GDPR Rights in Sweden: Court confirms that authority must investigate complaints

The Stockholm administrative court held that a complainant under Article 77 GDPR has the right to request a decision from the Swedish Data Protection Authority (IMY) after six months.

By noyb.eu (guest author) · November 16, 2022

The Stockholm administrative court held that a complainant under Article 77 GDPR has the right to request a decision from the Swedish Data Protection Authority (IMY) after six months. So far, the IMY took the view that users are not a party in procedures concerning their own GDPR rights. The right to get a decision within six months also applies if the IMY opens a parallel ex officio investigation into the same company.

One month according to the GDPR turns into three years in reality

In January 2019, a user filed a complaint with the Austrian DSB in response to Spotify’s insufficient answer to his access request. The complaint was forwarded to the Swedish IMY, which is responsible for Spotify. Since then, the case has not been decided. Instead, the Swedish DPA claimed to have a broader investigation into Spotify – for more than three years by now. Under the GDPR, everyone would have a right to access their data. The deadline for responding to an access request under the GDPR is one month.

Request to decide rejected. Under Swedish law, a party can request a decision within four weeks, if an authority has not decided within six months. Following three years of inactivity, the complainant requested a formal decision under Section 12 of the Swedish administrative law, which was rejected by the Swedish IMY, arguing that it is undertaking a parallel ex officio investigation into Spotify and that the complainant is not a party to the procedure.

IMY violated GDPR and Swedish Law

Following an appeal by noyb against the inaction of the DPA, the Stockholm administrative court held that Swedish law does not deny complainants party status, as recently argued by the Swedish IMY. Consequently, the decision by the Swedish regulator to exclude a user from investigation into a complaint he filed was incompatible with the GDPR.

It says a lot about GDPR enforcement, if regulators don’t even want to grant users the right to fight for their rights. Denying users the status as a party means that they cannot enforce their rights. We therefore welcome the decision in Sweden, but there are still authorities in other EU Member States that do not grant party rights.” – Stefano Rossetti, Data Protection Lawyer at NOYB

Swedish IMY to revise enforcement model. The Swedish court ordered the IMY to process and investigate the complaint. The decision has a wider effect for all users in Sweden, as they can rely on the court ruling when enforcing their rights via the IMY.

We are happy to have opened up the option for anyone in Sweden to enforce their rights before the IMY. We are reviewing the situation in other member states too.” – Stefano Rossetti, Data Protection Lawyer at NOYB

The article was first published by noyb.eu here.

Contribution by: EDRi member, noyb