated that it has taken action

                               specific organizational and technical measures to strengthen their established
                               processes and procedures for identifying a request under the Data Protection Regulation.


                               In an overall assessment of the circumstances, the IMY finds that it is a question of less
                               infringements within the meaning of recital 148 and that Rebtel Networks AB thereforeIntegrittsskyddsmyndigheten Record number: DI-2020-10561 4 (5)

                                 Date: 2021-03-23






                                 shall be reprimanded in accordance with Article 58 (2) (b) of the Data Protection Regulation for those found

                                 the infringements.




                                 This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by

                                 lawyer Olle Pettersson.


                                 Catharina Fernquist, 2021-03-23 (This is an electronic signature) Integrity Protection Authority Registration number: DI-2020-10561 5 (5)
                              Date: 2021-03-23







                              How to appeal

                              If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i

                              the letter which decision you are appealing and the change you are requesting. The appeal shall
                              have been received by the Privacy Protection Authority no later than three weeks from the day you received

                              part of the decision. If the appeal has been received in time, send
                              The Integrity Protection Authority forwards it to the Administrative Court in Stockholm
                              examination.


                              You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                              any privacy-sensitive personal data or data that may be covered by

                              secrecy. The authority's contact information can be found on the first page of the decision.