Five years have passed since the EU’s General Data Protection Regulation (GDPR) came into force. But it is not possible to put data protection work to one side; it is something that needs to be reviewed on an ongoing basis. That this is the case is made clear by three of this year’s decisions from the Swedish Data Protection Authority, IMY.
Lack of information to individuals – penalty of SEK 58 million
Under the GDPR, individuals have the right to receive information about what personal data an organisation processes about them and how the personal data is used. Organisations have an obligation to respond to such requests from individuals without undue delay. For organisations to be able to meet these requirements, an updated and structured register of the processing of personal data that occurs in the organisation is required.
The IMY examined how a music streaming service provided information to individuals and found in its decision that, although the music streaming service had disclosed the personal data processed by the company, it had not provided sufficiently clear information on how it was used. It must be easy for individuals to understand how the company uses personal data. Personal data of a technical nature may need to be explained specifically and not only in English, but also in the individual’s own language. The IMY has therefore imposed a fine of SEK 58 million on the music streaming service for failing to provide information on the use of personal data.
Lack of information security – penalty of SEK 35 million
The GDPR also requires organisations to have good information security for the personal data they process. Furthermore, the organisation should have internal procedures to quickly handle incorrect processing of personal data, so-called personal data incidents. The importance of continuously working to ensure good technical security is illustrated by the IMY’s decision regarding an insurance company.
The insurance company had sent an e-mail to a private individual with a link to an offer page. By accessing the offer page and changing a few digits in the browser, it was possible to access other policyholders’ documents, including names, personal identification numbers and financial information. In addition, some health data was also available, i.e. so-called sensitive personal data requiring extra protection.
The IMY made the assessment that the insurance company should have had the opportunity to detect and correct these fundamental flaws. By not doing so, the insurance company has processed personal data in violation of the GDPR and has not taken appropriate technical measures. The company has therefore been ordered to pay a penalty fee of SEK 35 million.
Inadequate procedures for avoiding direct marketing – penalty of SEK 350,000
The GDPR protects individuals from unsolicited direct marketing. The IMY has investigated how a large international fashion company has handled several individuals’ requests to avoid such marketing. In its decision, the IMY has found that the fashion company violated the GDPR’s rules on ceasing, without undue delay, to process the complainants’ personal data for direct marketing, and that there were deficiencies in the systems and procedures regarding the handling of the objections so that the complainants could not, in a simple way, exercise their right to object to direct marketing. For these deficiencies, the fashion company has been ordered to pay a penalty fee of SEK 350,000.
Has your company adapted to data protection rules?
The IMY’s decision above shows the importance of having an updated register of the personal data processing that an organisation carries out, having procedures to be able to respond promptly to requests from individuals, having control over its technical security and having systems, processes and procedures to be able to continuously satisfy the data subject’s right to object in an appropriate manner and in a timely manner. It is therefore important to continuously review the organisation’s data protection work to ensure that your company lives up to the requirements. At Gulliksson, we have solid national and international experience in this area. We are also used to dealing with issues at the interface between technology and law. If you have questions, concerns or need help reviewing your company’s data protection work, you are welcome to contact us.