Tietosuojavaltuutetun toimisto (Finland) - 3021/452/2017: Difference between revisions

From GDPRhub

Revision as of 13:46, 2 March 2020

- 3021/452/2017
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Article 13 GDPR
Article 15(1)(h) GDPR
Article 15(3) GDPR
Article 15(4) GDPR
Article 58(2) GDPR
Type: Complaint
Outcome: Upheld, pending appeal
Started:
Decided:
Published: 02.20.2020
Fine: n/a
Parties: Anonymous
Electricity company
National Case Number/Name: 3021/452/2017
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

A person filed a complaint with the Finnish Data Protection Authority (Tietosuojavaltuutetun toimisto) about not being notified that a sales call had been recorded and about being denied access to the recording of the call.

The Data Protection Authority (DPA) found that the company’s procedure for recording calls did not fulfil the requirements of Articles 5(1)(a), 12(1) and 13 GDPR. The decision highlighted that audio is personal data when it is stored and an individual can be identified from it. As such, companies must inform data subjects when they collect the information. In addition, data subjects have the right to receive a copy of the call. The Data Protection Authority therefore ordered the company to modify its processing operation pursuant to Article 58(2)(d) GDPR.

English Summary

Facts

The data subject received a sales call from an electricity company. After the call, the data subject filed a subject access request, wishing to be informed how the company was aware of his current supplier of electricity, as well as wishing to be informed of other information the controller had about him. During this process, the data subject was made aware of the previous sales call being recorded.

The controller stated that releasing the recording of the sales call could “adversely affect the rights and freedoms” of its employees, relying on the exception in Article 15(4) GDPR. As such, the controller offered two ways to exercise the right of access. The first option was to listen to the recording at the data controller’s office; the second was to listen to the recording by telephone.

Due to the factual basis of the decision, several of the points of contention concern whether there was a difference between the national implementation of 95/46/EC and the GDPR. These issues are not discussed here.

Dispute

The question for the DPA to decide was whether Article 12(1) GDPR in conjunction with Article 15 GDPR requires the data controller to provide a copy of the recording of the sales call.

In addition, the DPA assessed whether the information provided to the data subject conformed to the requirements of Articles 5(1)(a), 12(1) and 13 GDPR.

Holding

Application of Articles 12 and 15 GDPR to call records

The DPA held it as undisputed that call records contain personal data within the meaning of Article 4(1) GDPR.

The DPA highlighted the general requirements under Article 12(1) GDPR for the controller to take appropriate steps to provide the data subject with all information relating to processing of personal data under Article 15 in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”, and that the information should be “provided in writing”, or by other means, including “by electronic means”. In addition, the DPA pointed out that Article 15(3) requires the controller to provide the data subject with a copy of the personal data undergoing processing.

With regard to the controller’s claim that information could not be provided due to Article 15(4) and having to balance the right to access with the rights and freedoms of others, the Data Protection Authority highlighted the wording of Recital 63, and stated that the paragraph was without prejudice to applying access rights to cases such as this.

As such, the DPA found that the practices of the electricity company were not in line with the requirements of the GDPR.

Information on recording of calls

The DPA assessed whether the information provided to the data subject was in line with the requirements of Articles 5(1)(a), 12(1) and 13 GDPR. After assessing the specific circumstances, the DPA found that the information lacked sufficient transparency about the processing, as the data subject was not informed at the start of the call.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Keywords: 	processing of personal data, calls, recording, information, right of access, data subject's rights
Legal basis: 	Decision under the General EU Data Protection Regulation
Registration: 	3021/452/2017

THING

The applicant states that he has received a sales call concerning the supply of electricity. After the sales call, the applicant states that he has sent an inquiry to the registrant requesting information on how the registrant was aware of the applicant's electricity supplier and what other information the registrant has about the applicant. Thereafter, the Sales Manager working for the Registrar has been in contact with the applicant by telephone. In this connection, a record of a previous sales call between the seller and the applicant has been made to the applicant. In his complaint, the applicant states that he was not aware that the sales call was recorded. In addition, the applicant states that the controller did not disclose where the information on the electricity supplier with which the applicant has an existing customer relationship was obtained. According to the applicant, the sales manager who contacted him said that it was a well-known fact that, within the applicant's zip code, electricity was supplied by the electricity company to which the applicant was a customer.

The Applicant states that it has agreed with the Sales Manager that the Applicant will be provided with a sales call record between the Seller and the Applicant and any information the Registrar has about the Applicant. Later, however, according to the applicant, the sales manager has asked the applicant to formally request a call record and the requested information. The registrar has sent the applicant a description of the registrar's registry and informed the applicant of the possibility of coming to the recording site after making a formal request. On the basis of the report, the applicant has not made a formal request to obtain the information requested by the sales manager.

The applicant feels that the controller does not assume the obligations under the Personal Data Act with the seriousness they require, as the controller would not have been able to record the call between the applicant and the controller without notice. In addition, the applicant considers that it has not received the information requested by the controller.

Information from the controller

The controller states in his statement that he describes the sources of personal data in the privacy statement on his website. The privacy statement states that the personal information is collected from public sources, such as public address registers, or from third parties with whom the controller works, such as credit providers, debt collection agencies and marketing partners. When the consumer inquires about the source of the personal data, the sellers have stated, according to the controller, that the personal information has been obtained from Suomen Asiakastieto. The registrar declares that he is a customer of Suomen Asiakastieto, on the basis of which the registrar has obtained the contact details of the applicant.

The registrar states in his further clarification that he has no other sources of information than those previously described which would have provided information on the applicant's current electricity seller. Prior to the sales call, the registrar states that it will combine the address information obtained from the consumer's public sources with a register maintained by Fingrid Oyj, which will obtain the address of that consumer from the electricity grid company. Based on this information, the seller working for the registrar has asked the applicant whether the consumer's electricity sales company may be the same as his local grid company. The registrar says that he does not currently raise a consumer electricity company in sales calls because consumers do not always understand the difference between an electricity company and a power grid company.

The Registrar has stated that it will protect the privacy of its employees in connection with the release of the call record pursuant to Article 15 (4) of the General Data Protection Regulation. According to that Article, the right to obtain a copy within the meaning of Article 15 (3) must not adversely affect the rights and freedoms of others. According to the registrar, the call records contain the personal data of the employees, so it does not send the records to the data subject in order to protect the privacy of the employees when handing over the telephone records.

With regard to call records, the controller states that he currently offers two ways of exercising his registered right of inspection. The first way is to allow the identified person to listen to the recording at the registrar's office, and the second way is to allow the identified person to listen to the recording by telephone.

The registrar states in his statement that he records sales and customer service calls to ensure the rights of the parties and for training purposes. The registrar also states that he will record a separate voucher from the sales call, which remains proof of the transaction if the consumer enters into an electronic contract on the phone. In the applicant's case, there was no electrical contract between the registrar and the applicant, so no separate notice of the recording of the voucher was made. The controller states in his further clarification that he will report the recording. The Controller has further clarified its call recording policy as follows:

1) The Registrar Calling a Non-Customer Consumer: If the call leads to a contract, the sales negotiator will go through a summary of the contract details (so-called voucher). At the beginning of the contract summary, the registrar tells the customer that the sales call is being recorded. The registrar will not record calls if the sales situation does not lead to a contract. In these calls, the recording already started will be paused and the conversation already recorded will be automatically deleted. According to the controller, these records were destroyed when the General Data Protection Regulation became applicable.

2) Controller Calling Existing Customer: If a contract is made with the customer at the initiative of the controller, the details of the contract will be reviewed at the end of the call (voucher). At the beginning of the contract summary, the customer is informed that the sales call is being recorded. The Registrar further states that the Consumer will be sent a Privacy Statement, which will also be available on the Registrar's website, when ordering the electricity contract. This privacy statement describes how to record a customer call to improve the quality of customer service and safeguard the rights of the parties to the contract.

3) The consumer calls the registrar: When calling a telephone number, the consumer is informed before connecting to the customer advisor that incoming calls to the customer service are recorded. In addition, the Controller states that a Privacy Statement has been sent to existing customers when concluding the electricity contract, which states that the Controller will collect sales and customer service call records as personal information.

The applicant's response

The applicant states in the response requested by the Office of the Data Protection Officer that the information on the applicant's electricity provider cannot be found in the sources that the controller has indicated as the source. Furthermore, the applicant states that at no point in the discussion with the Registrar's Sales Manager is mentioned in the request for verification of the records. The applicant further states in his defense that, despite the request sent by the applicant, the controller did not send the information requested by the applicant.

DECISION OF THE ASSISTANT DATA PROTECTION SUPERVISOR

In the process, it should be noted that Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) entered into force on 25 May 2016 and has been applied since 25 May 2018. As a result of the reform of Union data protection law, the Personal Data Protection Act (523/1999) on personal data protection was repealed by the Data Protection Act (1050/2018), which entered into force on 1 January 2019.

RIGHT OF ACCESS TO INFORMATION

The case has been brought to the office of the Data Protection Ombudsman during the period of validity of the Personal Data Act. It is therefore necessary to assess, in accordance with Article 38 (3) of the Data Protection Act, whether Articles 12 and 15 of the General Data Protection Regulation are applicable.

It will then be necessary to determine whether the controller complied with the applicant's request for access to the information (right of access) in accordance with the applicable law.

Choice of applicable law

The General Privacy Regulation has been applicable since May 25, 2018. The act is an EU Regulation and is directly applicable in the Member States. The General Data Protection Regulation is specified by the National Data Protection Act, which entered into force on 1 January 2019. The Data Protection Act repealed the Personal Data Act (523/1999).

The applicant has made a request to the data controller for access during the period of validity of the annulled Personal Data Act. The applicant's request is based on a right under Articles 26 and 28 of the Personal Data Act.

Given that the issue is the realization of the data subject's right of access (right of access), the transitional provision in Article 38 (3) of the Data Protection Act is relevant to the choice of law applicable to the decision. Pursuant to Article 38 (3) of the Data Protection Act, the provisions of Articles 12 and 15 to 18 of the General Data Protection Regulation, which impose broader obligations on the controller than the provisions of the Data Protection Act, applying the provisions of the Regulation would be disproportionate for the controller.

Application of Articles 12 and 15 of the General Data Protection Regulation

Under Article 26 (1) of the Personal Data Act, notwithstanding the provisions on secrecy, everyone has the right to know what information concerning him or her has been or has not been entered in the personal data file after having disclosed the facts. The controller shall at the same time inform the data subject of the regular sources of information in the register and of the use and regular release of the information in the register.

According to Article 15 (1) of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller confirmation that personal data concerning him or her are being processed and, if such data are processed, to have access to personal data and the following information: (c) the recipients or categories of recipients; (d) where possible, the criteria for determining the period for which the personal data will be stored; or, if this is not possible, the criteria for determining this period; (e) the data subject's right to request (g) the right to lodge a complaint to the supervisory authority; (g) where personal data are not collected from the data subject, all available information as to the origin of the data; and (h) automatic decision-making; the existence of profiling as referred to in Article 22 (1) and (4), as well as, at least in these cases, relevant information on the logic involved in the processing as well as the significance of that processing and its potential consequences for the data subject.

The provisions of Article 26 (1) of the Personal Data Act and the provisions of Article 15 (1) (a) to (g) of the General Data Protection Regulation on the right of access are essentially identical in substance. However, the Assistant Data Protection Officer notes that Article 15 (1) (a) (a) (g) of the General Data Protection Regulation provides for more extensive information than Article 26 (1) of the Personal Data Act, which would not allow the data subject to Article 15 (1) (b). (d), (e) and (f).

Where the rule applicable in the present case imposes obligations on the controller which go beyond the provisions of the Personal Data Act, it is necessary to assess whether their application is unreasonable for the controller. In assessing the reasonableness of the application of Article 15 (1) (a) to (ah) of the General Data Protection Regulation, the Assistant Supervisor notes that the applicant would have been entitled under the Personal Data Act to receive and According to the Personal Data Act, the data subject has been entitled to obtain from the controller information similar to (b) above, ie a description of the data subject group or groups and related data (Article 10 (1) (3) Personal Data Act) the exercise of rights in the processing of personal data concerned (Article 24 (1) Personal Data Act).

In the light of the above, the Assistant Data Protection Supervisor considers that if the Personal Data Act were applicable, the applicant would be entitled to access information corresponding to Article 15 (1) (a), (b), (c), (e), (g) and (h). Therefore, only subparagraphs (d) (information on the retention period) and f (right to lodge a complaint to the supervisory authority) would contain information that the applicant would not have been entitled to obtain from the controller under the Personal Data Act.

Provisions concerning the retention period and the right of appeal are irrelevant to the outcome of the case. However, the Assistant Supervisor notes that the information referred to in Article 15 (1) (d) and (f) concerns the obligations of the controller, which are also laid down in the Personal Data Act. When applying the Personal Data Act, the controller has been obliged to comply with the general principles of personal data processing laid down in Chapter 2 of the Personal Data Act, such as the planning of personal data processing and the necessity requirement (Sections 6 and 9 of the Personal Data Act). In addition, the data subject has had the right to refer the matter to the supervisory authority under the Personal Data Act (Article 28 (2) Personal Data Act). The Assistant Data Protection Officer therefore considers that Article 15 (1) (a) a.

Pursuant to Article 28 (1) of the Personal Data Act, a person wishing to verify information relating to himself within the meaning of Article 26 must submit a request to that effect to the controller in a document duly signed or duly authenticated or personally at the controller.

Article 12 (2) of the General Data Protection Regulation requires the controller to facilitate the exercise of the rights of the data subject under Articles 15 to 22. In the cases referred to in Article 11 (2), the controller shall not refuse to act at the request of the data subject in order to exercise the rights under Articles 15 to 22 unless the controller demonstrates that he is unable to identify the data subject. Without prejudice to Article 11, pursuant to Article 12 (6) of the General Data Protection Regulation, where a controller has reasonable grounds to suspect the identity of a natural person who made a request under Articles 15 to 21, the controller may request the submission of additional information necessary to verify the identity of the data subject.

Thus, the General Data Protection Regulation does not contain specific formal requirements for a request for access to data. According to the Personal Data Act, the request must have been submitted to the controller in a handwritten or similarly authenticated document or in person at the controller. This may be interpreted as meaning, for the controller, the broader obligations set out in Article 38 (3) of the Data Protection Act. It is therefore necessary to assess the reasonableness of the application of the provisions of the General Data Protection Regulation to the controller.

It would be unreasonable for the controller to complain that the controller has not exercised the right of the data subject if the request has not been made in accordance with Article 28 (1) of the Personal Data Act. The purpose of this provision was to enable the controller to verify that the person making the request was registered. On the basis of the information provided in the case at issue in the present case, the controller was not in doubt as to the status of the applicant. On the basis of the information received, the controller has also responded orally to the data subject's request by telephone. From the point of view of the controller, the end result is no different depending on whether the Assistant Data Protection Officer would order the personal data to be provided to the data subject or whether the applicant himself / herself would make a new request for information from the controller. Therefore, also taking into account the legal protection of the applicant, the Assistant Supervisor considers that it is not unreasonable for the controller to apply the provisions of the General Data Protection Regulation in force regarding the form of the request.

Under Article 28 (2) of the Personal Data Act, the method of transmission of personal data must, without undue delay, be made available to the data subject by the controller or made available in writing upon request. The information shall be provided in an intelligible form.

Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate steps to provide the data subject with all processing information under Article 15 in a concise, transparent, easily understandable and accessible form, in clear and simple language. The information shall be provided in writing or otherwise and, where appropriate, in electronic form. If the data subject so requests, the information may be given orally, provided that the data subject's identity is otherwise verified. Article 15 (3) of the General Data Protection Regulation requires the controller to provide a copy of the personal data undergoing processing.

According to Article 12 of the General Data Protection Regulation, personal data may, where appropriate, be transmitted to the data subject in electronic form. The manner in which information is communicated verbally or electronically is not explicitly mentioned in the corresponding provision of Article 28 (2) of the Personal Data Act. The provision of Article 12 (1) of the General Data Protection Regulation may be interpreted as imposing broader obligations on the controller. It is therefore for the controller to assess the proportionality of the application of the provision. As the General Data Protection Regulation, under certain conditions, increases the controller's choice of the appropriate form of transmission of personal data in relation to the Personal Data Act, this cannot be considered disproportionate for the controller.

In the light of the above, the EDPS considers that Articles 12 and 15 of the General Data Protection Regulation should apply.

Decision

The data controller has not exercised his right of access under Article 15 of the General Data Protection Regulation.

Pursuant to Article 58 (2) (c) of the General Data Protection Regulation, the Assistant Data Protection Officer orders the data subject to comply with the data subject's request under Article 15 (1) (a) to (h) of the General Data Protection Regulation and Article 15 (3).

As the applicant has not made a request under Article 28 (1) of the Personal Data Act in force at the time of the request, the Assistant Data Protection Officer considers the disclosure provision to be sufficient.

Reasoning

On the basis of the clarification received and the response, the controller has not provided the applicant with the personal information he requested.

In particular, with regard to the provision of call records, the Assistant Data Protection Officer draws attention to the following points.

Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate steps to provide the data subject with all processing information under Article 15 in a concise, transparent, easily understandable and accessible form, in clear and simple language. The information shall be provided in writing or otherwise and, where appropriate, in electronic form. If the data subject so requests, the information may be given orally, provided that the data subject's identity is otherwise verified. Article 12 (2) of the General Data Protection Regulation requires the controller to facilitate the exercise of the rights under Articles 15 to 22. Article 15 (3) of the General Data Protection Regulation requires the controller to provide a copy of the personal data undergoing processing.

The applicant has stated that he has agreed by telephone with the controller to provide the applicant with the personal information and call record requested by the applicant. However, the recordkeeper has not provided the applicant with a record of the call, but has subsequently indicated the possibility of coming to the recording on the spot following a formal request for access. This practice was later justified by the controller to the EDPS office under Article 15 (4) of the General Data Protection Regulation.

Nationally, the right of access to personal data and the form in which the information is provided is governed by the Personal Data Act, repealed on 1 January 2019, which requires the controller to provide the data subject with access to the information referred to in section 26 or to provide such information in writing. In his case law (10 May 2011 No 2680/41/2010 and 12 September 2013 No 2240/523/2013), the Data Protection Ombudsman has interpreted the right of a data subject to receive a customer call record pursuant to Article 28 of the Personal Data Act. The EDPS has considered that the right under Article 26 of the Personal Data Act can be exercised either by reserving the data subject to listen to the call record (2680/41/2010) or by submitting the record to the data subject at his / her request in written form (2240/523/2013). However, at the request of the data subject, the information should have been provided in writing (12 September 2013, No 2240/523/2013). Similarly, the General Data Protection Regulation sets out the format for the transmission of information. According to Article 12 (1) of the General Data Protection Regulation, Article 15 information must be communicated in writing or by other means and, where appropriate, in electronic form. Furthermore, as regards the right of access, Article 15 (3) of the General Data Protection Regulation requires the controller to provide the data subject with a copy of the personal data undergoing processing.

Therefore, the Assistant Supervisor considers that the controller has not exercised the applicant's right of access to the data.

APPLICATION OF ARTICLES 12 AND 15 OF THE GENERAL DATA PROTECTION REGULATION (RIGHT OF ACCESS) TO CALL RECORDS

From the clarification provided by the controller, it has become apparent that since the application of the General Data Protection Regulation, the controller has not changed its practices for the exercise of the right of access to information (right of access) to call records.

Decision

The Assistant Data Protection Officer shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to modify the processing operations in accordance with Articles 12 (1) and 15 (3) of the General Data Protection Regulation as regards the exercise of the right of access to call records.

The Assistant Data Protection Officer shall, subject to the limitations set out in the grounds of the decision, leave the appropriate measures to the discretion of the controller, but shall provide a report on the measures taken to the Data Protection Officer's Office by 30 March 2020.

Reasoning

It is undisputed that the call record contains personal data within the meaning of Article 4 (1) of the General Data Protection Regulation. In its ruling of 30 July 2010 (2094/1/09), the Supreme Administrative Court considered the audio recorded on the tape to be personal data and thus subject to the right of scrutiny provided for in Article 26 of the Personal Data Act. Similarly, in Case T-166/05, the Court of First Instance of the European Communities held on 11 March 2009 that a person could be identified by voice (paragraph 39). The general privacy setting has not changed the definition of personal data under the Personal Data Act. Data subjects will therefore continue to have the right of access to their personal data for the purposes of telephone recording.

The Registrar states that, in the case of call records, it will provide the data subject with the opportunity to listen to the recording at the registrar's office or, alternatively, give the data subject the opportunity to listen to the recording by telephone. The data controller stated in his statement that he could not provide the data subject with a call record as such, due to Article 15 (4) of the General Data Protection Regulation.

Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate steps to provide the data subject with all processing information under Article 15 in a concise, transparent, easily understandable and accessible form, in clear and simple language. The information shall be provided in writing or otherwise and, where appropriate, in electronic form. If requested by the data subject, the information may be given orally, provided that the data subject's identity has been verified. Article 12 (2) of the General Data Protection Regulation requires the controller to facilitate the exercise of the rights under Articles 15 to 22. Furthermore, as regards the right of access, Article 15 (3) of the General Data Protection Regulation requires the controller to provide the data subject with a copy of the personal data undergoing processing.

Article 15 (4) of the General Data Protection Regulation, which states that the right to obtain a copy shall not adversely affect the rights and freedoms of others, such as trade secrets or intellectual property, in particular software copyright, as stated in recital 63 of the Data Protection Regulation. Information in accordance with Article 15 (1). However, this paragraph shall be without prejudice to the exercise by the controller of the right of scrutiny of the data subject in a case such as this.

In his decision (12.9.2013, no. 2240/523/2013), the EDPS considered that, in practice, telephone conversations always include personal data of another person, and this cannot be considered as an obstacle to the exercise of the right of scrutiny. Thus, according to the decision, personal data concerning the representative of the controller may, without prejudice to the Personal Data Act, end up with the data subject exercising his right of inspection. The registrar has stated that he records sales and customer service calls to ensure the rights of the parties and for training purposes. The calls are therefore recorded for the purposes specified by the controller and the vendor's personal information is thus incorporated into the recording.

In addition to Article 15 (4) of the General Data Protection Regulation, the right of access to information may be restricted on the grounds set out in Article 34 of the Data Protection Act. Under that provision, for example, the right of access to information is not available where disclosure could seriously jeopardize the health or the care of the data subject or the rights of the data subject or of another (Article 34 (1) (2)). In situations such as this one, the data subject's right cannot be restricted under that law.

The Deputy Data Protection Supervisor considers that the way described by the controller in exercising the data subject's right under Article 15 of the General Data Protection Regulation to provide a call record does not meet the requirements of the General Data Protection Regulation, since the controller is required to provide a copy of personal data. In this context, the EDPS draws attention in particular to the need to interpret strictly the restrictions on the right of access in accordance with Article 8 (2) of the Charter of Fundamental Rights of the European Union (2012 / C 326/02).

In the light of the above, the Assistant Supervisor considers that the current practice of the controller in exercising the right under Article 15 in respect of call records does not meet the requirements of the General Data Protection Regulation.

As explained above, the Personal Data Act would have required the controller to provide the information requested by the data subject, for example in transcription. However, as the general data protection regulation currently in force allows the controller to provide information electronically, the controller may, at its discretion, also provide a copy of the information in another form, such as a telephone recording.

INFORMATION ON RECORDING OF CALLS

In light of the issues raised during the proceedings, the Assistant Data Protection Officer will have to assess whether the controller's approach to informing data subjects about the recording of telephone calls is in line with Articles 5 (1) (a), 12 (1) and 13 of the General Data Protection Regulation.

Decision

The current information practices of the controller under Article 5 (1) (a) of the General Data Protection Regulation are not sufficiently transparent and thus still do not fulfill the requirements of Articles 12 (1) and 13 of the General Data Protection Regulation.

Pursuant to Article 58 (2) (d) of the General Data Protection Regulation, the Assistant Data Protection Officer orders the data controller to modify its processing operations so that data subjects are informed of the recording of calls in accordance with Articles 5 (1) (a), 12 (1) and 13 of the General Data Protection Regulation.

The Assistant Data Protection Supervisor leaves the appropriate measures to the discretion of the controller, but the controller shall provide a report on the measures taken to the Data Protection Officer's Office by 30 March 2020.

In addition, the Assistant Data Protection Supervisor will make a note to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation due to a lack of information on the record of the controller.

Reasoning

Article 13 of the General Data Protection Regulation requires the controller to provide the data subject with the information referred to in Article 13 when personal data are obtained. Pursuant to Article 13 (1) (c), the data subject must be informed of the purposes of and the legal basis for the processing of the personal data.

Article 5 (1) (a) of the General Data Protection Regulation requires the controller to process personal data in a lawful, proper and transparent manner. Recital 39 of the General Data Protection Regulation states that it should be transparent to natural persons how their personal data are collected and used.

Article 12 (1) of the General Data Protection Regulation lays down the obligation for the controller to take appropriate measures to provide data subjects with the information referred to in Article 13, including in a transparent and easily understandable form.

The registrar states that he will record a separate voucher from the sales call if the consumer enters into an electronic contract. According to the controller, the applicant has not been informed of the start of the recording since the applicant had not concluded an electricity contract with the controller.

On the basis of the clarification received, the Assistant Data Protection Officer considers that the controller has not informed the applicant of the recording of the call. In his overall assessment of the case, the Assistant Data Protection Officer shall note that the controller has modified his call recording information on his website following a request for clarification from the Office of the Data Protection Officer.

The registrar has further clarified its current operating model and stated that it will not record a sales call if the sales situation does not lead to an agreement. In these calls, the recording already started will be paused and the recorded conversation will be automatically deleted. Therefore, the registrar will inform the data subject about the recording of the call only if the sales call results in an agreement. The Assistant Data Protection Officer notes that recording a call is a processing of personal data within the meaning of the General Data Protection Regulation (as well as the processing of personal data within the meaning of the annulled Personal Data Act). The controller must therefore inform the data subject about the collection of personal data.

As the data controller does not inform the data subject at the time the call is initiated, its procedure does not fulfill the conditions of Articles 5 (1) (a), 12 (1) and 13 of the General Data Protection Regulation. Therefore, the Assistant Supervisor considers that the current information practices of the controller under Article 5 (1) (a) of the General Data Protection Regulation are not sufficiently transparent and thus still do not fulfill the requirements of Articles 12 (1) and 13 of the General Data Protection Regulation. Given that the controller has already taken some steps to bring its activities in line with the General Data Protection Regulation, the Assistant Data Protection Supervisor considers the comment along with the provision on the processing of personal data to be a sufficient sanction in the matter.

APPLICABLE LAWS

EU General Data Protection Regulation (2016/679): Article 5 (1) (a), Article 12 (1), (2) and (6), Article 13, Article 15 (1) (h), (3) and (4), Article 58 (2) (c) and (d)

Article 34 (1) (2), Article 38 (3) of the Data Protection Act (1050/2018)

Personal Data Act (523/1999) Sections 6, 9, 10 (1) (3), 24 (1), 26 (1), 28

Charter of Fundamental Rights of the European Union (2012 / C 326/02) Article 8 (2)

The decision is not yet final.