Clear & Concise and Everything Nice: What the IMY Decision Means for Your Privacy Notice

Fox Rothschild LLP

What can we learn about disclosures and how to draft privacy notices from the Swedish IMY decision, and why is it important both for companies subject to the GDPR and for companies subject to the CPRA, CDPA, CPA and UCPA?

Takeaway 1: You can get a 725,000 EUR fine for privacy notice transparency violations.

Takeaway 2: Go back and read the EDPB Guidelines on Transparency and on Automated Decision Making, which are referenced heavily throughout the decision.

Other takeaways:

Purpose and Recipients:

  • State your purpose and legal basis, clearly. Omitting an explanation of the purpose and legal basis for the processing from your privacy notice is not only a GDPR Art. 12 violation, but also a violation of the Art. 5 fairness and lawfulness principle. (This was also said by the DPC Ireland in the Facebook and WhatsApp cases.)
  • When listing your purposes, you have to match each processing activity to its purpose (also stated in the FB and WA cases).
  • Stay away from saying "may."
  • Your privacy notice must include complete and clear information about the recipients of the various categories of personal data. (The inclusion of categories of recipients is also required by the US privacy laws.)

Cross Border Transfers:

Under the GDPR, your notice must state which countries outside the EU/EEA personal data were transferred to (listing the specific countries) and where and how the individual can access or obtain documents regarding the protection measures that applied to the transfer to third countries (e.g., a link to the registration or document).

Data Retention:

  • You need to provide information about the periods for which personal data will be stored and the criteria used to determine those periods (this is also required by the CCPA/CPRA).
  • It is not enough to state generally that the personal data is retained for as long as is necessary for the legitimate purposes of the processing.
  • You need to provide the retention term for each processing activity.

Individual Rights:

  • You need to provide information about the individual rights. (Under the GDPR, this means the rights relevant to the processing. Under the CCPA, this means all of the rights.)
  • The IMY rejects the following formulation of the right to deletion and says that it is a violation of Art. 5, but does not say what a better formulation would be:

"Right to be deleted. You have the right to request the deletion of your personal data, for example when it is no longer necessary to process the data for the purpose for which it was collected, or if you revoke your consent. However, as described in Sections 3 and 9 above, Klarna needs to comply with certain laws that prevent us from immediately deleting certain information"

  • For the right to restrict processing, the notice needs to differentiate between objection to marketing and objection to processing.
  • For the right to data portability, it cannot be included under the header "data access." (Mind your headers; this was also stated by the DPC in the FB and WA cases.)

Profiling and Automated Processing:

You need to provide meaningful information about the logic behind automated decision-making, such as profiling, and about its significance and anticipated consequences (CPRA regulations on this are coming). This includes information about which categories of data are decisive within an internal scoring model, and whether there are conditions in the controller's decision-support system that always lead to a refusal.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
