Tietosuojavaltuutetun toimisto (Finland) - TSV/91/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/91/2020 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242283 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan...")
 
mNo edit summary
Line 65: Line 65:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=fred
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]
|
|
}}
}}

Revision as of 19:03, 7 October 2024

Tietosuojavaltuutetun toimisto - TSV/91/2020
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(2) GDPR
Article 15 GDPR
Article 15(3) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started: 27.04.2020
Decided: 30.08.2024
Published: 27.09.2024
Fine: n/a
Parties: Finnish Tax Administration
National Case Number/Name: TSV/91/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA reprimanded the Finnish Tax Administration for making it unnecessarily burdensome to submit an access request and ordered it to facilitate the use of a representative for access requests.

English Summary

Facts

The Finnish DPA was notified that the Finnish Tax Administration (the controller) had made unreasonable demands in order to fulfil the access request and had refused to provide a copy of the data subject's personal data to their agent. The data subject, who was resident abroad, had requested the controller to provide the personal data either by secure email or, alternatively, to the Finnish postal address of their representative. The DPA then asked the controller to explain how it facilitated the exercise of data subject rights.

In response to the request, the controller clarified that it could only provide the personal data directly to the data subject, as the right of access under Article 15 GDPR is a personal right and requires the data subject’s own request.

The controller also stated that it could not provide a copy of the data subject’s personal data by email. Instead, the controller suggested that the data subject could view their personal data by logging into the controller's secure MyTax service. Alternatively, the access request could be made in writing by sending a hand-signed request on the controller's form, in which case the controller would provide the personal data to the data subject by post.

Holding

On the basis of the information provided by the controller, the DPA considered that the data subject's request could not be properly fulfilled by directing the data subject to view their personal data on the controller's online service, but that the controller should have provided the data subject with a copy of the personal data in accordance with Article 15(3) GDPR.

The DPA noted that the controller could not require the data subject to sign the access request or to submit it by post. Such requirements do not facilitate the exercise of data subject rights, as required by Article 12(2) GDPR, but on the contrary make it unnecessarily burdensome to submit an access request. The DPA emphasised that the GDPR does not impose any formal requirements for requests regarding data subject rights.

The DPA found that the GDPR does not prevent the use of a representative, for example, to obtain copies of documents related to an access request. Therefore, the controller should not have rejected the data subject's request on this ground alone.

On the basis of the information gathered, the DPA held that the controller violated Article 12(2) GDPR.

As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to bring its processing operations into compliance with the GDPR with regard to the handling of access requests, including the possibility of using a representative.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Thing
Implementation of a personal data inspection request, exercise of the inspection right through an agent

Registrar
Tax Administration

Explanation given by the initiator
On April 27, 2020, the initiator has told the data protection commissioner's office that he has not been able to find out with the Tax Administration whether his friend's husband's phone number [phone number deleted] has been erroneously recorded in the Tax Administration's company data.

The initiator has also submitted a request for inspection of his own personal data to the Tax Administration. According to the initiator, the Tax Administration has made unreasonable demands for the implementation of the request, and the initiator has been required, for example, to sign the request. According to the initiator, the data controller had also not approved that copies of the initiator's personal data be delivered to his agent instead of the initiator.

Statement given by the registrar
The registrar has been asked to clarify the matter with a clarification request dated June 2, 2021. The registrar has issued a written statement on 16 June 2021.

According to the report provided by the registry keeper, on April 8, 2020, the initiator submitted a request for inspection of personal data and wanted information about the phone number recorded in the data of [company name deleted] (hereinafter also the company). The initiator has wanted his phone number to be removed from the company's records if necessary. The background of the requests has been a call received by the initiator from the Tax Administration, in which a person related to the company has been sought. According to the registrar's report, the representative of the company had previously called the Tax Administration, and the Tax Administration had later contacted the person in question by phone from the number from which he had called the Tax Administration.

Regarding the possibility of the initiator's phone number ending up in the company's data, the registrar has stated the following: When a customer calls the Tax Administration, the phone number is not saved in the customer's contact information, but in connection with the transaction in question. The registry keeper does not consider that the initiator's phone number could have ended up in the contact information of the initiator's friend's husband's company through this.

The registrar states in his report that due to § 1 and § 4 of the Act on Publicity and Confidentiality of Tax Information (1346/1999), tax information concerning the company, such as the company's contact information, must be kept secret. The registrar states in its report that it has considered that it cannot provide the initiator with information about the company's taxation information, which is considered the company's phone number.

Regarding the personal data inspection request, the controller states in his report that the initiator has demanded that the Tax Administration send his personal data via secure e-mail or give the information by post to an agent in Finland. In its response, the Tax Administration has told the initiator that access to personal data in accordance with Article 15 of the General Data Protection Regulation is a personal right and requires the person's own request.

According to the registrar, if the request is made in writing, for example, the person's information will be sent to a postal address known to the Tax Administration. The Tax Administration does not send this information to the agent. The registrant has told the initiator that access to own data is primarily realized in the OmaVero service of the Tax Administration, where transactions are secure. Access to one's own data can also be done in writing, so that the person sends the request signed by hand.

The equivalent of an initiator
The request for a response from the data protection authorized office has been delivered to the initiator on June 16, 2021. The initiator has not given any compensation in the case.

Applicable legislation
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) and the specifying national data protection act (1050/2018) apply in this case.

According to Article 5(1)(d) of the General Data Protection Regulation, personal data must be accurate and, if necessary, updated; must take all possible reasonable measures to ensure that personal data that is inaccurate or incorrect in relation to the purposes of the processing is deleted or corrected without delay ("accuracy").

According to Article 12(2) of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22.

According to Article 15 of the General Data Protection Regulation, the data subject has the right to receive confirmation from the controller that personal data concerning him or her is being processed or that it is not processed, and if it is processed, the right to access the personal data and the information in accordance with Article 15, paragraph 1, subparagraphs a–h. According to paragraph 3 of the article, the controller must provide a copy of the personal data being processed. If the data subject requests several copies, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be submitted in a commonly used electronic format, unless the data subject requests otherwise.

According to Article 16 of the General Data Protection Regulation, the data subject has the right to demand that the controller correct inaccurate and incorrect personal data concerning the data subject without undue delay.

Article 17 of the General Data Protection Regulation provides for the data subject's right to have the data controller delete the data subject's personal data.

A legal issue
The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

It has to be evaluated

1) Whether the controller's procedure in handling the initiator's personal data inspection request was in accordance with Article 12(2) of the General Data Protection Regulation

2) Should the data controller be ordered to provide the initiator with information about which phone number is recorded in the [company's] data

Decision and reasons of the Deputy Data Protection Commissioner
The procedure of the controller in handling the request for inspection of the initiator's personal data, as detailed in the reasons for this decision, has not been in accordance with Article 12(2) of the General Data Protection Regulation.

Regulation

The controller is given an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of the General Data Protection Regulation in the processing of requests for inspection of personal data, including with regard to enabling the use of an agent. Pursuant to this order, the controller must also process the personal data inspection request submitted by the initiator on April 8, 2020.

Note

The data controller is given a notice in accordance with Article 58(2)(b) of the General Data Protection Regulation to the extent that the data controller has required the submission of the request regarding the exercise of the data subject's rights again, in paper form, drawn up on a specific form, signed and delivered by mail or to the data controller's office.

The deputy data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders it to submit a report on the measures taken to the data protection commissioner's office by October 31, 2024, unless the data controller applies for an amendment to this decision regarding the order. If an amendment to the order given in the decision of the Deputy Data Protection Commissioner is requested, and the decision of the Deputy Data Protection Commissioner does not change as a result of the appeal, a report on the measures must be submitted to the Office of the Data Protection Commissioner within two months after the appeal has been finally resolved, without a separate request.

Regarding legal question 2, the deputy data protection commissioner gives guidance to the controller.

Reasoning
Processing of personal data verification request
The initiator has submitted a personal data inspection request in accordance with Article 15 of the General Data Protection Regulation to the data controller by e-mail and requested to receive his own personal data processed by the Tax Administration. The initiator has said that he is staying abroad, and he has requested that the information be delivered to him either via a secure e-mail connection or to his agent's Finnish postal address.

The controller has presented the initiator with the following options for processing the personal data inspection request:

1) The initiator logs into the OmaVero service and looks up his personal information from the service there
2) The initiator sends a signed request (form 8235) to the Tax Administration (endnote 1) and the Tax Administration sends a reply to the postal address of the initiator at the Tax Administration
3) The initiator requests his information pursuant to the Publicity Act

Implementation of the request for a copy by directing the registered person to check his data in the remote service

The initiator has asked the data controller to send the information about his personal data either by email or letter. The request meant that the initiator wanted to receive a copy of his personal data as referred to in Article 15(3) of the General Data Protection Regulation. The controller has presented the initiator as one implementation option of the inspection request, that the initiator can, for example, log into the controller's remote service and view his personal data from there.

Introductory paragraph 63 of the General Data Protection Regulation states that, if possible, the data controller should be able to offer remote access to a protected system where the data subject gets direct access to his personal data. Based on the report obtained in the case, the electronic service of the data controller is about this kind of remote access.

According to the report obtained in the case, the initiator did not want to use the remote access offered by the data controller, but he wanted copies of his data either by e-mail or by letter. According to Article 15(3) of the General Data Protection Regulation, the controller must provide the data subject with a copy of the personal data being processed. According to the same article, if the data subject submits the request electronically, the information must be submitted in a commonly used electronic format, unless the data subject requests otherwise. According to the opinion practice of the European Data Protection Board, "Granting access in a way other than by providing a copy does not exclude the data subject's right to also receive a copy, unless he decides not to request it". (endnote 2)

In itself, the controller could have told the registered person about the option to check their personal data via a remote service. However, if the data subject wants a copy of his data, the controller must provide one to the data subject. Enabling remote access cannot replace giving a copy.

The request made by the initiator has not been properly implemented in the case being evaluated now by directing the initiator to view his personal data on the controller's electronic service, but the controller has had to provide the initiator with a copy referred to in Article 15(3) of the General Data Protection Regulation. In the case, it must therefore be assessed whether the controller has properly implemented the initiator's inspection request in another way.

Requirements set by the registrar for the processing of a personal data inspection request

The registrar has offered the initiator the option of sending the registrar a personally signed personal data inspection request prepared on the form of the Tax Administration. The request has been submitted either to the Tax Administration's office or by letter. The register keeper has said that he will send his response to the request to the postal address of the initiator in the Tax Administration.

Regarding the procedure, it should be noted that Section 28 of the Personal Data Act (523/1999) stipulated the following: "Anyone who wishes to check the information concerning themselves as referred to in Section 26 must submit a request to this effect to the registrar in a handwritten or similarly certified document or in person with the registrar". The Personal Data Act has been repealed by the Data Protection Act (1050/2018), which entered into force on January 1, 2019.

The general data protection regulation has started to be applied on 25 May 2018. The General Data Protection Regulation does not set corresponding basic requirements for submitting a request for inspection of personal data. Instead, Article 12(2) of the General Data Protection Regulation explicitly requires that the data controller facilitates the exercise of the data subject's rights. (endnote 3)

Taking into account the above, the data controller has not been able to make it a condition for processing the data subject's request regarding the exercise of rights that the request be signed or presented in person at the data controller's place, or that it be delivered by mail. Such basic requirements for submitting a request do not facilitate the exercise of the data subject's rights as required by Article 12(2) of the General Data Protection Regulation, but on the contrary, they make the submission of a request unnecessarily difficult.

Nor has the registrar had the right to require the request to be submitted on a specific form. There are no format requirements set for requests regarding the rights of the data subject in the General Data Protection Regulation. (endnote 4)

Introductory paragraph 59 of the General Data Protection Regulation states that the controller should offer the means to submit requests regarding the data subject's rights electronically, especially when personal data is processed electronically. Thus, taking this into account, the controller has not been able to require that the initiator who submitted the request by e-mail, for example, submits his request again in another electronic format or on paper.

The Deputy Data Protection Commissioner orders the data controller to bring the processing operations in line with the provisions of the General Data Protection Regulation when processing requests for inspection of personal data. Pursuant to this order, the controller must also process the personal data inspection request submitted by the initiator on April 8, 2020. For the sake of clarity, this regulation does not contain a statement on what the final result of the processing of the inspection request should be in this individual case.

Using an agent in exercising the right of inspection

The initiator has asked the controller to deliver copies of his personal data either by email to the initiator or to the Finnish postal address of the initiator's agent. The registrar has stated that copies cannot be delivered by e-mail and that copies can only be delivered to the initiator himself.

The Data Protection Commissioner has stated in his decision-making practice during the period of the Personal Data Act (523/1999) that the right to inspect personal data is an emphasized personal right and that the inspection request cannot be made through a lawyer or other agent, but must be made personally. In this case, it should be noted that the general data protection regulation has been applied since May 25, 2018. The Data Protection Commissioner's previous position is from the era of the Personal Data Act, which was repealed due to the General Data Protection Regulation.

The General Data Protection Regulation does not prevent the use of an agent in the matter of the right to inspect data, i.e. for receiving copies of documents related to the request for the right to inspect personal data. The initiator's request has therefore not been rejected solely on this basis.

The European Data Protection Board has stated the following regarding the application of the inspection right regulation of the General Data Protection Regulation: "Although data subjects can generally use the right of access to information in matters concerning themselves, it is possible that a third party submits a request on behalf of the data subject. […] In this case, national laws on legal representation (for example powers of attorney) should be taken into account, which may have specific requirements regarding the demonstration of authorization to make a request on behalf of the data subject, as the General Data Protection Regulation does not regulate this issue”. (endnote 5)

The Deputy Data Protection Commissioner orders the data controller to bring the processing operations in line with the provisions of the General Data Protection Regulation also with regard to this procedure.

Requesting information under the Publicity Act

In the exchange of messages between the registry keeper and the initiator, based on the report received, the right to access information based on the Act on the Publicity of the Authority's Activities (621/1999, the "Publicity Act") has also been discussed. Regarding that, it should be noted that the Deputy Data Protection Commissioner does not have the authority to direct the application of the Publicity Act, and the Deputy Data Protection Commissioner therefore does not take a position in his decision on the possibilities of the initiator to obtain access to information under the Publicity Act.

Request to get information about the phone number registered in the company's information
The initiator has tried to find out which phone number is recorded in the company's data processed by the Tax Administration, and if necessary, to have his phone number removed from the company's data.

Based on the report obtained in the case, the initiator has not been sure whether his phone number is in the company's data, which is processed by the Tax Administration. The initiator has considered it possible that his phone number has ended up in the company's data, because he has received a call about the company from the registrar. According to the report obtained in the case, the registrar has called the initiator and sought out the person who called the Tax Administration from the initiator's number a few days earlier.

The controller has told the data protection commissioner's report to the office that when a customer calls the Tax Administration, the phone number is not saved in the customer's contact information, but in connection with the transaction in question. The registry keeper does not consider that the initiator's phone number could have ended up in the contact information of the initiator's friend's husband's company through this. The controller has said that he replied to the initiator on April 8, 2020 as follows:

"The customer has the right to call the Tax Administration from any phone number, in which case the phone number used by the customer is either his own or someone else's number. The phone number used by the customer is visible to the clerk and saved in this transaction. However, the phone number is not saved in the customer's contact information. Therefore, your phone number should not be in the customer information of your friend or the company represented by your friend.

In the situation you described, you could have been contacted due to the fact that your friend's matter (founding a company) involved a need for clarification or guidance. In that business situation, it has apparently not occurred that the number used by your friend is not his or her company and you have suffered from this. We apologize for the inconvenience you suffered."

Based on the report provided by the registrar, the company's representative has called the registrar from the initiator's mobile phone. The registrar has called this number back and reached out to a company representative. The initiator's mobile phone would thus appear to have been used by another person.

Based on the report obtained in the case, the controller has tried to find out with the initiator the need to correct the phone number recorded in the information about the company. Based on the report, however, the initiator has not continued to clarify the matter with the data controller in these respects, but based on the report received, the processing of the matter has therefore remained unfinished between the parties. The deputy data protection officer directs the controller to find out, if possible, whether the correction of the data is appropriate. This also requires cooperation from the initiator. In assessing the need for correction, it is important to take into account, in addition to other things, the intended use of the information requested to be corrected.

It should be noted that the controller has, for example, the obligation according to Article 5(1)(d) of the General Data Protection Regulation to take all possible reasonable measures to ensure that personal data that are inaccurate and incorrect in relation to the purposes of the processing are deleted or corrected without delay. If necessary, it is also possible for the data subject to make a request for correction or deletion of personal data in accordance with Article 16 or 17 of the General Data Protection Regulation. The controller must assess whether the request made in the individual case is such that it is possible to implement it. The controller must also understand to take measures if it becomes aware that certain parts of the personal data it processes may need to be corrected.

Regarding the possibility of data correction, it can also be stated that the information that a certain person has called the data controller from a certain phone number is not incorrect solely on the basis that the caller does not own the mobile phone in question. The information is also not necessarily one that the owner of the phone would have the data subject's right to correct according to the data protection regulation, but the data controller must assess this on a case-by-case basis. However, the controller must in any case, based on its obligation according to Article 5(1)(d) of the General Data Protection Regulation, examine whether it is, for example, appropriate to correct the information taking into account the purposes of the processing.