The Swedish DPA IMY – Court Ruling (Sweden, 2023)

A data subject filed a complaint against a bank with the Swedish DPA IMY, claiming he was denied access to his personal data. The DPA chose to close the case, explaining that they had informed the bank about the complaint to allow them to evaluate their own processing and rectify any shortcomings. The data subject appealed to the Administrative Court (Förvaltningsrätten) in Stockholm, but the appeal was dismissed. The court stated that the DPA's decision not to act on his complaint doesn't impact him in a way that qualifies for an appeal. Subsequently, the data subject took his appeal to the Administrative Court of Appeal (Kammarrätten), which also rejected it. The court argued that the decision did not significantly affect the data subject and was, therefore, not eligible for an appeal under the relevant legal criteria. Ultimately, the case reached the Supreme Administrative Court (SAC). The Supreme Administrative Court (SAC) overturned the decisions of the Administrative Court of Appeal and the Administrative Court, and referred the case back to the Administrative Court for reconsideration. In their ruling, the SAC cited Article 78(1) GDPR, which pertains to the right to an effective remedy against legally binding decisions made by a DPA. They referred to [https://gdpr.fan/r141 Recitals 141] and [https://gdpr.fan/r143 143], highlighting that a data subject should have access to effective legal remedy at the competent national court against a DPA's decision that legally impacts them. The SAC noted an example from Recital 141, including cases where the DPA dismisses or rejects a complaint, either wholly or partially. The SAC determined that a decision indicating the DPA's refusal to take the action requested in a complaint should be viewed as a legally binding decision, which is appealable under Article 78(1) GDPR. Therefore, since the data subject's complaint did not result in the desired actions, he is entitled to appeal.