Tietosuojavaltuutetun toimisto (Finland) - 7099/183/2018
| Tietosuojavaltuutetun toimisto - 7099/183/2018 | |
|---|---|
| Authority: | Tietosuojavaltuutetun toimisto (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 4(7) GDPR, Article 4(8) GDPR, Article 4(11) GDPR, Article 6(1)(a) GDPR, Article 7(2) GDPR, Article 12(5) GDPR, Article 15 GDPR, Article 28(3) GDPR |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | |
| Decided: | |
| Published: | 03.03.2022 |
| Fine: | n/a |
| Parties: | Oy Suomen Henkilötieto Ab |
| National Case Number/Name: | 7099/183/2018 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Finnish |
| Original Source: | Finlex (in FI) |
| Initial Contributor: | Vadym Kublik |
The Finnish DPA held that an intermediary service facilitating subject access requests to companies violated Article 6 GDPR because it lacked a legal basis for processing personal data.
English Summary
Facts
Oy Suomen Henkilötieto Ab is a Finnish company offering services to ease communication between data subjects and controllers regarding access requests under Article 15 GDPR. Individuals can register on the www.henkilötieto.fi website and file access requests with companies through the platform.
The website does not charge individuals for its use but requires a €5 fee to cover authentication costs. Companies acting as controllers, for their part, have to pay a €300 yearly charge if they wish to use the service.
Between 22 August 2018 and 14 November 2018, seven companies complained to the Finnish DPA about Oy Suomen Henkilötieto Ab's practices. They had not subscribed to the Henkilötieto.fi service. Nevertheless, the service provider contacted the companies, claiming that individuals had filed access requests (without revealing their identity), and offered access to the requests in exchange for registering as an annual customer of the Henkilötieto.fi service.
The Finnish DPA was asked to consider the following issues:
1) Whether Oy Suomen Henkilötieto Ab had acted as a processor (as opposed to a controller) of personal data;
2) Whether Oy Suomen Henkilötieto Ab (acting as the controller) had a legal basis for the processing of personal data in relation to data subjects' requests under Article 6 GDPR;
3) Whether the consent to electronic direct marketing collected by the controller in the registration form was valid under Article 4(11) GDPR;
4) Whether, contrary to Article 12(5) GDPR, the controller had charged data subjects a fee for exercising their rights.
Holding
First, the Finnish DPA held that in the absence of a contractual relationship between the service provider and the companies (controllers), the service provider cannot be considered a processor as per Article 4(7) GDPR, Article 4(8) GDPR, and Article 28(3) GDPR. Therefore, the service provider acted as a data controller in its relations with subscribed individuals.
Second, the Finnish DPA held that, by misleading individual subscribers about the presence of contractual relationships between the service provider and the particular companies of interest to them, the service provider failed to present clear information about the purposes for which it would use their data. Therefore the consent was not informed, and the processing lacked a legal basis under Article 6 GDPR.
Third, the registration form's default consent to direct marketing cannot be considered voluntary because it was not separate from other matters. Hence, it is invalid under Article 4(11) GDPR and Article 7(2) GDPR. No other legal ground is available for the processing of personal data for the purposes of direct marketing, as consent is required for such processing under the ePrivacy Directive and the corresponding Finnish implementing Act.
Fourth, charging an administrative fee for authentication, at least in the present case, cannot be considered as charging a fee for exercising data subject rights, and hence is not contrary to Article 12(5) GDPR.
Consequently, and pursuant to Article 58(2)(d) GDPR, the Finnish DPA ordered the controller to bring its processing operations into line with the GDPR. The controller shall have a legal basis for processing under Article 6 GDPR, and if the controller processes the data on behalf of companies as a processor, it must have an agreement on processing in accordance with Article 28 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
3/3/2022
Legality of data processing in the service providing the exercise of the right of inspection
Keywords: consent, electronic direct marketing, right of inspection
Legal basis: Decision in accordance with the EU General Data Protection Regulation
Diary number: 7099/183/2018
Matter
Legality of processing, consent to electronic direct marketing, etc.
Registrar
Oy Suomen Henkilötieto Ab
Between 22 August 2018 and 14 November 2018, seven complaints related to the activities of data controllers were initiated in the Office of the Data Protection Supervisor. The complaints have mainly concerned the contacts received by various companies about the service called Henkilötieto.fi. In these contacts, each company that made the complaint has been informed that a data subject, who has not been identified in these contacts, has made a request for access to the information via the Henkilötieto.fi service. The registrant has been said to have strongly identified himself in the Henkilötieto.fi service. The contacts also referred to the General Data Protection Regulation and stated that the company acting as controller had one month to respond to the request. The companies that have complained to the Data Protection Supervisor's office have not authorized Oy Suomen Henkilötieto Ab, i.e. the data controller, to act on their behalf. These companies have not had a contractual relationship with the service provider called Henkilötieto.fi. Companies that have made a complaint have been offered the opportunity to get acquainted with the request by registering as an annual customer of the Henkilötieto.fi service for an annual fee of approximately EUR 300. Without the payment of this annual fee, no further information about the data subject's request has been provided to the companies. One of the complaints states that the request for access to the information would have been made by a member of the Board of Oy Suomen Henkilötieto Ab.
The complainant companies have, inter alia, alleged that the data subjects have been misled. The initiation documents have requested that the Office of the Data Protection Officer take action. Based on the information provided by the registrar on its website about its service, the impression is formed that the controller acts on behalf of the companies listed in its service. On 11 October 2018, the registrar was in contact with the Office of the Data Protection Commissioner. The Henkilötieto.fi service was presented as providing a secure and easy way to forward verification requests for registered registry data to various registrars. In this contact, the Office of the Data Protection Commissioner was informed that not all registrars have responded to the data subjects' requests forwarded by the Henkilötieto.fi service. The registrants have been told to complain to the Henkilötieto.fi service. The controller has requested guidance from the Office of the Data Protection Officer in this regard. The complainant companies are not considered to be parties within the meaning of section 11 of the Administrative Procedure Act (434/2003).
Statement received from the controller
The registrar was asked to clarify the matter with a request for clarification dated 26 October 2018. The registrar responded to the request for clarification from the Office of the Data Protection Commissioner on 22 November 2018. According to the report, some of the company information found on the Henkilötieto.fi service comes from public sources. Companies subscribing to the service authorize the controller to act as an intermediary for the information requests and information they receive. However, the majority of the companies listed by the registrar on its website have not ordered the service provided by Henkilötieto.fi.
In a report submitted to the Office of the Data Protection Supervisor, the controller has stated that it processes the personal data of the data subjects on the basis of consent. When registering for the service, the data subject must give his or her consent for the companies to whom the Henkilötieto.fi service forwards the data subject's request to transfer the data subject's personal data to the Henkilötieto.fi service. The registration form also contains a default consent for electronic communications, in addition to which a time stamp is stored in the database for each individual consent and prohibition. The consent given by default in the registration form can be revoked by logging in to the service. According to the report, the data will not be disclosed to third parties without the express consent of the data subject. The report states that the data subject is not charged for the data transmitted via the Henkilötieto.fi service. However, the registrant will be charged a nominal fee of €5 to cover the cost of strong identification. The data subject requesting the information must be strongly identified in the service. The system uses SSL encryption. Attached to the report are a process diagram for security breaches, a record of security breaches, a document on the data protection practices of the service, a description of the processing operations and a document on the obligation to report under Article 5 of the General Data Protection Regulation.
Request for further clarification and consultation
Following the request for clarification described above, the registrar has been given the opportunity to be heard as referred to in section 34 of the Administrative Procedure Act (434/2003), to express its opinion on the matter and to provide explanations on such claims and explanations that may affect the resolution of the matter.
At the same time, the controller has had the opportunity to raise issues referred to in Article 83(2) of the General Data Protection Regulation which, in the controller's view, should be taken into account in reaching a decision. The registrar submitted its reply on 19 March 2021. According to the reply, the Henkilötieto.fi service has been made an easy and safe way to make requests based on the General Data Protection Regulation. The reply states that everyone knows that companies have made it difficult to make such requests. The Henkilötieto.fi service has been developed for this reason. The reply states that small businesses would have made it even impossible to submit requests. The reply also states that the existence of the Henkilötieto.fi service creates pressure on such companies. When the registrant can make a request quickly and reliably in the Henkilötieto.fi service, then requests are also made more easily. In addition, the reply states that, once the data has been deleted, companies will no longer be able to target the registrants with marketing. According to the reply, this is likely to make these companies hostile to the Henkilötieto.fi service. The reply also states that, in the normal course of events, the data subject will first have to seek information from the data protection officer of the data controller in question and send him or her an e-mail or letter. According to the reply, this is where the tangle of problems begins. As indicated in the reply, the data protection officer referred to above cannot identify the data subject. It is further common practice to require the registrant to do business in person at one of the registrar's offices. According to the reply, this cannot be considered in accordance with the current data protection law.
The reply referred to Article 15 of the General Data Protection Regulation and stated that it had not been clear to the controller how the requested data could be provided to the data subject without electronic identification. The registrar has stated that it is aware of several examples of the impossibility of the above. As indicated in the reply, the question could only come from a site visit or a registered letter. The controller has submitted for clarification whether the Office of the Data Protection Officer should provide a link between controllers and data subjects.
Use of the Henkilötieto.fi service
When registering for the service, the data subject must provide the information requested in the registration form. When a person makes their first request for information on the service, they are strongly identified. If, for example, a person does not want to be strongly identified, he or she can print the information request form free of charge and send it to the registrar of his or her choice. Authentication transaction information is retained for as long as the ID is valid. If a new anomalous login is made with the ID, a new strong login is required. The registrant will not be charged a high identification fee. However, there is a small charge for maintaining the data of the data subject and for storing the data of his or her inquiries to cover the costs of maintaining the service. If a company acting as a registrar refuses to provide information in connection with a request made in the Henkilötieto.fi service, the registrant who made the request will be notified. According to the reply, 99.9% of the company information available on the Henkilötieto.fi service is free information, i.e. information about companies that do not have a contractual relationship with Oy Suomen Henkilötieto Ab. Registrants are not given information on whether or not a company acting as a registrar is a contractual partner of Oy Suomen Henkilötieto Ab.
The non-contractor's request will not be forwarded without the payment of an annual fee of EUR 300. The information of the companies that can be found on the service comes from the business registers / company databases or the data protection statements of the companies in question. Oy Suomen Henkilötieto Ab has forwarded a total of six requests for inspection rights between 25 May 2018 and 19 March 2021.
Applicable law
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The Regulation is directly applicable law in the Member States. The General Data Protection Regulation contains national room for manoeuvre, which allows national law to supplement and clarify matters specifically defined in the Regulation.
Legal question
The EDPS will assess and resolve the matter on the basis of the General Data Protection Regulation (EU) 2016/679 mentioned above. The following legal issues are involved:
1. whether the controller had the grounds provided for in Article 6 of the General Data Protection Regulation for the processing of the personal data in question in connection with the data subjects' requests;
2. whether, contrary to Article 12(5) of the General Data Protection Regulation, the controller has charged the data subject for the exercise of the data subject's rights;
3. whether the matter concerns a situation in which Oy Suomen Henkilötieto Ab has also acted as a processor of personal data;
4. whether the consent obtained by the controller to electronic direct marketing has complied with Article 4(11) of the General Data Protection Regulation; and
5. whether an order must be made to the controller in accordance with Article 58(2)(d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation.
The EDPS must also assess whether the other remedies provided for in Article 58 of the General Data Protection Regulation should be exercised.
Decision of the EDPS
Decision
The processing of personal data of the persons who made the requests in question (i.e. the data subjects) does not fulfill the conditions for informed consent set out in Article 4(11) of the General Data Protection Regulation. Consequently, the controller did not have the grounds for processing personal data referred to in Article 6(1)(a) of the General Data Protection Regulation. With regard to electronic direct marketing, there has been no question of consent fulfilling the conditions laid down in Articles 4(11) and 7(2) of the General Data Protection Regulation.
Order
To the extent that the controller continues to process personal data as in this case, the EDPS will instruct the controller, in accordance with Article 58(2)(d) of the General Data Protection Regulation, to bring its processing into compliance with the provisions of the General Data Protection Regulation. The controller must have the processing grounds provided for in Article 6 of the General Data Protection Regulation for the processing of personal data. If the controller processes the data on behalf of companies as a processor of personal data, it must have an agreement on the processing in accordance with Article 28 of the General Data Protection Regulation. If the controller continues to process personal data without the legal basis required by Article 6 of the General Data Protection Regulation and if the controller continues to process personal data on behalf of other undertakings without an agreement under Article 28 of the General Data Protection Regulation, the EDPS General conditions for the payment of administrative penalties provided for in Article 83.
Note
The EDPS shall issue a notice to the controller in accordance with Article 58(2)(b) of the General Data Protection Regulation.
The controller has acted in a particularly reprehensible way in constructing its business around the exercise of the fundamental right to data protection. It has not been a question of individual complaints and related disagreements, but of the core of the controller's business.
Reasoning
On the lawfulness and consent of the processing
Article 6 of the General Data Protection Regulation provides for the lawfulness of the processing of personal data. Processing shall be lawful only if and to the extent that at least one of the conditions referred to in this Article is fulfilled. The report states that the controller processes the personal data of data subjects on the basis of consent. The processing of personal data is lawful under Article 6(1)(a) of the General Data Protection Regulation when the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes. According to Article 4(11) of the General Data Protection Regulation, the data subject's consent is any voluntary, specific, informed and unambiguous expression of will by which the data subject consents to the processing of his or her personal data by giving a statement of consent or by taking an explicit act of consent. According to recital 32 of the General Data Protection Regulation, consent should be given by means of an explicit act, such as a written, including electronic, or oral statement indicating the data subject's voluntary, specific, informed and unambiguous consent to the processing of his or her personal data. An action could be, for example, for the data subject to tick a box when visiting a website, to choose the technical settings for information society services or to make any other statement or act in a way that clearly indicates that he or she accepts the proposal to process his or her personal data. Consent should therefore not be given by silence, pre-ticked boxes or omissions.
The consent should cover all processing operations carried out for the same purpose or purposes. If the processing has several purposes, consent should be given for all processing purposes. It should be noted that the General Data Protection Regulation strengthens the requirement for informed consent. Data subjects must be provided with information so that they can make genuinely informed decisions and understand what they are agreeing to. In the absence of sufficient information, consent cannot be considered a valid ground for processing. According to recital 42 of the General Data Protection Regulation, in order to give informed consent, the data subject should know at least the identity of the controller and the purposes for which the personal data are to be processed. The Article 29 Working Party, which preceded the European Data Protection Board, has issued a guidance document on consent, an updated version of which has been published by the European Data Protection Board. As stated in these guidelines, consent can be considered to have been given if the data subjects have been provided in advance with all the information that is decisive for the decision on consent. This guide refers to Opinion 15/2011 of the Article 29 Data Protection Working Party, the predecessor of the European Data Protection Board, on the definition of consent, which states that the data subject's consent must be based on an understanding of the facts and consequences of the processing of personal data in question. The data subject must actually understand what he or she is giving consent to. According to the reply given in the case, 99.9% of the company information available on the Henkilötieto.fi service is free of charge. In other words, it is not a matter of company information that Oy Suomen Henkilötieto Ab holds, for example, on the basis of a contractual or customer relationship.
In this respect, it is particularly important that the data subject is not provided with information on whether or not a company acting as a registrar is a contractual partner of Oy Suomen Henkilötieto Ab. The data subject may thus reasonably have been of the opinion that Oy Suomen Henkilötieto Ab had duly agreed with the data controller subject to the request that the data subject could also exercise his or her rights under the General Data Protection Regulation in the Henkilötieto.fi service provided by a third party. However, this has not really been the case. It is also important that the companies acting as registrars have been offered the opportunity to get acquainted with the request only by registering as an annual customer of the Henkilötieto.fi service. Thus, the company acting as registrar has not been provided with information about the data subject who made the request if the company acting as registrar has not registered as a customer of the service for an annual price of approximately EUR 300. The relatively small number of contractors is likely to indicate that registrars have been reluctant to pay an annual service fee and register as a customer of the service. In the case of a requesting data subject, this means that the probability of obtaining an appropriate response to a request is quite low. In the light of the above, the EDPS considers that there was no question of consent fulfilling the conditions set out in Article 4(11) of the General Data Protection Regulation. On the basis of the report received by the EDPS Office, the data subject has not been provided with relevant information to assess the purposes for which his or her personal data will be used, and thus there has been no informed consent as required by the General Data Protection Regulation. Consequently, the controller did not have the justification provided for in Article 6(1)(a) of the General Data Protection Regulation for the processing of the personal data in question.
If the processing of personal data continues without the justification provided for in Article 6 of the General Data Protection Regulation, the present case will be taken into account when setting the administrative penalty fee.
Right of access to information and free of charge
The information provided pursuant to Articles 12 and 14 of the General Data Protection Regulation and all information and measures based on Articles 15 to 22 and 34 of the General Data Protection Regulation shall be free of charge. If the data subject's requests are manifestly unfounded or unreasonable, in particular if repeated, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information or messages or taking the requested action, or refuse to perform the requested action. In such cases, the controller shall demonstrate that the request is manifestly unfounded or unreasonable. Oy Suomen Henkilötieto Ab has charged a fee of five euros to cover the administrative costs of the persons who have applied for the rights of the data subject. As stated above, the costs of carrying out the requested action can only be recovered if the data subject's requests are manifestly unfounded or unreasonable. However, the requests made in the present case have not been addressed to Oy Suomen Henkilötieto Ab, but have been addressed to other companies acting as registrars. It is significant, however, that in the majority of cases there has been no contractual relationship between Oy Suomen Henkilötieto Ab and the company acting as registrar in connection with the service called Henkilötieto.fi. Oy Suomen Henkilötieto Ab did not have any other authority on the basis of which it could have acted on behalf of the other registrars referred to in this case.
Consequently, the persons who made the requests concerning the right of the data subject have rightly been able to understand that the fee would be charged expressly for the right of the registered person and not for the use of the services of Oy Suomen Henkilötieto Ab. It may not have been clear to the users of the platform provided by Oy Suomen Henkilötieto Ab that they could have submitted the request directly to the company that was the registrar at the time. However, although a fee of five euros has been charged to the data subjects, Oy Suomen Henkilötieto Ab cannot be considered to have charged the data subject a fee for the exercise of the registered rights, contrary to the provisions of Article 12(5) of the General Data Protection Regulation.
The concept of controller and processor of personal data
According to Article 4(7) of the General Data Protection Regulation, "controller" means any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. According to Article 4(8) of the General Data Protection Regulation, "processor" means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. According to Article 28(3) of the General Data Protection Regulation, the processing carried out by a processor must be determined by an agreement or other legal instrument in accordance with Union law or the law of a Member State binding the processor on the controller. groups, responsibilities and rights of the controller. The European Data Protection Board has issued guidance on the concepts of controller and processor. As stated in this guide, the processing of personal data on behalf of the data controller means, first of all, an activity in which an actor separate from the data controller processes personal data for the benefit of the data controller.
Further, as stated in this guide, the processing of personal data on behalf of the controller means serving the interests of another. The processing of personal data on behalf of the controller thus means the processing in which the processor processes personal data explicitly on behalf of the controller in order to serve the interests of the controller. It should be noted that on the website of the Henkilötieto.fi service, based on the information provided on 25 October 2018, it is easy to form the impression that the service has been used by 283,805 companies. However, when investigating the matter, it has become clear that 99.9% of the company information available on the Henkilötieto.fi service concerns companies that do not have a contractual relationship with Oy Suomen Henkilötieto Ab. The registrants are not given information on whether or not a company acting as a registrar is a contractual partner of Oy Suomen Henkilötieto Ab. It is therefore clear that, in relation to the company information that has been found on the Henkilötieto.fi website, the majority have not been subject to the relationship between the controller and the processor of personal data that is provided for in the General Data Protection Regulation. In view of the complaints, it is clear that the present case does not concern a situation in which the companies which complained about the operations of Oy Suomen Henkilötieto Ab even intended to outsource the response or other processing of requests concerning the data subject to Oy Suomen Henkilötieto Ab. The Data Protection Commissioner states that Oy Suomen Henkilötieto Ab has acted in a way that may have rightly given the impression that it is a processor of personal data. However, Oy Suomen Henkilötieto Ab must be considered a registrar on the grounds set out in more detail in this decision.
Therefore, it is not assessed whether the procedure created by Oy Suomen Henkilötieto Ab would meet the requirements of the General Data Protection Regulation for the processing of personal data if it also actually acted as a processor of personal data on behalf of companies.
Electronic direct marketing and the present case
According to section 200(1) of the Electronic Communications Services Act (917/2014), direct marketing by means of automated calling systems and facsimile machines, e-mails, text messages, voice messages or picture messages may only be targeted at natural persons who have given their prior consent. Article 2(2)(f) of the ePrivacy Directive 2002/57/EC (nationally enacted by the Electronic Communications Data Protection Act 516/2004, repealed on 1 January 2015, and currently by the Act on Electronic Communications Services) defines the consent of the user or subscriber. Consent in the ePrivacy Directive has the same meaning as the consent of the data subject in Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Personal Data Directive). The Personal Data Directive has been repealed by the General Data Protection Regulation. As provided for in Article 94 of the General Data Protection Regulation, references to the repealed Directive shall be construed as references to the General Data Protection Regulation. The European Court of Justice has also ruled in the Planet49 case that the conditions for consent in the ePrivacy Directive and the General Data Protection Regulation must be read together. Therefore, the rules on consent in the General Data Protection Regulation will apply as regards the conditions for consent.
As stated above, the data subject's consent means any voluntary, specific, informed and unambiguous expression of intent by which the data subject consents to the processing of his or her personal data by giving a statement of consent or by taking an explicit act of consent. Article 7 of the General Data Protection Regulation sets out the conditions for consent. If the data subject gives his or her consent in a written declaration which also covers other matters, the request for consent shall be clearly separated from other matters, in clear and simple language and in an easily understandable and accessible form, as provided for in Article 7(2) of the General Data Protection Regulation. No part of such a declaration that violates this Regulation shall be binding. According to Article 4(4), the assessment of the voluntary nature of consent must take into account, as far as possible, whether consent to the processing of personal data which is not necessary for the performance of the contract is a condition for the provision of the service or other contract. Thus, if the controller processes personal data under Article 6(1)(a) of the General Data Protection Regulation, the data subject must give his or her consent for each of the different uses. The consent given may cover different functions when these functions serve the same purpose. In the present case, there have been two different uses (the data subject's request for access to the data and consent to electronic direct marketing). In the present case, since the registration form contained a default consent for electronic direct marketing, there was no consent fulfilling the conditions laid down in Articles 4(11) and 7(2) of the General Data Protection Regulation.
Applicable law
Mentioned in the explanatory memorandum.
Appeal
According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is lodged with the Helsinki Administrative Court.
Service
The decision shall be served by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt. Further information on this decision will be provided by the rapporteur Laura Varjokari, tel. 029 566 6771. The decision is not final.