Tietosuojavaltuutetun toimisto (Finland) - TSV/2/2018
From GDPRhub
| Tietosuojavaltuutetun toimisto - TSV/2/2018 | |
|---|---|
 | |
| Authority: | Tietosuojavaltuutetun toimisto (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 17(3)(e) GDPR Article 58(2)(b) GDPR § 4 Act on the Expiry of Debts |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 20.07.2018 |
| Decided: | 06.05.2024 |
| Published: | 16.05.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | TSV/2/2018 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Finnish |
| Original Source: | Finlex (in FI) |
| Initial Contributor: | fred |
The DPA reprimanded a telecom operator for storing customer data for more than three years, which was considered a justified period of time to defend against possible invoicing claims.
English Summary
Facts
The Finnish DPA was notified that a telecom operator (the controller) had refused to erase the data subject's personal data relating to their customer relationship. The DPA then asked the controller to explain why it had refused the erasure request and for how long it stored the personal data of its customers.
In response to the request, the controller clarified that it could not comply with the data subject's request because the processing was necessary according to Article 17(3)(e) GDPR. The controller stated that, according to Section 4 of the Finnish Act on the Expiry of Debts, the general expiry limit of for debts is three years. Therefore, the controller could not erase the personal data because three years had not passed since the end of the customer relationship.
The controller also stated that customer data older than three years should have been deleted from its systems through an automatic deletion process, which had not been done due to a technical error. However, the controller stated that it had already manually deleted the data subject's personal data at a later stage.
Holding
On the basis of the information provided by the controller, the DPA considered that the controller was entitled to store the data subject's personal data for three years after the end of the customer relationship. The DPA stated that if the controller deleted the data subject's personal data, it would not be able to defend itself against possible invoicing claims by customers or other creditors.
However, the DPA found that the controller had still violated Article 17(3)(e) GDPR because, despite the data subject's request, it had not erased such personal data, which should have been removed from its systems even before the data subject's request. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Thing
The data subject's right to delete data
Registrar
Mobile operator
This decision replaces the decision of the Deputy Data Protection Commissioner issued on April 23, 2024 with the same reference number TSV/2/2018.
The registrar has requested that the factual error be corrected on May 3, 2024. The controller has announced that the decision of the Deputy Data Protection Commissioner on 23 April 2024 did not take into account the additional explanation it gave on its own initiative on 8 April 2022, nor the answer given to the supplementary question on 5 December 2023 in its entirety. The decision of the Deputy Data Protection Commissioner has now been corrected pursuant to section 50 subsection 1 point 1 of the Administrative Act (434/2003).
The parties involved have not been given the opportunity to be heard in the correction procedure. Pursuant to Section 34, Subsection 2, Clause 5 of the Administrative Act, the matter can be resolved without hearing the parties involved, if the hearing is obviously unnecessary. Obtaining reports would not change the way the case is resolved. The registrar himself has taken the initiative to correct the error. The matter can be resolved on the basis of the applicable legislation and the facts brought to the attention of the data protection authorized office.
The initiator's requirements with reasons
On 20 July 2018, the initiator has initiated a case at the data protection commissioner's office, which concerns the processing of personal data by the data controller. The initiator has said that he requested that the data controller delete all the initiator's information in his possession. At that time, the controller had not implemented the initiator's request to delete the data.
Statement received from the registrar
The registrar has been asked to clarify the matter. The registrar has issued his report on 3 April 2020.
In the report provided, it has been established that the initiator had used mobile phone subscriptions, the last of which had been terminated in 2019. The initiator had also had a previous customer relationship with the data controller, and this customer relationship had ended in 2007. The information about this previous customer relationship should have been removed from the data controller's information systems in an automatic deletion process, which was not however, had occurred due to a technical error situation. The information had concerned the initiator's customer role and address. This information has since been manually deleted from the controller's information systems in March 2020.
After the removal request was made, the processing of the initiator's data for the purposes of direct marketing and marketing communication was decided and all marketing to the initiator was blocked. According to the report given below, with regard to mobile phone subscriptions, the initiator's customer data has been included in the data deletion process carried out in 2023.
The report also states that personal data will only be stored as long as it is necessary to fulfill the purposes defined in the data protection statement of the data controller, if the legislation does not require otherwise. Information processed on the basis of a contractual relationship is basically kept for the duration of the contractual relationship or as long as the delivery of services requires. After the end of the contractual relationship or the delivery of services, personal and proxy data have been found to be kept as long as there is a need for them, for example within the framework of unfinished matters, invoicing, complaints or warranty periods. Furthermore, it has been established that the initiator's need to process customer data is related to the processing of possible invoicing complaints. It has been said that such customer data processed in the invoicing process is generally kept for three years from the end of the calendar year in which the customer relationship with the data controller has ended. The general three-year statute of limitations for claims stipulated in Section 4 of the Act on Statute of Limitations of Debt (728/2003) has been cited as the basis for this.
The equivalent of an initiator
The initiator is given the opportunity to give a response in the case. The initiator has given his response on April 9, 2020. In its response, the initiator has, among other things, expressed surprise that the retention of the data is justified by a technical fault situation.
Additional explanation received from the registrar
Additional clarification has been requested from the registrar. The registrar has given his additional explanation on 7 May 2020, 15 April 2021 and 8 April 2022. In addition, on 5 December 2023 and 16 January 2024, the controller has answered detailed questions regarding the matter put to it.
In the additional explanation provided, it has been established that the customer data processed in the billing process, which the data controller had still kept at that time for the initiator, refers to basic personal data as well as brokerage and location data. The basic personal data to be stored are the customer's identification information, contact information, and information on the start, change, and end dates of customerships for various services, information on ordered products and services as well as service validity information and delivery addresses, information on invoices including information on which services they have been applied to, invoicing dates and invoiced amounts, information the initiator's browsing history in the controller's own pages service (through which the initiator has access to his billing information according to the additional explanation) and information about the communication between the initiator and the controller. In addition to this information, the registrar had kept information about the marketing bans made by the initiator and the status of marketing permits.
The forwarding and location data are said to be deleted in the automatic data deletion process. According to the maximum retention period stipulated in § 139 of the Act on Electronic Communication Services (917/2014), the controller has been told to keep transmission data for three years and location data for two years from the communication event.
In connection with the answer to the clarifying question on December 5, 2023, it was stated that in 2022 the data controller had developed its procedure for deleting data. In this context, the storage period for data processed on the basis of the contractual relationship was shortened, and is now said to be generally three years from the end of the customer relationship.
In addition, as a clarifying answer, the controller has stated that its subscription sales are mainly invoiced in retrospect, which means that the last invoice is scheduled for the period after the end of the customer relationship.
In connection with the answer given to the detailed questions on 16 January 2024, it was stated that the complaint possibility according to the law on the limitation of debt entitles the customer to complain to the data controller about the service it provides for a maximum of three years from the end of the service. It has also been submitted that the general three-year limitation period for claims provided for in Section 4 of the Act on the Limitation of Debt is read according to Section 7 of the aforementioned Act with respect to a possible compensation in compensation based on a breach of contract, from when the buyer has discovered an error or deficiency in the object of sale. It has been continued by stating that the customer must notice a possible error or deficiency in the service provided by the data controller no later than when the service ends. After this, the customer has the opportunity to complain about the service and its billing to the data controller within the general three-year limitation period. As stated in the answer, the retention of the data controller's personal data for three years from the end of the customer relationship is based, among other things, precisely on this possibility of the customer's invoicing complaint. For example, even after paying the bill, the customer can later complain about the allegedly non-functional service. The customer may also terminate the contract when, among other things, he is dissatisfied with the services offered to him. In the given answer, it has been separately stated that the retention period for an individual invoice may be longer, as the expiration of the debt may be interrupted, for example, due to the initiation of collection actions, agreement on payment arrangements, or payment.
On applicable legislation
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) applies in this case. As a regulation, the legislation is immediately applicable law in the member states. The general data protection regulation is specified in the national data protection act (1050/2018).
A legal issue
The Deputy Data Protection Commissioner assesses and decides the initiator's case on the basis of the General Data Protection Regulation as mentioned above. The Deputy Data Protection Commissioner must decide whether the data controller has had the grounds set out in Article 17, Section 3 of the General Data Protection Regulation to refuse the data subject's request for data deletion.
Decision and reasons of the Deputy Data Protection Commissioner
Decision
The controller has had the grounds set out in Article 17(3)(e) of the General Data Protection Regulation to refuse the initiator's request in July 2018 to delete the initiator's personal data related to the terminated mobile phone subscription in 2019. (This decision per se does not apply to proxy and location data for which the controller has defined a retention period other than the three-year retention period calculated from the end of the customer relationship currently being evaluated.)
The controller had not had the basis set out in Article 17, paragraph 3, letter e of the General Data Protection Regulation to deny the initiator's request in July 2018 regarding the initiator's personal data related to the customer relationship that ended in 2007.
Note
The Deputy Data Protection Commissioner gives the data controller a notice under Article 58(2)(b) of the General Data Protection Regulation with the reasons shown below.
Reasoning
About the right to delete data and data retention and retention periods
Pursuant to Article 17(1)(a) of the General Data Protection Regulation, the data subject has the right to have the data controller delete the personal data concerning the data subject without undue delay, and the data controller has the obligation to delete the personal data without undue delay if the personal data is no longer needed for the purposes for which they were collected or for which they were otherwise processed. As stipulated in Article 17(3)(e) of the General Data Protection Regulation, the aforementioned Article 17(1) does not apply if the processing is necessary for the preparation, presentation or defense of a legal claim.
Furthermore, according to recital 65 of the preamble of the General Data Protection Regulation, a natural person should have the right to "be forgotten" if the retention of data violates this regulation or the Union law or Member State legislation applicable to the data controller. In particular, the data subject should have the right to have his personal data deleted and not processed after the personal data are no longer needed for the purposes for which they were collected or for which they were otherwise processed, or when he has objected to the processing of his personal data or when the processing of his personal data otherwise does not comply with the provisions of this regulation.
Regarding the mobile phone subscription terminated in 2019, the initiator's request to delete the data had not been implemented. It has been said that personal data will be kept as long as there is a need for it, for example within the framework of unfinished business, invoicing, complaints or warranty periods. It has also been established that the initiator's need to process customer data was related to the processing of possible billing complaints. It has been said that such customer data processed in the invoicing process is generally kept for three years from the end of the calendar year in which the customer relationship with the data controller has ended. The general three-year statute of limitations for claims stipulated in Section 4 of the Act on Statute of Limitations of Debt (728/2003) has been cited as the basis for this.
However, in connection with the answer given to the clarifying question on December 5, 2023, it was stated that the data controller had developed its data deletion procedure in 2022. In this context, the storage period for data processed on the basis of the contractual relationship was shortened, and is now said to be generally three years from the end of the customer relationship.
Article 5, paragraph 1, letter e of the General Data Protection Regulation provides for limiting the storage of personal data. Personal data must be kept in a form from which the data subject can be identified only for as long as is necessary to fulfill the purposes of the data processing. The storage period for personal data must therefore be as short as possible. According to recital 39 of the preamble of the General Data Protection Regulation, personal data should only be processed if the purpose of the processing cannot reasonably be fulfilled by other means. Personal data should therefore not be stored longer than necessary.
It should be noted that the data protection working group in accordance with Article 29 has given practical instructions ("instructions on transparency") on the principle of transparency. (Guidelines for transparency according to Regulation 2016/679, WP260 rev.01, issued on 29 November 2017, last revised and approved on 11 April 2018.) According to these guidelines, the retention period (or the criteria for determining it) may be affected by, for example, statutory requirements or sector-specific guidelines. If necessary, different retention periods should be defined for different personal data groups and/or processing purposes. (Guidelines for transparency in accordance with Regulation 2016/679, WP260 rev.01, issued on 29 November 2017, last revised and approved on 11 April 2018, pp. 38–39.)
In the additional explanation provided, it is specified that the customer data processed in the invoicing process, which the data controller had still kept for the initiator, refers to basic personal data as well as brokerage and location data. The basic personal data to be stored are the customer's identification information, contact information and information on the start, change and end dates of customerships for various services, information on ordered products and services as well as service validity information and delivery addresses, information on invoices including information on which services they have been applied to, invoicing dates and invoiced amounts, information the initiator's browsing history in the controller's own pages service (through which the initiator has access to his billing information according to the additional explanation) and information about the communication between the initiator and the controller. In addition to this information, the registrar had kept information about the marketing bans made by the initiator and the status of marketing permits.
Section 4 of the Act on the Limitation of Debt (728/2003) provides for a general limitation period. This period is three years. According to the mentioned law, the debt expires after three years from the time referred to in Sections 5–7, unless the limitation period has been interrupted before then. As stipulated in Section 5 of the same law, the limitation period begins to run from the due date, if it is binding on the debtor in advance. Furthermore, as stipulated in section 7 subsection 1 point 1 of the same law, the limitation period for compensation based on a breach of contract begins to run when the buyer has discovered an error or deficiency in the object of sale. As stated in the preambles of the law, this last mentioned section 7 subsection 1 point 1 applies to the limitation period for refunds based on faulty performance or other contractual violations. The statute of limitations begins when the buyer or other recipient of the performance has discovered or should have discovered an error or deficiency in the object of the transaction or another flaw in the performance of the other contracting party. (See HE 187/2002 vp, p. 45. It should also be noted that, in general, performance is considered faulty if it deviates from the agreed upon or from the level that is considered the usual quality level, see HE 187/2002 vp, p. 46.)
The deputy data protection commissioner considers that, based on the report received, the data controller has the right in principle to process the basic personal data defined by its mobile phone subscription customers in such a way that their retention period can be considered to be three years after the customer relationship with the data controller has ended. (This decision per se does not apply to proxy and location data for which the data controller has defined a retention period other than the three-year retention period calculated from the end of the customer relationship currently under evaluation.) For the sake of clarity, it must be stated that no grounds have been presented in the case on the basis of which such data would have been appropriate keep for three years from the end of the calendar year in which the customer relationship with the data controller has ended. The retention period of three years, which is considered appropriate, is therefore calculated from the end of the customer relationship, as stated above. If such personal data were to be deleted before three years have passed since the end of the customer relationship, the controller would not necessarily have the opportunity to defend himself in a situation where the buyer or other creditor makes claims based on a mistake.
Based on the above, the data controller had the grounds set out in Article 17, paragraph 3, letter e of the General Data Protection Regulation to deny the initiator's request in July 2018 to delete the initiator's personal data related to the terminated mobile phone subscription in 2019.
Finally, it should be noted that the initiator's personal data related to the aforementioned mobile phone subscription has since been deleted. Therefore, it is not necessary to evaluate in more detail whether the data controller should now be ordered to delete this information.
Article 25 of the General Data Protection Regulation provides for built-in and default data protection. As stipulated in paragraph 2 of the mentioned article, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. Article 25, paragraph 2 of the General Data Protection Regulation, together with Article 5, paragraph 1, subparagraph e, concerning the limitation of storage, imposes a clear obligation on the controller to make sure that personal data is stored only for the time necessary for the purpose of its processing.
However, personal data of the initiator related to the customer relationship that ended in 2007 was still included in the data controller's information systems in July 2018, even though the data should have been removed from the data systems in an automatic deletion process three years after the end of the calendar year in which the customer relationship ended, according to the retention period defined by the data controller itself. Despite the fact that the data in question had been stored due to a technical error situation significantly longer than the retention period defined by the data controller itself would have required, the data controller had not deleted the data even based on the request made to the data controller by the initiator in July 2018. This information was manually deleted from the data controller's information systems only in March 2020.
Based on the above, the data controller has not had the basis provided for in Article 17, paragraph 3, letter e of the General Data Protection Regulation to deny the initiator's request in July 2018 regarding the initiator's personal data related to the customer relationship that ended in 2007.
The Deputy Data Protection Commissioner issues a notice to the data controller pursuant to Article 58, Section 2, Subsection b of the General Data Protection Regulation. The data controller has acted in a reprehensible manner, because despite the initiator's request, it had not deleted information that should have been removed from the data controller's information systems several years before the initiator's request. This information was manually deleted from the data controller's information systems only in March 2020. The Deputy Data Protection Commissioner draws attention to the fact that an explanation has been requested from the data controller with a clarification request dated 6 March 2020, and the statement dated 3 April 2020 stated the above, i.e. that the data was only deleted in March 2020.
