Nordax Bank AB – Complaint Upheld (Sweden, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Sweden's privacy authority found that Nordax Bank mishandled a customer's request to access and erase their data. The bank wrongly told the customer that another company was responsible for their data, which violated GDPR rules. This decision highlights the importance of companies understanding their responsibilities when handling personal data.
What happened
Nordax Bank incorrectly told a customer that another company was responsible for their personal data requests.
Who was affected
A customer of Nordax Bank who requested access to and erasure of their personal data.
What the authority found
The Swedish authority found that Nordax Bank violated GDPR by not properly handling the customer's data access and erasure requests.
Why this matters
This case underscores that businesses must clearly understand their data responsibilities and cannot pass off customer requests to third parties. Companies should ensure they have clear processes for handling data requests to comply with GDPR.
GDPR Articles Cited
Nordax (controller) is a Swedish bank. The bank entrusted a processor, Iper Direct AB (Iper), to manage its customers' address register. According to Nordax, this processor was the controller in all matters regarding this register and was also responsible for answering data subject requests related to any processing of this register's personal data. Iper's task was to provide another processor of Nordax with a selection of e-mail addresses, which this second processor used for direct marketing purposes on behalf of Nordax. The selection of addresses from Iper's address register was also carried out on behalf of Nordax and was based on selection criteria determined by Nordax.
The decision does not explicitly mention whether or not the data subject used to be a (former) customer of the controller. It also does not explicitly state that the data subject received direct marketing e-mails from the controller. The latter is, however, most likely, given the data subject's objection to direct marketing, which was eventually granted by the controller (will be further discussed below).
Round 1 (Access 1 and Erasure 1)
On 5 December 2018, the data subject filed an access request and an erasure request with Nordax, which the controller answered on 6 December 2018. The access request asked about all data relating to him and the way Nordax used it. The controller replied to the access request that it did not process and/or store the personal data of the data subject and was therefore unable to comply with the request. Rather, the controller informed the data subject that the personal data was processed by its appointed processor, Iper, which was responsible for the address register of the bank and for managing data subject rights related to any processing regarding this register. Furthermore, Nordax at first did not classify the data subject's request as an access request, but as an objection to processing. Bas
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Nordax Bank AB in SE
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Nordax Bank AB - Sweden (2022). Retrieved from cookiefines.eu