On October 19, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2020-10545, as issued on October 17, 2023, in which it imposed a fine of SEK 350,000 (approx. $31,850) on Hennes & Mauritz GBC AB (H&M), for violation of the General Data Protection Regulation (GDPR).

Background to the decision

In particular, IMY highlighted that it received six complaints from individuals who objected to direct marketing from H&M, but that the data subjects continued to receive direct marketing from H&M. Notably, IMY clarified that the complaints were received from multiple jurisdictions but that the complaints were handled by IMY since H&M has its headquarters in Sweden.

Findings of IMY

Following its investigation, IMY determined that since the right to object to direct marketing is an unconditional right under Article 21(1) of the GDPR, there is no room for individual examination of whether an objection should be accepted. Accordingly, IMY found that owing to the absence of a legal basis for processing data subjects' personal data, H&M was in violation of Article 6(1) of the GDPR.

Further, IMY recognized that in accordance with Articles 12(3) and 21(3) of the GDPR, individuals in charge of personal data must, without undue delay and within one month after the request is received, take measures in connection with the request and provide information about measures taken. Therefore, the failure of H&M to take action on the data subject's complaints for three months after the receipt was determined as a violation of both Articles 12(2), 12(3), and 21(3) of the GDPR.

Outcomes

Therefore, IMY imposed the abovementioned fine on H&M for violating the GDPR.

You can read the press release here and the decision here, both only available in Swedish.