Tietosuojavaltuutetun toimisto (Finland) - 9707/152/19: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 72: Line 72:
The Finnish DPA requested a statement from the controller on 11 February 2020, which the controller failed to provide in time. The DPA then asked for a statement again on 23 March 2021 and, this time, received a response. In the statement, the data controller acknowledged that the data subject had submitted a request under [[Article 15 GDPR]]. However, the data controller recognised that it had not fulfilled the data subject's right to access and that it would implement it on 24 March 2021.
The Finnish DPA requested a statement from the controller on 11 February 2020, which the controller failed to provide in time. The DPA then asked for a statement again on 23 March 2021 and, this time, received a response. In the statement, the data controller acknowledged that the data subject had submitted a request under [[Article 15 GDPR]]. However, the data controller recognised that it had not fulfilled the data subject's right to access and that it would implement it on 24 March 2021.


However, according to the data subject, the data controller exercised their right under Article 15 GDPR in April 2021, but not within the deadline set by the GDPR, even though the third party assisting the data subject provided guidance to the controller about how to comply with the GDPR requirements and informed it of the urgency of enforcing the right. The data subject further showed that on 20 July 2018, the data controller informed the data subject that it had decided to grant access to the requested information. However, this did not happen.
However, according to the data subject, the data controller exercised their right under [[Article 15 GDPR]] in April 2021, but not within the deadline set by the GDPR, even though the third party assisting the data subject provided guidance to the controller about how to comply with the GDPR requirements and informed it of the urgency of enforcing the right. The data subject further showed that on 20 July 2018, the data controller informed the data subject that it had decided to grant access to the requested information. However, this did not happen.


The data subject claimed to have suffered damage as a result of the delays in obtaining the requested information; it affected the legal actions he had initiated and had financial impacts since the data subject needed to use a third party to request personal data from the data controller.
The data subject claimed to have suffered damage as a result of the delays in obtaining the requested information; it affected the legal actions he had initiated and had financial impacts since the data subject needed to use a third party to request personal data from the data controller.
Line 78: Line 78:
In response, the data controller acknowledged that exceptional circumstances had influenced its actions, contributing to a decrease in turnover and denied deriving any financial benefit from not fulfilling GDPR requirements.
In response, the data controller acknowledged that exceptional circumstances had influenced its actions, contributing to a decrease in turnover and denied deriving any financial benefit from not fulfilling GDPR requirements.


Thus, the DPA decided to assess whether the data controller implemented the data subject's right to access in accordance with Article 12(3) GDPR and Article 12(4) GDPR.
Thus, the DPA decided to assess whether the data controller implemented the data subject's right to access in accordance with [[Article 12 GDPR|Article 12(3) GDPR]] and [[Article 12 GDPR#4|Article 12(4) GDPR]].


=== Holding ===
=== Holding ===
The DPA first stated that a third party may make a request under Article 15 GDPR on behalf of the data subject.  
The DPA first stated that a third party may make a request under [[Article 15 GDPR]] on behalf of the data subject.  


It then proceeded by holding that the data controller did not comply with Article 12(3) GDPR and Article 12(4) GDPR.  
It then proceeded by holding that the data controller did not comply with [[Article 12 GDPR#3|Article 12(3) GDPR]] and [[Article 12 GDPR#4|Article 12(4) GDPR]].  


The DPA stated that Article 12(3) GDPR provides for time limits within which the controller must inform the data subject of the action taken to respond to an access request, and Article 12(4) GDPR states that if the controller does not intend to exercise the data subject's right, it must inform the data subject without undue delay and at the latest within one month of receipt of the request.   
The DPA stated that [[Article 12 GDPR#3|Article 12(3) GDPR]] provides for time limits within which the controller must inform the data subject of the action taken to respond to an access request, and [[Article 12 GDPR#4|Article 12(4) GDPR]] states that if the controller does not intend to exercise the data subject's right, it must inform the data subject without undue delay and at the latest within one month of receipt of the request.   


Considering that the data subject submitted a request under Article 15 GDPR several times in 2017, 2018 and 2019, that the controller did not refuse to implement the right of the petitioner, nor did it indicate that it needed additional time to implement the right and that it implemented the petitioner's right in April 2021, that the controller has not informed the petitioner for almost three years of why the right under Article 15 GDPR could not be implemented within the time-limit, the controller breached Article 12(3) GDPR by failing to implement the right of the data subject under Article 15  GDPR within the time limit and it breached Article 12(4) GDPR since it did not inform the data subject for almost three years of the reasons why the right under Article 15 of the GDPR could not be implemented within the time-limit.  
Considering that the data subject submitted a request under [[Article 15 GDPR]] several times in 2017, 2018 and 2019, that the controller did not refuse to implement the right of the petitioner, nor did it indicate that it needed additional time to implement the right and that it implemented the petitioner's right in April 2021, the controller breached [[Article 12 GDPR#3|Article 12(3) GDPR]] by failing to implement the right of the data subject under [[Article 15  GDPR]] within the time limit and it breached [[Article 12 GDPR#4|Article 12(4) GDPR]] since it did not inform the data subject for almost three years of the reasons why the right under [[Article 15 GDPR]] could not be implemented within the time-limit.  


The DPA, thus, fined the data controller €1,600 on the basis of Article 83 GDPR.  
The DPA, thus, fined the data controller €1,600 on the basis of [[Article 83 GDPR]].  


== Comment ==
== Comment ==

Revision as of 09:07, 16 October 2023

Tietosuojavaltuutetun toimisto - 9707/152/19
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 16.12.2019
Decided: 04.09.2023
Published: 04.09.2023
Fine: 1600 EUR
Parties: n/a
National Case Number/Name: 9707/152/19
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Eetu Salpaharju

The Finnish DPA (Tietosuojavaltuutetun toimisto) fined a psychotherapist €1,600 for denying data subject's access to treatment history and notes made by the psychotherapist.

English Summary

Facts

A data subject requested access to their patient documents multiple times between 2017 and 2019, both personally and through a third party who had a letter of attorney signed by the data subject. The data controller received these requests but did not respond to them.

The Finnish DPA requested a statement from the controller on 11 February 2020, which the controller failed to provide in time. The DPA then asked for a statement again on 23 March 2021 and, this time, received a response. In the statement, the data controller acknowledged that the data subject had submitted a request under Article 15 GDPR. However, the data controller recognised that it had not fulfilled the data subject's right to access and that it would implement it on 24 March 2021.

However, according to the data subject, the data controller exercised their right under Article 15 GDPR in April 2021, but not within the deadline set by the GDPR, even though the third party assisting the data subject provided guidance to the controller about how to comply with the GDPR requirements and informed it of the urgency of enforcing the right. The data subject further showed that on 20 July 2018, the data controller informed the data subject that it had decided to grant access to the requested information. However, this did not happen.

The data subject claimed to have suffered damage as a result of the delays in obtaining the requested information; it affected the legal actions he had initiated and had financial impacts since the data subject needed to use a third party to request personal data from the data controller.

In response, the data controller acknowledged that exceptional circumstances had influenced its actions, contributing to a decrease in turnover and denied deriving any financial benefit from not fulfilling GDPR requirements.

Thus, the DPA decided to assess whether the data controller implemented the data subject's right to access in accordance with Article 12(3) GDPR and Article 12(4) GDPR.

Holding

The DPA first stated that a third party may make a request under Article 15 GDPR on behalf of the data subject.

It then proceeded by holding that the data controller did not comply with Article 12(3) GDPR and Article 12(4) GDPR.

The DPA stated that Article 12(3) GDPR provides for time limits within which the controller must inform the data subject of the action taken to respond to an access request, and Article 12(4) GDPR states that if the controller does not intend to exercise the data subject's right, it must inform the data subject without undue delay and at the latest within one month of receipt of the request.

Considering that the data subject submitted a request under Article 15 GDPR several times in 2017, 2018 and 2019, that the controller did not refuse to implement the right of the petitioner, nor did it indicate that it needed additional time to implement the right and that it implemented the petitioner's right in April 2021, the controller breached Article 12(3) GDPR by failing to implement the right of the data subject under Article 15 GDPR within the time limit and it breached Article 12(4) GDPR since it did not inform the data subject for almost three years of the reasons why the right under Article 15 GDPR could not be implemented within the time-limit.

The DPA, thus, fined the data controller €1,600 on the basis of Article 83 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The registrant's right to access his data and incomplete implementation of the right

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 9707/152/19

Thing

The registrant's right to access information in accordance with Article 12, Sections 3 and 4 of the Data Protection Regulation.

Registrar

Psychotherapist

Decision of the Deputy Data Protection Commissioner

Statement received from the initiator

1. On December 16, 2019, a complaint was filed with the Data Protection Commissioner's office regarding the data subject's right to access information provided for in Article 15 of the Data Protection Regulation.

2. The initiator has submitted a request in accordance with Article 15 of the Data Protection Regulation to the data controller several times during the years 2017, 2018 and 2019. The initiator's request concerns patient document entries made by the registrar of psychotherapy visits from 2015–2017. The initiator has submitted the request personally and with the help of a third party with a power of attorney.

3. The initiator has said that the data controller has received the initiator's request to access the information. The initiator has said that the data controller did not implement the initiator's right to access the information.

Statement received from the registrar

4. The Office of the Data Protection Commissioner has requested an explanation from the data controller on February 11, 2020. The controller did not respond to the data protection commissioner's request for clarification within the given deadline.

5. The Office of the Data Protection Commissioner has asked the data controller for another explanation on 15 March 2021. The controller has submitted his report to the data protection commissioner's office on March 23, 2021. The data controller has admitted in its report that the initiator has presented it with a request in accordance with Article 15 of the Data Protection Regulation, but the data controller had not exercised the initiator's right to access the data in accordance with Article 15 of the Data Protection Regulation. In his statement to the data protection commissioner's office, the controller has informed that he will exercise the right to initiate proceedings on March 24, 2021. In his report, the controller has justified his delay as follows:

"The request made by the initiator has been left waiting for a solution. In connection with the initiator's request, a consultation has been obtained, in connection with which the legal issues related to responding to the request have been left to think about. After much deliberation, it has been decided that the request will be answered in accordance with the initiator's proposal."

The initiator's response and additional explanation

6. The initiator has given his response to the controller's report. The response has been given to the data protection commissioner's office on April 29, 2021. In the response, the initiator has stated that in April 2021, the data controller has implemented the initiator's right to access the data according to Article 15 of the Data Protection Regulation. In the response, the initiator has stated that the data controller did not implement the initiator's right within the deadline according to the data protection regulation. The initiator has said that the data controller did not indicate that he needed additional time to exercise the right according to Article 15 of the Data Protection Regulation.

7. In the response, the initiator has stated that he has suffered damage as a result of the delayed implementation of the right according to Article 15 of the Data Protection Regulation. The initiator has said that as a result of the delayed implementation of the right, the legal actions initiated by the initiator have become more difficult. According to the initiator, the financial damages are the result of the fact that a third party was used to make the request.

8. The initiator has submitted an additional explanation to the data protection commissioner's office on 12 May 2021. Correspondence between the data controller and the initiator is presented in the supplementary report. In the additional report, it is stated, among other things, that the third parties representing the initiator have given the data controller advice on the data controller's obligations according to the data protection regulation and information about the urgency of implementing the right.

9. In the initiator's additional explanation, it appears that on July 30, 2018, the controller has confirmed to the initiator that he will implement this right to access the information.

Hearing of the controller and further clarification

10. In accordance with Section 34 of the Administrative Act (2003/434), the controller has the opportunity reserved in the request for consultation and additional information issued on 13 April 2023 to be heard and to express his opinion on the matter and to give his explanation of such requirements and explanations that may affect the resolution of the matter. In the consultation request, the controller is given the opportunity to be heard about the presented facts, the presenter's preliminary assessment of the matter and the administrative penalty fee that may be imposed in the case. At the same time, the data controller is given the opportunity to bring up the points referred to in Article 83, Section 2 of the General Data Protection Regulation, which, according to the data controller's opinion, must be taken into account when making a decision.

11. The registrar has given his answer to the request for consultation and additional information on 16 May 2023. In the given answer, the data controller has admitted that the data controller has not implemented the initiator's right according to Article 15 of the Data Protection Regulation within the deadline according to the Data Protection Regulation.

12. In its response, the controller has stated that the initiator's request according to Article 15 of the data protection regulation was first presented in a formally incorrect way. The controller has said that the controller has also received the request that was formally presented in the correct way.

13. In its response, the controller has stated that the initiator's health has influenced the controller's decision not to implement the initiator's right according to Article 15 of the data protection regulation within the deadline.

14. The data controller has stated in his answer that there have been exceptional circumstances in the case that have affected the data controller's procedure. The registrar has said that exceptional circumstances have contributed to the fact that the registrar's turnover has decreased. In his answer, the data controller has denied that he received any financial benefit in the case.

15. The registrar has given his opinion on the sanction to be imposed. According to the registry keeper's view, a sufficiently effective, proportionate and warning sanction to be imposed in the case is a warning. Regarding the imposition of a possible administrative penalty fee, the controller has considered 800 (eight hundred) euros to be the right starting level, when the minor seriousness of the violation according to the controller's view has been taken into account.

16. The Office of the Data Protection Commissioner has requested additional clarification from the data controller as to whether it has received requests in accordance with Article 15 of the Data Protection Regulation by data subjects other than the initiator. In its response, the controller has stated that it has not received any other requests in accordance with Article 15 of the Data Protection Regulation in addition to the initiator.

17. In the controller's response to the request for additional information, it has been stated that the controller's total turnover in 2022 has been EUR 235,000. According to the registrar, 45 percent of the turnover consists of renting business premises and 55 percent of healthcare services.

On applicable legislation

18. The General Data Protection Regulation (EU) 2016/679 has been applied since May 25, 2018. As a regulation, the legislation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The general data protection regulation is specified in the national data protection act (1050/2018), which entered into force on January 1, 2019. The previously valid Personal Data Act (523/1999) was repealed by the Data Protection Act.

19. Article 15 of the General Data Protection Regulation provides for the data subject's right to access data. According to the provision, the registered person has the right to receive confirmation from the controller that personal data concerning him or her is being processed or that it is not being processed, and if this personal data is being processed, the right to have access to the data and other information stated in subsections a-h of Article 1. According to paragraph 3 of the same article, the controller must provide a copy of the personal data being processed.

20. The procedures to be followed in exercising and exercising the data subject's rights are stipulated in Article 12 of the General Data Protection Regulation. According to Article 12, Section 3 of the Data Protection Regulation, the data controller must provide the data subject with information on the measures taken in response to a request made pursuant to Article 15 without undue delay and in any case within one month of receiving the request. If necessary, the deadline can be extended by a maximum of two months, taking into account the complexity and number of requests. The controller must inform the data subject of such a possible extension within one month of receiving the request and the reasons for the delay. According to Article 12, paragraph 4 of the Data Protection Regulation, if the data controller does not implement measures based on the data subject's request, the data controller must inform the data subject immediately and no later than one month after receiving the request of the reasons for this and inform about the possibility of filing a complaint with the supervisory authority and using other legal remedies.

Legal issues

21. The Deputy Data Protection Commissioner assesses whether the data controller has implemented the data subject's right to access the data in the case of the initiator in accordance with the provisions of Article 12, Sections 3 and 4 of the General Data Protection Regulation.

22. In addition, the deputy data protection commissioner assesses whether it has to use the remedial powers provided for in Article 58, paragraph 2 of the General Data Protection Regulation.

Decision of the Deputy Data Protection Commissioner

Note

23. The controller has not implemented the initiator's right to access the data in accordance with the provisions of Article 12, Sections 3 and 4 of the General Data Protection Regulation.

24. The Deputy Data Protection Commissioner gives the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation.

Administrative penalty fee

25. According to Section 24 of the Data Protection Act, the administrative penalty fee stipulated in Article 83 of the General Data Protection Regulation is determined by the sanctioning board formed by the data protection commissioner and deputy data protection commissioners.

26. The Deputy Data Protection Commissioner submits the matter to the Sanctions College for decision regarding the penalty payment consideration. The Sanctions Board must assess whether an administrative penalty payment in accordance with Article 58, Section 2, subparagraph i of the General Data Protection Regulation must be imposed on the data controller in addition to the notice issued by the Deputy Data Protection Commissioner.

Reasons for the decision

About third party use

27. In the response to the hearing, the controller has pointed out that the initiator's request according to Article 15 of the Data Protection Regulation was first presented in a formally wrong way. The registrar has not explained in more detail why it has considered that the request was formally presented in the wrong way in the first place. The controller has stated in the response to the hearing that the request was later presented to the controller in the correct formal manner as well.

28. The Deputy Data Protection Commissioner has no reason to doubt the request made by the initiator in accordance with Article 15 of the Data Protection Regulation. A third party can make a request in accordance with Article 15 of the Data Protection Regulation on behalf of the data subject. The provision of information to a third party requires, in accordance with the proof obligation of the Data Protection Regulation, that the data controller has confirmed the permission given by the initiator to provide the information to the third party.

The right to access information without undue delay

29. Paragraph 3 of Article 12 of the General Data Protection Regulation provides for deadlines within which the data controller must inform the data subject of the measures taken in response to the data subject's request to exercise their rights. Furthermore, paragraph 4 of that article provides for the duty of the data controller to inform the data subjects of the reasons if it does not implement measures based on the data subject's request and of the legal remedies available. In accordance with Article 12, Section 4 of the Data Protection Regulation, the data controller must inform the data subject if the data controller does not intend to exercise the data subject's right. The notification must be made without delay and no later than one month after receiving the request.

30. Paragraph 59 of the preamble of the General Data Protection Regulation states that the data controller should be obliged to respond to the data subject's requests without undue delay and within one month at the latest, and to justify his refusal in the event that the data controller does not intend to comply with such a request.

31. The initiator has submitted a request in accordance with Article 15 of the General Data Protection Regulation several times during the years 2017, 2018 and 2019. The initiator has submitted the request even before the application of the General Data Protection Regulation. From the explanation given, it appears that the data controller did not refuse to exercise the right of the initiator, and did not indicate that he needed additional time to exercise the right. The initiator has said that the data controller has implemented the initiator's right in April 2021.

32. The controller has admitted in its response to the consultation that it has not responded to the initiator's request within the deadline set by the General Data Protection Regulation. In its response to the hearing, the controller has stated that the initiator's health condition has influenced the controller's decision not to implement the initiator's right according to Article 15 of the Data Protection Regulation within the deadline.

33. The deputy data protection commissioner considers that the procedure of the data controller with regard to the information to be reported to the initiator has not met the requirements laid down in the data protection regulation. The controller has acted contrary to Article 12, paragraph 3 of the General Data Protection Regulation, when it has not implemented the right of the initiator within the deadline according to the mentioned article. Taking into account that for almost three years, the controller has not informed the initiator of the reasons why the right according to Article 15 of the Data Protection Regulation could not be implemented within the deadline, it has acted contrary to Article 12, paragraph 4 of the General Data Protection Regulation.

34. It must be stated that informing the initiator of the reasons provided for in Article 12, Section 4 of the Data Protection Regulation without delay is particularly important, so that the data subject can, if necessary, correct the request he submitted and/or submit the matter to the supervisory authority for evaluation, if necessary.

35. In his assessment, the Deputy Data Protection Commissioner has drawn attention to the fact that the Data Protection Commissioner's office has given guidance to the data controller on the implementation of the data subject's right of access on 11 February 2020.

36. Considering that, based on the report presented in the case, the procedure of the data controller has already started before the application of the General Data Protection Regulation, the violation must be considered to have continued for quite a long time.

37. Based on the above, the Deputy Data Protection Commissioner considers that the data controller has not complied with the provisions of Article 12, Sections 3 and 4 of the General Data Protection Regulation. The Deputy Data Protection Commissioner gives the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation. In addition, the deputy data protection commissioner submits the matter to the sanctions panel for decision regarding the penalty payment consideration.

Applicable legal provisions

Those mentioned in the justifications.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019).

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decision was given by deputy data protection commissioner Heljä-Tuulia Pihamaa.

Decision of the Sanctions Board on the administrative penalty payment

According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the penalty panel formed by the data protection commissioner and deputy data protection commissioners, which has issued the following decision on the imposition of the administrative penalty fee.

1. According to the decision of the Deputy Data Protection Commissioner, the data controller has not complied with the provisions of Article 12, Sections 3 and 4 of the General Data Protection Regulation. In his decision, the Deputy Data Protection Commissioner has given the data controller a notice in accordance with Article 58, Paragraph 2, subparagraph b of the Data Protection Regulation regarding the violation of Articles 12, Sections 3 and 4 of the Data Protection Regulation.

2. Taking into account the seriousness of the violation, the matter is not a minor violation referred to in the preamble 148 of the General Data Protection Regulation. In terms of effectiveness, proportionality and warning, it must be stated that in the current case, the notice issued by the Deputy Data Protection Commissioner pursuant to Article 58(2)(b) of the General Data Protection Regulation is not a sufficient sanction in the case, when taking into account the provisions of Article 83(2) of the General Data Protection Regulation.

3. In addition, an administrative fine must be imposed in the case. The imposition of a penalty fee is particularly supported by the fact that the process of the data controller, which lasted for almost three years, has created a considerable risk for the realization of the initiator's right according to Article 15 of the data protection regulation.

4. The matter under consideration belongs to the higher penalty payment category according to Article 83, Paragraph 5, Subsection b of the General Data Protection Regulation. In the case of a violation, the amount of the imposed fine can be a maximum of either 20,000,000 euros, or four percent of the annual global total turnover of the previous financial year, whichever of these amounts is greater.

5. In the response given at the hearing, the controller has stated that the controller's total turnover in 2022 has been 235,000 euros. In addition to the notice given by the above-mentioned Deputy Data Protection Commissioner, the Sanctions Board formed by the Data Protection Commissioner and the Deputy Data Protection Commissioners (later the "Sanctions Board") imposes an administrative penalty fee of EUR 1,600 (one thousand six hundred) to be paid by the data controller to the state pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation. Taking into account the seriousness of the violation and the other circumstances of the case, as shown in more detail below in the reasoning of the sanctioning board, the sanctioning board considers the administrative penalty payment of 1,600 (one thousand six hundred) euros to be effective, proportionate and a warning.

Reasons for imposing an administrative penalty

6. Article 83 of the General Data Protection Regulation lays down the general conditions for imposing an administrative fine. First of all, imposing an administrative penalty fee must be effective, proportionate and warning in each individual case. Secondly, an administrative penalty fee is imposed according to the circumstances of each individual case, in addition to or instead of the remedial powers provided for in Article 58. In the case at hand, the deputy data protection commissioner has issued a notice to the controller. The administrative penalty fee is therefore imposed in addition to the notice in accordance with Article 58(2)(b).

7. When deciding on the imposition of an administrative penalty fee and the amount of the administrative penalty fee, the factors listed in Article 83, Paragraph 2 of the General Data Protection Regulation must be taken into account in each individual case.

8. As deemed in the decision of the Deputy Data Protection Commissioner, the data controller has not complied with the provisions of Article 12, Sections 3 and 4 of the General Data Protection Regulation.

9. According to Article 83, paragraph 3 of the General Data Protection Regulation, if the data controller intentionally or negligently violates several provisions of the Data Protection Regulation in the same or related processing activities, the total amount of the administrative fine may not exceed the fine imposed for the most serious violation.

10. The seriousness of the violation must be assessed based on the factors listed in Article 83, paragraph 2 of the General Data Protection Regulation. In the evaluation, the procedure or omission that can be considered the most reprehensible, taking into account the details of the matter being evaluated at any given time, must be chosen.

11. The matter to be discussed concerns the right to access information provided for in Article 15 of the Data Protection Regulation. Taking into account the details of the case, the matter concerns the data subject's right to access information in accordance with Article 12, Sections 3 and 4 of the Data Protection Regulation. As stated above in section 4, the matter belongs to the higher penalty payment category according to Article 83, Section 5, Subsection b of the General Data Protection Regulation.

12. When evaluating the matter, the guidelines on the application and imposition of administrative fines given by the data protection working group have been taken into account.

Assessment of the severity of the breach

13. Taking into account as a whole the criteria stated in more detail below, especially what was said about the causing of the damage and intentionality, the sanctioning panel considers that the conditions for imposing a penalty payment are met.

14. In the assessment of the seriousness of the violation of the Data Protection Regulation, Article 83, paragraph 2, subparagraphs a, b and g of the Data Protection Regulation have been taken into account.

The nature, severity and duration of the breach

15. The obligations of the Data Protection Regulation are classified in paragraphs 4–6 of Article 83 according to their nature. The fact that the data protection regulation establishes two maximum amounts of the administrative fine shows that the violation of some regulations can be more serious than others.

16. In the case at hand, the violation, as evident from the decision of the Deputy Data Protection Commissioner, is directed at non-implementation and neglect of Article 12, Sections 3 and 4 of the General Data Protection Regulation. The initiator's right to access the information according to Article 15 of the Data Protection Regulation has been significantly delayed, and has not been realized in accordance with Article 12, Sections 3 and 4 of the General Data Protection Regulation.

17. The Sanctions Board states that the case concerns the delayed implementation of a right protected in the European Charter of Fundamental Rights (the right to access information).

18. The purpose of the right stipulated in Article 15 of the General Data Protection Regulation is to also enable the exercise of other rights stipulated in the Data Protection Regulation. The right to access the data enables, among other things, that the data subject can monitor the legality of the processing of his own personal data and, if necessary, bring the matter to the attention of the data protection authorized office or other supervisory authority.

19. The fact that the data controller has implemented the initiator's right according to Article 15 of the Data Protection Regulation after a new contact from the data protection authorized office does not reduce the seriousness of the violation.

20. As stated in the decision of the Deputy Data Protection Commissioner, the implementation of the initiator's right has taken almost three years, i.e. significantly longer than the deadline stipulated in the General Data Protection Regulation. During this time, the data controller had not informed the initiator of any reasons why the initiator's right could not be implemented. Such duration of the infringement must be taken into account as an aggravating factor.

21. Let it be stated that the nature and duration of the violation must be considered in the case as a factor in favor of the imposition of an administrative penalty.

The nature, scope or purpose of data processing and the groups of personal data affected by the breach

22. The registrant is a joint-stock company (joint-stock company) formed by one natural person, which produces healthcare services in accordance with the Act on Private Healthcare (152/1990). The operation of the registrar started in 2009.

23. The controller has operated as a provider of psychotherapy services in private healthcare and has processed personal data for the purposes of securing patient care in accordance with Section 12, subsection 1 of the Act on the Status and Rights of the Patient (Patients Act 1992/785).

24. Personal information generated in psychotherapy is personal and belongs to the core area of registered privacy protection. The data is health-related data and belongs to the special personal data groups of Article 9 of the Data Protection Regulation. Stricter requirements have been set for the processing of data generated in psychotherapy in national legislation, such as the Act on the Status and Rights of the Patient (Patient Act, 1992/785), the Act on the Electronic Processing of Social and Health Care Customer Data (784/2021) and the Patient Document Regulation (94/2022).

25. In psychotherapy, the processing of personal data is part of the implementation of the service. The sanctions panel considers that the violation of the data protection regulation can be considered more serious in the case under question than if the request had only been directed to, for example, appointment information or the contact information of business customers.

26. The implementation of the right in accordance with Article 15 of the Data Protection Regulation without undue delay is important for the realization of the legal protection of data subjects. Information entered in patient documents may be necessary, for example, in processing reminders, complaints, insurances and benefits. The information entered in the patient documents is necessary when the care of the registered person is transferred to the responsibility of another healthcare unit or healthcare professional. Checking the information entered in the patient documents (the right to access the information) is also a prerequisite for evaluating the actions of the healthcare professional and the appropriateness of the treatment he or she provides.

27. Those who use the psychotherapy service may be data subjects in a weaker position, who may not be able to monitor the implementation of their data protection rights. A possible imbalance of power may lead to the fact that the data subject cannot influence the data processing practices of the data controller. In such a situation, the registrar's responsibility and diligence in implementing the rights of the data subjects according to the data protection regulation is emphasized.

28. The sanctions panel considers, based on the aforementioned grounds, that the nature and purpose of data processing and the groups of personal data affected by the violation increase the reprehensibility of the violation.

The number of registrants affected by the breach

29. As a factor that reduces the severity of the violation, it must be taken into account that, according to the report received, the case is an individual one for the data controller in question. It concerns one registered person.

The extent of the damage

30. Damages caused to registrants can be material and/or immaterial damages. Paragraph 75 of the preamble of the Data Protection Regulation defines damage as, for example, other significant economic or social damage when data subjects may be denied their rights and freedoms or prevented from monitoring their own personal data.

31. Intangible damage can be considered, for example, the inconvenience or trouble that has resulted from the investigation of the matter. Intangible damage can also be considered the psychological burden caused by lack of awareness in the exercise of the right according to Article 15 of the Data Protection Regulation.

32. The initiator has stated in the manner evident from the decision of the Deputy Data Protection Commissioner that he has suffered damage as a result of the delayed implementation of the right according to Article 15 of the Data Protection Regulation. The initiator has said that as a result of the delayed implementation of the right, the legal actions initiated by the initiator have become more difficult. According to the initiator, the financial damages are the result of the fact that a third party was used to make the request.

33. The sanctions panel draws attention to the fact that, according to the initiator's report, the data controller has been aware of the legal actions initiated by the initiator and the urgency of implementing the right. The initiator has had a heightened need for legal protection, and despite this, the data controller had not implemented the initiator's right as required by the data protection regulation.

34. The sanctions panel considers that such an unreasonable delay in the implementation of the right according to Article 15 of the Data Protection Regulation is likely to cause the above-mentioned damages. In terms of the causal connection between the breach of the Data Protection Regulation and the damages caused to the initiator, in the circumstances of the case at hand, the possibility that the initiator's damages are the result of the controller's neglect to implement the initiator's right to access the data in accordance with Article 12, Sections 3 and 4 of the Data Protection Regulation can be considered sufficient.

35. The sanctions panel considers that the magnitude of the damage caused to the initiator must be taken into account as a factor that increases the severity.

Intentional or negligent breach

36. In the previously mentioned guidelines issued by the data protection working group, it has been stated that intentionality generally requires a conscious and intentional violation, while inadvertent means that the violation was not intentional, even if the data controller violated the duty of care required by law. Intentional violations that manifest disregard for the law are generally considered more serious than unintentional violations.

37. Let it be stated for the sake of clarity that it has been established that ignorance of the content of the law does not in general mean the kind of mistake that would eliminate possible intentionality or negligence. It is the registrar's responsibility to ensure that its operations comply with the provisions of the law.

38. The Sanctions Board states that the procedure of the data controller is not due to human error. The Sanctions Board especially draws attention to the fact that the data protection commissioner's office has given written guidance to the data controller. Even after this guidance, the controller had not implemented the initiator's right as required by the data protection regulation. The data controller has failed to respond to the written guidance given by the data protection authorized office.

39. In this case, it should be noted that the third parties representing the initiator have informed the controller about the obligations of the data protection regulation.

40. Based on the above-mentioned grounds, the sanctioning board considers that the data controller was aware of his negligence and the violation of the obligations of the data protection regulation. The Sanctions Board considers that the data controller has become aware of these obligations at the latest after the written guidance given by the data protection authorized office. The quite long duration of the procedure of the data controller also shows a more general carelessness in complying with the provisions of the data protection regulation.

41. Based on the above-mentioned grounds, the sanctioning board considers that the intentionality of the violation must be taken into account as a factor that increases the severity.

Assessment of aggravating and mitigating factors

Actions taken by the data controller to mitigate the damage caused to the data subject

42. In the data protection working group's instructions on the application and imposition of administrative fines, it has been stated that the party responsible for the damage should do everything possible to mitigate the consequences of the violation for the person concerned. The supervisory authority may take into account such responsible action or the absence of such responsible action.

43. The sanctions panel considers that the data controller has not taken any measures to mitigate, repair or prevent future damage to the data subject. The sanctions panel takes this into account in its assessment as an aggravating factor.

Degree of responsibility, taking into account the technical and organizational measures taken by the data controller pursuant to Articles 25 and 32

44. In the matter under question, the controller's responsibility according to Articles 25 and 32 of the Data Protection Regulation is mainly related to the practices and procedures required in the Data Protection Regulation regarding the exercise of registered rights.

45. The sanctions panel considers that when it comes to such an unreasonable delay in the fulfillment of the main right of the data subject, it cannot be completely excluded that this case manifests a general lack of practices stipulated in the data protection regulation. The sanctions panel takes this into account in its assessment as an aggravating circumstance.

Previous similar violations and measures previously imposed on the same issue

46. The Data Protection Commissioner's office is not aware of any previous violations of data protection regulations concerning the data controller. The data controller has not previously been assigned the powers referred to in Article 58(2) of the General Data Protection Regulation. The penalty panel does not consider the aforementioned as a mitigating or aggravating factor in the penalty payment estimate.

The degree of cooperation with the supervisory authority, and the manner in which the breach came to the supervisory authority's attention

47. In the aforementioned guidelines of the data protection working group on the application and imposition of administrative fines, it has been stated that the degree of cooperation can be properly taken into account when deciding on the imposition of an administrative fine and its amount. When evaluating the cooperation with the supervisory authority, importance could be given to whether the data controller has reacted to the requests of the supervisory authority during the investigation of the case in such a way that it has significantly limited the risk to the rights of individuals. However, according to the instructions, it would not be appropriate to emphasize the cooperation already required in the legislation.

48. It must be stated that, as stipulated in Article 31 of the General Data Protection Regulation, the data controller must, upon request, cooperate with the supervisory authority in order to perform its tasks. Pursuant to Article 58(1) of the General Data Protection Regulation and Section 18 of the Data Protection Act, the controller is also obliged to submit the requested information to the supervisory authority.

49. The case concerning the registrar has been initiated as a complaint. As stated above in points 4 and 5 of the Deputy Data Protection Commissioner's decision, the data controller did not respond to the clarification request of the Data Protection Commissioner's office within the given deadline. The disciplinary board considers that the data controller has delayed the investigation of the matter by his own actions. The Sanctions Board considers the aforementioned to be an aggravating factor.

Any other aggravating or mitigating factors applicable to the case

50. In the above-mentioned guidelines of the data protection working group on the application and imposition of administrative penalty fees, it has been stated that possible other aggravating or mitigating factors applicable to the case can be, for example, the benefit or financial advantage obtained by the violation.

51. According to its answer to the hearing, the controller has not received a direct or indirect financial benefit from the violations of the General Data Protection Regulation that are now being evaluated.

52. In the response given to the hearing of the data controller, the data controller has stated that there have been exceptional circumstances in the case that have affected the data controller's procedure. The Sanctions Board considers that, even in exceptional circumstances, the data controller must organize its operations in such a way that it is able to implement the measures required by the data protection regulation to implement the registered rights. The penalty panel states that in the case at hand, the request according to Article 15 of the Data Protection Regulation has concerned one data subject. At no point had unfounded, particularly broad, open to interpretation or otherwise unreasonable requests been made to the controller.

53. Based on the above-mentioned grounds, the Sanctions Board considers that no other aggravating or mitigating factors applicable to the case can be demonstrated.

The decision regarding the imposition of an administrative penalty fee has been made by the members of the penalty panel of the Data Protection Commissioner's office.

Data Protection Commissioner Anu Talus

Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa

Deputy Data Protection Commissioner Annina Hautala

Applicable legal provisions

Those mentioned in the justifications.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019).

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.