The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, ‘IMY’) has dealt with a GDPR-complaint regarding the Nordax Bank.

Facts
This bank has instructed another company, Iper Direkt, to provide direct marketing services, including an address register, to the bank. Someone has complained with Nordax and asked for erasure of his/her personal data. Nordax is of the opinion that the complainant should go to Iper for that. Nordax was willing to institute a block on addressed direct marketing regarding complainant and has provided general information to the complainant that Nordax may process the complainant’s personal data in order to maintain a block on addressed direct marketing. The complainant did not provide the requested personal data (pre- and surname and full address) to Nordax. According to the decision at a later date complainant was  blocked against further direct marketing mailing regarding Nordax products.

Decision
In the decision IMY points out that Nordax is the controller, as Nordax determines the purposes and means of the processing of personal data. It can not refer to Iper for complying with GDPR-requests of data subjects.

IMY is of the opinion that Nordax unnecessarily asked the complainant to submit additional information in order to comply with the blocking request, even though the existing information in the request according to Nordax was sufficient to actually satisfy the request directly. For this reason Nordax has requested additional information that has not been necessary to confirm the identity of the data subject in violation of Article 12(6) GDPR. Further Nordax has breached GDPR by failing to inform complainant that it had blocked complainant against further addressed direct marketing.

The violations of the GDPR are grounds for IMY to issue a reprimand to Nordax and to issue some orders to the bank to correct its practices:

• to comply with complainant’s request to exercise its right of access, “This is done by providing the complainant access to all personal data that Nordax process regarding the complainant by arranging a copy to the complainant of the personal data referred to in Article 15(3) and provide information pursuant to points (a) to (h) of Article 15(1) and 15.2.“;
• to comply with complainant’s request for erasure;
• to provide the complainant with information on the measures which been taken in response to the complainant’s request to exercise his right of objection to processing for direct marketing purposes.

More information:

• Unofficial translation of the IMY decision of 27 June 2022 on the site of EDPB.