Tietosuojavaltuutetun toimisto (Finland) - 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019

From GDPRhub
Revision as of 14:02, 4 December 2020 by SR (talk | contribs)
Tietosuojavaltuutetun toimisto - 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 4(11) GDPR
Article 58(2)(c) GDPR
Article 58(2)(d) GDPR
Information Society Code (917/2014)
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.07.2020
Published: 23.07.2020
Fine: 7000 EUR
Parties: n/a
National Case Number/Name: 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

The Finnish DPA imposed a 7,000 euro fine to a company that sent out direct marketing communications without obtaining prior consent from the data subjects and for also neglecting data subjects’ rights.

English Summary

Facts

The Finnish DPA received 11 complaints regarding Independent Consulting Oy’s direct marketing communication practices. The direct marketing communications were sent to the data subjects via SMS. The SMS contained instructions on how to opt-out from the direct marketing communications. However, the opt-out feature did not work and users kept receiving marketing messages. The controller claimed that the direct marketing communications were targeted at companies, and under section 202 of the Information Society Code, no prior consent was needed in such a case. Furthermore, some of the data subjects had submitted requests to the controller regarding exercising their rights under GDPR. The controller failed to answer the data subjects in a timely manner.

Dispute

According to the applicable national law, Section 200 of the Information Society Code (917/2014), user's consent must be obtained prior to the sending of any marketing communication. The DPA has to assess whether the phone numbers used for the direct marketing belonged to the individual or to the employer and whether the content of the communication referred to the individual working activities or not.

Holding

The DPA found that the phone numbers used were specific to the employee and not to the company. Moreover, the marketing message did not relate to the data subject’s work activities. Finnish DPA imposed a 7.000 euro fine to the company for sending out direct marketing communications without prior consent and also for neglecting data subjects’ rights. When imposing the fine, the DPA considered it as a mitigating factor that the data subjects had not suffered any financial harm. Furthermore, as per Article 58(2)(c) and (d) GDPR, the DPA ordered the controller to comply with the data subjects’ requests and to bring its practices in line with the Regulation. The decision is not yet final.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.