Postal address:
Box 8114
104 20 Stockholm
Website:
www.imy.se
E-mail:
Phone:
08-657 61 00
Notice: This document is an unofficial translation of the
Swedish Authority for Privacy Protection’s (IMY) decision
2022-06-27, no. DI-2020-10696. Only the Swedish version
of the decision is deemed authentic.
Decision under the General Data Protection Regulation – Nordax Bank AB
Decision of the Swedish Authority for Privacy Protection (IMY)
Ref no: 2020-10696, IMI case no. 134903
Date of decision: 2022-06-27
Date of translation: 2022-06-27
The Swedish Authority for Privacy Protection (IMY) finds that Nordax Bank AB has
processed personal data in breach of:
- Article 15 of the General Data Protection Regulation (GDPR)[1] by failing to
handle the complainant's requests for access made on 5 December 2018 and
11 February 2019.
- Article 17 by not handling, without undue delay, the complainant's requests for
erasure made on 5 December 2018 and 11 February 2019.
- Article 12(3) by not providing, without undue delay, information to the
complainant on the measures taken, namely that the complainant was
blocked from direct marketing mailings, in response to the complainant's
objection to direct marketing made on 9 July 2019.
The Swedish Authority for Privacy Protection finds that Nordax Bank AB has
processed personal data in breach of:
- Article 12(6) by requesting the complainant to submit further information in
order to comply with the request to object to direct marketing made on 9 July 2019,
even though the data provided in the request was sufficient to complete the
request.
IMY issues Nordax Bank AB a reprimand pursuant to Article 58(2)(b) of the GDPR
for the infringements of Articles 12(3), 12(6), 15 and 17 of the GDPR.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation).
In accordance with Article 58(2)(c) of the GDPR, IMY orders Nordax Bank AB to:
- Comply with the complainant's request to exercise his right of access under
Article 15 of the GDPR, with the exception of information which is subject to any
applicable derogation provided for in Article 15(4). This is done by giving
the complainant access to all personal data that Nordax processes regarding the
complainant, by providing the complainant with a copy of the personal data
referred to in Article 15(3) and by providing the information referred to in points (a) to (h)
of Article 15(1) and in Article 15(2). The measures shall be implemented no later than
two weeks after this decision has become final.
In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to:
- Handle the complainant's request for erasure of all of his personal data
in accordance with Article 17 by assessing whether there is personal data that the
company is obliged to erase under Article 17 and, if so, to erase it,
and to inform the complainant in accordance with Article 12(3) or (4). The
measures must be implemented no later than two weeks after this decision
has become final.
In accordance with Article 58(2)(d) of the GDPR, IMY orders Nordax Bank AB to:
- In accordance with Article 12(3), provide the complainant with information on
the measures which have been taken in response to the complainant’s
request to exercise his right of objection to processing for direct marketing
purposes. The measures shall be implemented no later than two weeks after
this decision has become final.
Report on the supervisory matter
The Authority for Privacy Protection (IMY) initiated supervision of Nordax
Bank AB (Nordax or the company) following a complaint. The complaint was
submitted to IMY as the lead supervisory authority for the company's operations
pursuant to Article 56 of the General Data Protection Regulation (GDPR). The
complaint was handed over by the supervisory authority of the country where the
complainant lodged it (Norway), in accordance with the Regulation's
provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light
of a complaint relating to cross-border processing, IMY has used the mechanisms for
cooperation and consistency contained in Chapter VII of the GDPR. The supervisory
authorities concerned have been the data protection authorities in Norway, Denmark,
Finland and Germany.
The complaint
The complaint alleges that the company has not
dealt with the complainant's requests to exercise his rights under the
GDPR, namely the right of access pursuant to Article 15, the right to erasure
pursuant to Article 17 and the right to object to the processing of personal data for direct
marketing purposes pursuant to Article 21(2). E-mail correspondence with the
company is attached to the complaint.
What Nordax has stated
Nordax has mainly stated the following.
Nordax is the data controller for the processing to which the complaint relates. The
processing is carried out by Nordax's personal data processor Iper Direkt AB (Iper) on
behalf of Nordax and for direct marketing purposes, which is regulated in agreements
between Nordax and Iper. Nordax determines the purposes and means of the
processing. The relationship can be compared to the example set out in the EDPB
Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR ("Example:
market research").[2]
Iper is the controller of the address register and is responsible for
managing the rights of data subjects whose personal data are held in this address
register. On that basis, Iper makes, on behalf of Nordax, a selection from its address
register and provides the addresses to another data processor that Nordax uses to
carry out the marketing mailings. Nordax does not process or store any personal data,
since the data provided by Iper to Nordax are de-identified.
Right of access
Nordax Bank AB originally received a request for access from the complainant on 5
December 2018. The request concerned "information on all data relating to me as you
have stored and what the data is used for". The complainant's request was answered
by e-mail on 6 December 2018 with the information that the complainant's personal
data are not processed by Nordax, and that a request for access (or erasure) could therefore not be
handled. Nordax states that, as data controller, the company should nevertheless have
interpreted this as a request under Article 15 of the GDPR and provided the
complainant with access to his personal data with the help of the personal data processor
Iper, in accordance with the provisions of Article 28 of the GDPR. Nordax took the view
that the complainant's main request was not a request for access to personal data
pursuant to Article 15. In the light of the information in the complainant's e-mail, and since
the complainant did not contact Nordax after a block on direct marketing was
established in respect of the complainant on 9 July 2019, Nordax considered that the
complainant's primary wish was to be blocked from addressed direct marketing from
the company. Nordax believes that the complainant considers the request for
objection to have been dealt with, but Nordax can certainly comply with the complainant's request
for access if the complainant still wishes to exercise his right of access to his personal
data.
Right to erasure
The complainant's request for erasure was received on 5 December 2018 and Nordax
replied to it on 6 December 2018. It was clear from the reply that the company did not
consider that it stored the complainant's personal data, and that erasure of data at
Nordax could therefore not be carried out. It is the address provider Iper, Nordax's data processor, which
is reported to have stored the complainant's personal data at the time of the
complainant's request. Iper is the controller of the address register from which Nordax
receives addresses for direct marketing mailings. Nordax does not have the ability to
erase personal data in Iper's register. It is against this background that Nordax has not
complied with the complainant's request for erasure.
Furthermore, Nordax states that the company is currently processing personal data
regarding the complainant in order to maintain a block on addressed direct marketing,
which is necessary to comply with a legal obligation. By e-mail on 6 December 2018 and 16
July 2019, Nordax provided general information to the complainant that
Nordax may process the complainant's personal data in order to maintain a block on
addressed direct marketing. Personal data of the complainant is also being processed
in order to deal with the ongoing supervisory case, and that processing will cease when the
enforcement case is closed. The company has not interpreted the complainant's
request for erasure as including these ongoing processing operations.
[2] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, page 19.
Right of objection
The complainant submitted a request for access and deletion on 5 December 2018,
to which Nordax replied on 6 December 2018. In the light of the information in
the complainant's request, Nordax presumed that the complainant had received
addressed direct marketing mailings for Nordax products. Nordax therefore provided
information on how the complainant should proceed to obtain a block against further direct
marketing mailings for Nordax products. In order to block an individual against
addressed direct marketing, Nordax needs the individual's first name, surname and full
address, which the company informed the complainant about. Nordax
never received this additional information from the complainant and could therefore not
block the complainant from the addressed direct marketing mailings. On 11 February
2019, the complainant submitted a further request for access and erasure and an
objection to receiving direct marketing mailings. Nordax responded to the
complainant's request on 12 February 2019 by referring to its earlier reply to the
request for access and erasure, and stated that Nordax had granted the complainant's
request to object to receiving further direct marketing. However, the complainant was
wrongly informed on that occasion that Nordax had taken measures to prevent the
complainant from receiving further direct marketing mailings. Nordax believes that the
handling of the request failed due to human error and, because of this, the company
is reviewing its procedures for individuals who wish to object to direct marketing mailings,
to ensure that incorrect information is not sent again.
The complainant lodged a further complaint on 9 July 2019, to which Nordax once
again replied with information on how the complainant should proceed in order to block
himself against addressed direct marketing mailings. At the time of receipt of this
objection, the complainant was also finally blocked against further addressed direct
marketing mailings for Nordax products. However, Nordax did not inform the
complainant that he had been blocked from such further direct marketing mailings for Nordax
products. Nor did the complainant contact Nordax after 9 July 2019.
Justification of the decision
Applicable provisions, etc.
Data controller
The controller, as defined in Article 4(7) of the GDPR, means the natural or legal
person which alone or jointly with others determines the purposes and means of
the processing of personal data.
The European Data Protection Board (EDPB) Guidelines 07/2020 on the concepts
of controller and processor in the General Data Protection Regulation state
the following concerning the respective roles of processors and
controllers in the exercise of data subjects' rights:
"It is crucial to bear in mind that, although the practical management of
individual requests can be outsourced to the processor, the controller bears the
responsibility for complying with such requests. Therefore, the assessment as to
whether requests by data subjects are admissible and/or the requirements
set by the GDPR are met should be performed by the controller, either on a case-by-case
basis or through clear instructions provided to the processor in the contract
before the start of the processing. Also, the deadlines set out by Chapter III cannot be
extended by the controller based on the fact that the necessary information must be
provided by the processor."[3]
The guidelines also give the following example, to which Nordax refers concerning
the relationship between Nordax and Iper:
"Example: Market research 1 Company ABC wishes to understand which types of
consumers are most likely to be interested in its products and contracts a service
provider, XYZ, to obtain the relevant information. Company ABC instructs XYZ on what
type of information it is interested in and provides a list of questions
to be asked to those participating in the market research. Company ABC receives only
statistical information (e.g., identifying consumer trends per region) from XYZ and does
not have access to the personal data itself. Nevertheless, Company ABC decided that
the processing should take place, the processing is carried out for its purpose and its
activity and it has provided XYZ with detailed instructions on what information to
collect. Company ABC is therefore still to be considered a controller with respect of the
processing of personal data that takes place in order to deliver the information it has
requested. XYZ may only process the data for the purpose given by Company ABC
and according to its detailed instructions and is therefore to be regarded as
processor."[4]
In the literature, Öman points out the following.
"The legal person which engages another legal person to process personal data, e.g.
for storing and disseminating or for collecting and processing the personal data, is
normally considered to be the data controller, and the engaged company a personal data
processor. This applies even if it is the engaged company, and not the company which engages it,
that has the knowledge of how best to process the personal data, such as how to
store, collect, disseminate and process them, and the resources to do so. In fact, the
company which engages the other has decided the means of processing the personal data by
employing a company that can use certain methods. This may involve outsourcing IT
operations or hiring a company to collect personal data within the framework of
market research."
Rights of the data subject
According to Article 12(3) of the GDPR, the controller shall provide information on
action taken on a request under Articles 15 to 22 to the data subject without undue
delay and in any event within one month of receipt of the request. That period may be
extended by two further months where necessary, taking into account the complexity
and number of the requests. The controller shall inform the data subject of any such
extension within one month of receipt of the request, together with the reasons for the
delay.
Pursuant to Article 12(6), where the controller has reasonable doubts concerning the
identity of the natural person making the request referred to in Articles 15 to 21, the
controller may request the provision of additional information necessary to confirm the
identity of the data subject.
[3] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, paragraph 132.
[4] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, page 19.
Under Article 15(1), the data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or her are being
processed, and, where that is the case, access to the personal data from the
controller.
Pursuant to Article 17(1), the data subject shall have the right to obtain from the
controller the erasure of personal data concerning him or her without undue delay, and
the controller shall have the obligation to erase personal data without undue delay
where one of the grounds set out in that article applies.
Under Article 21(2) and (3), the data subject shall have the right to object at any time
to processing of personal data for direct marketing purposes concerning him
or her. Where the data subject objects to processing for direct marketing purposes, the
personal data shall no longer be processed for such purposes.
Assessment of the Authority for Privacy Protection (IMY)
On the basis of the complaint in this case, IMY examined the company’s conduct in the
individual case. Therefore IMY will not consider whether the company’s current
procedure for processing requests is compatible with the GDPR, but may take into
account possible improvements when considering choice of corrective measures.
Is Nordax the data controller for the processing in question, and has the company
been obliged to deal with the complainant's requests to exercise his rights?
The question in this case is whether Nordax has had an obligation to comply with the
complainant's requests for access, erasure and objection under the GDPR and, if so,
whether the company handled the complainant's requests correctly. In order to
examine this, IMY first needs to consider whether Nordax is the controller
for the processing of personal data in this case.
Nordax has stated that the company is the data controller for the processing.
The processing consists of the fact that the company Iper — on behalf of Nordax and
based on selection criteria that Nordax determines — makes a selection from Iper’s
address register and provides addresses for the sending of direct marketing to a third
company that Nordax hires to make the mailings. Nordax argues that the company
itself does not deal with any data, as the data provided by Iper to Nordax are de-
identified.
The investigation shows that Nordax initially failed to comply with the complainant's
first requests for access and erasure pursuant to Articles 15 and 17 on the grounds
that the company does not process or store the complainant's personal data and that
the complainant should instead contact Iper directly. IMY notes, however, that a party
need not have access to or store personal data in order to be considered the
controller for a particular processing operation. What matters is who determines
the purposes and means of the processing.
Since the processing consisting of the selection from Iper's address register for direct
marketing is carried out on behalf of Nordax and based on the selection criteria that
Nordax has decided, IMY finds that Nordax determines the purposes and means of
the processing and is therefore the controller for the processing. This means that
Nordax is responsible for handling the complainant's requests, either by handling the
requests itself or by giving clear instructions to, for example, a data processor, so that
the data processor is able to do so.[5]
Nordax's argument that it is not responsible for
Iper's address register does not alter that.
Nordax's statement that it receives only de-identified data from Iper is
irrelevant to the company's responsibility to deal with the complainant's requests.
Nordax is responsible for the processing of personal data carried out by Iper, namely
the selection of recipients for the advertising received by the complainant to which the complaint
relates.
There is therefore no need to consider whether the data received by Nordax are
de-identified in such a way that they are no longer personal data. IMY points out that any
information that can directly or indirectly identify a natural person is personal data,
including information that has been encoded, encrypted or pseudonymised but which
can be linked to a natural person with the help of additional information.
Since IMY has found that Nordax is the data controller for the processing that
the complaint concerns and is therefore responsible for ensuring that the
complainant’s requests to exercise its rights under the GDPR are dealt with, IMY goes
on to investigate whether Nordax handled the requests correctly under the Regulation.
Has Nordax handled the complainant's requests to exercise his rights in
compliance with the GDPR?
Request for access
It is apparent from the investigation that the complainant submitted his first request
for access to the company on 5 December 2018. The request was worded in such a way
that the complainant wished to receive access to all data stored by the company on
the complainant and information about what the data was used for. Nordax did not
take any action other than to inform the complainant that the complainant's personal
data were not being processed by the company and that the request could therefore
not be met. At the same time, Nordax described its process for selection and
dispatch of addressed direct marketing and which address provider Nordax uses for
the selection of addresses. The complainant subsequently submitted his second request
for access on 11 February 2019, to which Nordax replied on 12 February by referring to
its previous reply to the complainant.
During the investigation, Nordax stated that it should have interpreted the
complainant's requests as a request to exercise his right of access under Article 15
of the GDPR and provided the complainant with the data and information
to which the complainant was entitled, with the assistance of Iper. IMY shares this
assessment. IMY notes in that regard that, in his request, the complainant
referred to stored data, but that it should nevertheless have been clear to Nordax
that the complainant intended to exercise his full right of access, and that it is Nordax's
responsibility, as data controller for the processing, to ensure that the request
was handled.
Furthermore, IMY notes that Nordax has still not complied with the request, even
though the company now admits that it is obliged to do so. Nordax has
stated that it can comply with the complainant's request for access if the complainant
so wishes. IMY notes, however, that nothing suggests that the
request is no longer relevant, such as the complainant having withdrawn it.
By failing to comply with the complainant's request for access, Nordax has
processed personal data in violation of Article 15 of the GDPR.
[5] EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, paragraph 132.
Request for deletion
It is apparent from the investigation that, on 5 December 2018, the complainant also
submitted his first request for deletion. Nordax did not take any action other than to
inform the complainant that the complainant's personal data were not processed by
the company and that the request could therefore not be met. At the same time,
Nordax described its process for selection and dispatch of addressed direct
marketing and which address provider Nordax uses for the selection of addresses. The
complainant subsequently submitted his second request for deletion on 11 February
2019, to which Nordax replied on 12 February by referring to its previous reply to the
complainant.
Article 17(3) of the GDPR provides an exhaustive list of the
grounds on which a request for erasure may be rejected. That the controller
does not itself store the data being processed is not such a ground. As IMY has stated above, the
company is obliged to deal with the complainant's requests, which the company
has not done. Nordax has thus processed personal data in violation of Article 17 of the
GDPR by not handling the complainant's requests for erasure without undue delay.
Request for objection
The investigation shows that Nordax perceived that, on 5 December 2018, the
complainant also submitted an objection to the processing of personal data for
direct marketing purposes pursuant to Article 21(2) GDPR. Nordax informed the
complainant how the complainant could proceed to object to further direct marketing
and requested additional information from the complainant in order to be able to fulfil
that right. However, the complainant did not return with additional information.
IMY considers that, as the request was worded, the complainant had not invoked its
right of objecting to direct marketing. IMY therefore notes that Nordax did not have
any obligation to deal with it as such a request, but welcomes the fact that
Nordax nevertheless provided information on how the complainant could proceed to
block further direct marketing.
However, the complainant lodged his first actual objection to further direct
marketing on 11 February 2019. Nordax informed the complainant that he had
been blocked from further direct marketing, but that information was at that point
incorrect. By giving the complainant incorrect information on 12 February
2019 about the measures taken in response to the complainant's objection, namely
that the complainant's data had been blocked from further direct marketing
mailings, Nordax acted in violation of Article 12(3).
The complainant lodged his second objection on 9 July 2019. Nordax
replied to the complainant on 16 July 2019, referring to previous replies on how
the complainant could try to block himself from further marketing. The company
did, however, block the complainant from further addressed direct marketing on 9 July
2019, but did not inform the complainant of this measure.
Against this background, IMY takes the view that Nordax has satisfied the
complainant's second objection pursuant to Article 21(2) of the GDPR.
In Nordax's reply to the second objection, the company asked the complainant to submit
additional information in order to comply with the request, even though the information
already in the request was, according to Nordax itself, sufficient to satisfy the
request directly. Nordax has thereby requested additional information that was
not necessary to confirm the identity of the data subject, in violation of Article 12(6).
Furthermore, Nordax did not inform the complainant that, in response to his
second objection, the complainant had been blocked from further addressed
direct marketing. Nordax has thereby failed to fulfil its obligation under Article
12(3) to provide the data subject with information on the measures taken under
Article 21, and has thus processed personal data in breach of Article 12(3) of
the GDPR.
Choice of corrective measure
It follows from Article 58(2)(i) and Article 83(2) of the GDPR that IMY has the
power to impose administrative fines in accordance with Article 83. Depending on the
circumstances of the case, administrative fines shall be imposed in addition to, or in
place of, the other measures referred to in Article 58(2), such as orders and
prohibitions. Furthermore, Article 83(2) sets out which factors are to be taken into
account when deciding on administrative fines and in determining the amount of the
fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of
imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider are
the aggravating and mitigating circumstances of the case, such as the nature, gravity
and duration of the infringement and any previous relevant infringements.
IMY notes the following relevant facts. Nordax has stated that it has taken action
by reviewing its procedures to ensure that incorrect information is not
sent again and by reviewing how the company handles data subjects' rights regarding
processing carried out on the company's behalf by the company's processor.
According to IMY, the infringements found occurred relatively far back in time,
were partly due to human error and affected one person. In addition, the company
has not previously been found to have acted in breach of the GDPR.
Against this background IMY considers that it is a minor infringement within the
meaning of recital 148 and that Nordax Bank AB must be given a reprimand pursuant
to Article 58(2)(b) of the GDPR.
Since the company has not handled the complainant's request for access even though
the company is obliged to do so, IMY considers that there is reason, in accordance with
Article 58(2)(c), to order the company to comply with the complainant's request to
exercise his right of access under Article 15, with the exception of information which is
subject to any applicable derogation provided for in Article 15(4). This is done by
giving the complainant access to all personal data that Nordax processes regarding
the complainant, by providing the complainant with a copy of the personal data referred
to in Article 15(3) and by providing the information referred to in points (a) to (h) of Article 15(1)
and in Article 15(2). The measures shall be implemented no later than two weeks after this
decision has become final.
The company has also failed to deal with the complainant's request for erasure even
though the company is obliged to do so. IMY therefore considers it appropriate,
on the basis of Article 58(2)(d), to order the company to deal with the complainant's
request for erasure of all personal data referred to in Article 17 by assessing whether
there is personal data which the company is obliged to erase in accordance with
Article 17 and, if so, to erase the data and inform the complainant in accordance
with Article 12(3) or (4). The measures shall be completed no later than two weeks after the
date on which this decision has become final.
Furthermore, Nordax did not inform the complainant about the measure which had been
taken, namely that the complainant had been blocked from further addressed direct
marketing, in response to the complainant's second request to exercise his right to
object to processing for direct marketing purposes. IMY considers it appropriate,
pursuant to Article 58(2)(d), to order the company, in accordance with Article 12(3), to
provide the complainant with information on the measures which have been taken in
response to the complainant's request to exercise his right to object to processing
for direct marketing purposes. The measures shall be implemented no later than two
weeks after this decision has become final.
_________________________________________________________
This decision has been approved by the specially appointed decision-maker
after presentation by legal advisor
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy
Protection. Indicate in the letter which decision you appeal and the change you
request. The appeal must have been received by the Authority for Privacy Protection
no later than three weeks from the day you received the decision. If the appeal has
been received at the right time, the Authority for Privacy Protection will forward it to the
Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
any privacy-sensitive personal data or information that may be covered by
confidentiality. The authority's contact information is shown on the first page of the
decision.