Region Uppsala – Court Ruling (Sweden, 2024)

The data subject lodged a complaint against the controller, the Region Uppsala, at the Swedish DPA (“IMY”) for recording telephone conversations without a legal basis for the processing. The DPA sent an information letter to the controller, informing them of the complaint, the applicable law and closed the case without taking any further action. The DPA held that the purpose of the letter was to give the controller the opportunity to review its processing and to correct any shortcomings themselves. The DPA therefore did not see any grounds to investigate the complaint further. The data subject appealed this decision at the Administrative Court of Stockholm (“Förvaltningsrätten I Stockholm”), arguing that the DPA has the obligation to take effective measures to limit violations. As the letter stated that the DPA did not intend to take further action, there was no incentive for the controller to remedy its violations. Therefore, the data subject argued that the DPA failed to investigate the matter with due diligence, even though it was clear from the complaint that the controller did not have a legal basis for its processing. The data subject further argued that information letters are not a corrective measure under Article 58 GDPR and can therefore not constitute as an effective measure. The data subject argued that this was also not in line with the [https://www.edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en EDPB internal document on Supervisory Authorities’ duties in relation to alleged GDPR infringements]. The IMY held that the appeal should be rejected as the measure was sufficient. The IMY held that if the letter did not result in the controller correcting any shortcomings, the data subject was free to submit a new complaint at a later stage. The court assessed whether IMY had grounds for not investigating the data subject’s complaint further, beyond sending an information letter to the cont