Technology

Expensive right of access requests

Legal news
15 January 2024
Denmark, Sweden, Norway

The Swedish Authority for Privacy Protection has fined a digital music service SEK 58 million for failing to comply with right of access requests. Although users were given access to their personal data, they did not receive sufficient information on how it was being used. Also, users did not receive the information in a clear and comprehensible way.


The Swedish Authority for Privacy Protection inspected a digital music service after receiving complaints about how it handled right of access requests. Access requests were handled by giving users access to three different layers of data, categorised as “Type 1”, “Type 2” and “Type 3”. The three types covered the following data:

  • Profile information and data deemed of most interest (playlists, streaming history, searches, etc.)
  • Technical log files connected to the user ID
  • Specifically requested data (history on a specific date, extended history, unstructured data, etc.)

Type 1 data could be downloaded and accessed within seven days via the privacy settings website or by contacting customer service. Type 2 and Type 3 data could be accessed within two to four weeks by submitting a request via a privacy form, customer service or the DPO.

Upon submitting access requests, users received additional information, including links and files to help users understand their data. Links could be accessed in different languages, while the files were only in English as a default.

Transparent (local) language requirement

The Swedish Authority for Privacy Protection found that the company did not comply with the data protection rules as the information to users was not sufficiently clear.

It emphasised that a layered approach may work, but not when users were unable to understand how to access other layers or the data within each layer. Information must be provided in a clear, plain and easily accessible format and language. For each layer, users were provided with information that, by nature, was very technical without further explanation.

Consequently, additional measures should have been taken to help users understand the description of the data. The authority noted that one such measure would have been to provide the information in the user’s local language rather than in English by default.

IUNO’s opinion

Nothing prevents companies from applying layered approaches when designing how to structure access requests. There is also no direct requirement for information to be provided in a specific language. However, the decision of the Swedish Authority for Privacy Protection shows that indirect requirements may apply to ensure that data is transmitted in a transparent and plain way.

IUNO recommends that companies ensure a focus on transparency as part of all processing operations. Transparency is important, and a balanced approach is necessary to ensure that data subjects receive neither too much nor too little information. As this decision shows, fines may be high even if the infringement is considered to be of low severity. We have previously written about the requirements for access requests here.

The decision has been appealed, and we are following the developments closely.

[The Swedish Authority for Privacy Protection decision of 12 June 2023 in case DI-2019-6696]


Anders Etgen Reitz, Partner
Kirsten Astrup, Managing associate (on leave)
