Nordea Bank – Dismissed (Sweden, 2023)

The data subject requested access from the controller, the Swedish branch of the Nordea Bank. The data subject requested a recording of a conversation between one of the controller’s employees and the data subject himself. The data subject only received a copy of the conversation without the voice of the controller’s employee. The data subject filed a complaint at the Swedish DPA (Integritetsskydds myndigheten, IMY) for a violation of the right of access under Article 15 GDPR as the data subject did not receive a copy of the conversation that included the voice of the controller’s employee. The controller argued that it had complied with the request by allowing the data subject to listen to the recording on site at the controller’s branch. The data subject had also been offered a transcript of the phone conversation and a copy of the audio file with the recording in which the controller’s employee’s voice had been edited out. According to the DPA, the right of access under Article 15 GDPR implies that the controller is obliged to provide a data subject with the requested copy of the processed personal data. However, the DPA notes that this right to a copy must not adversely affect the rights and freedoms of others. The DPA explains that the purpose of the right of access is to ensure that the data subject is aware that the processing is taking place and can verify its lawfulness. The right to obtain a copy of personal data includes a right for the data subject to obtain an accurate and intelligible reproduction of all personal data that the controller processes about them. The DPA held that the data subject’s voice in the telephone conversation is personal data of the data subject and thus the data subject is entitled to receive a copy of this telephone conversation. However, the DPA also held that the voice of the controller's employee does not constitute personal data concerning the data subject. Therefore, a transcript of the telephone conversation is sufficie