Vinnsla persónuupplýsinga af hálfu Easy Park AB.
Mál nr. 2020082101
Þegar um vinnslu persónuupplýsinga yfir landamæri er að ræða þarf að huga að samræmdri beitingu persónuverndarreglugerðarinnar (ESB) 2016/679. Í slíkum tilvikum ber persónuverndarstofnun þess lands þar sem ábyrgðaraðili er með höfuðstöðvar jafnan ábyrgð á meðferð máls. Nefnist sú persónuverndarstofnun forystustjórnvald og sér m.a. um að samræma rannsóknaraðgerðir í samvinnu við persónuverndarstofnun þess ríkis sem hinn skráði er búsettur.
----
Í þessu tilviki barst Persónuvernd kvörtun yfir vinnslu persónuupplýsinga af hálfu Easy Park AB. Fyrirtækið Easy Park AB er með höfuðstöðvar í Svíþjóð og því um vinnslu persónuupplýsinga yfir landamæri að ræða. Persónuvernd tilkynnti sænsku persónuverndarstofnuninni (IMY) um kvörtun kvartanda og hóf síðarnefnda stofnunin rannsókn málsins með úttekt á vinnslu persónuupplýsinga kvartanda í samræmi við kvörtun. Taldi sænska persónuverndarstofnunin að ekki hefði verið sýnt fram á að vinnsla Easy Park AB á persónuupplýsingum um kvartanda umrætt sinn hefði brotið gegn persónuverndarreglugerðinni. Þann 25. apríl 2024 gaf sænska persónuverndarstofnunin út bráðabirgðarákvörðun í málinu og í samræmi við 8. mgr. 60. gr. reglugerðar (ESB) 2016/679 samþykkti Persónuvernd ákvörðun sænsku persónuverndarstofnunarinnar.
Decision
of the Icelandic Data Protection Authority to adopt a decision of the Swedish Authority for Privacy Protection regarding a complaint lodged with the Icelandic Authority against Easy Park AB.
Background and Procedure
1 The Icelandic Data Protection Authority (DPA) received a complaint from [A] (“complainant”) on July 30th, 2020, stating that Easy Park AB (“Easypark”) processed his personal data in breach of Article 9 and Article 17 of the Icelandic Data Protection Act no. 90/2018, cf. Article 6(1) (lawfulness of the processing) and Articles 12, 13 and 14 (Transparency and Information).
2 The Icelandic DPA submitted the complaint to the Swedish Authority for Privacy Protection (IMY), as the responsible supervisory authority for the company’s operations pursuant to Article 56 of the GDPR and in accordance with the provisions of the GDPR on cooperation in cross-border processing. IMY initiated a supervision regarding Easypark and sent a letter to the company on 29 November 2023, in order to investigate whether the company was the data controller for the processing in question. The investigation also included whether Easypark collected the complainant's location data and on what legal basis the complainant's data may have been processed, as well as whether Easypark provided the complainant with information about the processing of his personal data when the data was collected. Easypark gave IMY its response on 3 January 2024. The Icelandic DPA forwarded the company’s response to the complainant on 14 March 2024. The complainant has not replied.
Arguments
Arguments of the Complainant
3 The complainant claims that Easypark collected his location through his mobile application without having clearly communicated this in advance and without having obtained his consent. According to the complainant, the location data is collected around the clock, even when the app is not in use.
Arguments of Easypark
4 Easypark stated that they have deleted most of the personal data about the complainant for the year 2020, i.e. the period to which the complaint relates. Easypark therefore lacks logs from the period regarding how the complainant's location data was processed. For this reason, Easypark mostly provided general answers to how they have processed location data.
5 Easypark has stated, with reference to their privacy policy annexed to their response, that they generally process location data in order to provide their services and to be able to analyse and improve their services. The processing of location data for the purpose of providing the services is carried out in accordance with the policy pursuant to Article 6(1)(b) of the GDPR and the processing of location data for the purpose of carrying out maintenance, promoting security and developing the services is carried out in accordance with the policy on the basis of Article 6(1)(f) of the GDPR. It is stated in the policy that in cases where the processing of location data is not necessary to provide the services, the processing is carried out with the support of the consent of the data subjects. According to the policy, this consent can be revoked at any time by changing the settings in the app. In accordance with the policy, location data is stored for a maximum period of 23 months after the end of the customer relationship. According to Easypark, the personal data policy has been provided to all customers in Iceland.
6 Easypark believes that regardless of the purpose for which location data is processed, it is incorrect that location data is collected around the clock. Easypark also rejects the complainant's claim that they would have processed the complainant's location data in the present case. According to the Easypark, in the present case, the complainant paid for a twelve-minute parking period which ended automatically after the parking period expired. What is likely to have happened since then is that the complainant attempted to terminate the parking, which was not possible because the parking had already been terminated automatically. Location data was not a factor at all in this context.
Applicable provisions, etc.
7 In order for the processing of personal data to be lawful, the controller must be able to support the processing on a lawful basis in accordance with Article 6(1) of the GDPR. The processing must also comply with the basic principles set out in Article 5(1) of the GDPR.
8 In accordance with Article 5(1)(e) of the GDPR, personal data may not be kept in a form which permits identification of the data subject for longer than is necessary for the purposes for which the personal data are processed (the principle of storage limitation). Under Article 5(2) of the GDPR, the controller is also responsible for demonstrating compliance with the fundamental principles (the principle of accountability).
9 Recital 39 of the GDPR states that personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This requires, in particular, that it be ensured that the period for which personal data are stored is limited to a strict minimum. In order to ensure that personal data are kept for no longer than necessary, the controller should introduce time limits for erasure or for regular verification.
10 According to Article 13 of the GDPR, when a controller collects personal data from a data subject, the controller must, when the personal data are obtained, provide the data subject with certain information, including, inter alia, the legal basis for the processing.
Assessment of IMY
Prerequisites and Delimitation of the Resolution of the Case
11 On the basis of the complaint in the case, IMY has only examined Easypark’s conduct on a case-by-case basis. The purpose of the supervision was to investigate whether the processing in question had support on a lawful basis and whether the complainant was informed about the processing of personal data when the data were collected. The supervision has not covered whether Easypark’s personal data processing was otherwise compliant with the GDPR.
Legal basis for the processing
12 Easypark states that, in the present case, they did not process the complainant’s location data, since the complainant had paid for a limited time parking. Easypark further states that they have deleted most of the logs from the period in question and that they cannot therefore answer whether the complainant’s location data has been processed for any other purpose.
13 IMY notes that, although Easypark is responsible for demonstrating compliance with the principles of the GDPR, pursuant to Article 5(2), they also have an obligation to erase personal data which are no longer necessary for the purposes for which they were collected, pursuant to Article 5(1)(e). Easypark must, for that purpose, limit the retention period to a strict minimum and impose time limits for erasure. Easypark’s privacy policy states that they have established procedures for erasure of location data and that the storage of such data has been limited to 23 months after the end of the customer relationship. In the present case, it has passed more than three years since the complainant used the service and any collection of location data took place. IMY therefore takes the view that the fact that Easypark has deleted the logs about the complainant demonstrates that Easypark followed its erasure procedure and thus acted in accordance with Article 5(1)(e) and 5(2) of the GDPR.
14 IMY further notes that, although Easypark has deleted the logs and cannot, for that reason, explain whether there has been any processing of the complainant’s location data for another purpose, there are no circumstances in the present case to suggest that this is the case. The complainant states that he has used Easypark’s parking app on an individual occasion. According to IMY, Easypark’s statement that what occurred on that occasion is that the complainant paid for a limited time parking where no location data was collected appears to be credible and reasonable. IMY has not received any reply from the complainant from the Icelandic Data Protection Authority. The investigation therefore suggests that there has been no processing of the complainant’s location data in the present case. In the light of the above, IMY’s assessment is that it has not been demonstrated that Easypark has failed to comply with the GDPR as alleged in the complaint.
Information to the complainant
15 Easypark has stated that all their customers in Iceland have received a copy of their personal data policy. The personal data policy is based on the grounds on which Easypark processes the complaint’s location data. The complainant states, as he must be understood, that he was unable to find relevant information on how the location data was used or how consent was obtained for the processing.
16 IMY’s assessment is that if all of Easypark’s customers in Iceland received a copy of the personal data policy in connection with their use of the parking app, which IMY finds no reason to call into question, it is likely that the complainant also took note of the policy. Against this background, and in view of the likelihood that the information sought by the complainant could not be found because it was based on a misunderstanding, IMY notes that the investigation does not reveal that Easypark has failed to fulfil its obligation to provide information to the complainant under Article 13 of the GDPR.
17 In view of the above IMY finds that the investigation has not shown that Easypark has processed the complainant’s personal data in breach of the GDPR in the manner alleged in the complaint.
18 Pursuant to Article 60(8) of the GDPR the Icelandic Data Protection Authority hereby adopts IMY’s decision that Easypark has not processed the complainant’s personal data in breach of the GDPR in the manner alleged in the complaint.
D e c i s i o n
Easy Park AB has not processed
the complainant’s personal data in breach of the GDPR in the manner alleged in
the complaint.
The Icelandic Data Protection Authority,
13 June 2024
Valborg Steingrímsdóttir Edda Þuríður Hauksdóttir