Tietosuojavaltuutetun toimisto (Finland) - TSV/12/2019

From GDPRhub
Revision as of 16:22, 12 October 2024 by Fred (talk | contribs)
Tietosuojavaltuutetun toimisto - TSV/12/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(6) GDPR
Article 15(3) GDPR
Article 58(2)(b) GDPR
Article 58(2)(c) GDPR
§ 134 Act on Electronic Communications Services
§ 303 Act on Electronic Communications Services
Type: Complaint
Outcome: Partly Upheld
Started: 19.12.2019
Decided: 17.09.2024
Published: 02.10.2024
Fine: n/a
Parties: n/a
National Case Number/Name: TSV/12/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA ordered a telecommunications operator to provide personal data to the data subject in electronic form, instead of by post, because the data subject had made the access request electronically.

English Summary

Facts

The Finnish DPA was notified that a telecommunications operator (the controller) had refused to provide a copy of the personal data generated by the use of the data subject's mobile phone subscription by email and had partially refused to provide traffic data. The DPA then asked the controller to explain how it facilitated the exercise of data subject rights.

In response to the request, the controller clarified that it had provided the data subject with the bill breakdown and the location and base station information, as the data subject had not specified that the access request concerned other traffic data. The controller emphasised that it could not provide all traffic data because, for example, the invoice breakdown shall not include the traffic data of free calls according to Section 134 of the Finnish Act on Electronic Communications Services.

The controller also stated that the data subject could view their personal data on the controller’s online service, which is accessed through electronic authentication. The contact details provided by the data subject did not allow the controller to verify the data subject's email address, and the controller did not consider the email address to be secure. Therefore, the controller had provided the personal data in the form of a letter, which ensured that the data would be delivered to the correct recipient without violating the confidentiality of the communication.

The data subject claimed that not all the personal data processed by the controller were available on the controller's online service. Furthermore, the controller had not asked the data subject to provide additional information in order to provide the data by email, and had not informed the data subject that it was unable to verify their email address.

Holding

On the basis of the information provided by the controller, the DPA considered that the Finnish Transport and Communications Agency had supervisory competence over traffic data pursuant to Section 303 of the Finnish Act on Electronic Communications Services. Therefore, the DPA was not competent to decide which data should be considered as traffic data, which traffic data a party to communication is entitled to process under the Finnish Act on Electronic Communications Services or whether the controller should be ordered to comply with the data subject's access request regarding the traffic data.

However, the DPA stated that traffic data is often also personal data, but this does not necessarily mean that all traffic data generated by the use of the data subject's telephone subscription can be attributed to the data subject.

Regarding the provision of personal data, the DPA noted that under Article 12(6) GDPR, where the controller has reasonable doubts concerning the identity of the natural person making the access request, the controller may request the provision of additional information necessary to confirm the identity of the data subject. The DPA found that the GDPR does not specify what is meant by a commonly used electronic form, and therefore the format is left to the discretion of the controller.

On the basis of the information gathered, the DPA held that the controller violated Article 15(3) GDPR by failing to provide the personal data electronically, despite the data subject’s request.

As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(c) GDPR, the DPA also ordered the controller to provide the data subject with the personal data already provided by post in a commonly used electronic form. The order concerned personal data that were still being processed by the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Thing
The right to access information

Registrar
[telecom operator]

The initiator's requirements with reasons
On 23 December 2019, the initiator has initiated a case at the data protection commissioner's office, which concerns the data subject's right to access information. The initiator has requested access to all information generated by using his mobile phone subscription. The initiator has listed the start and end times of calls, recipients of calls, location information, forwarding information and other technical information as such information. According to the initiator's understanding, the above-mentioned information is personal information referred to in the General Data Protection Regulation. The initiator has requested to receive the information in a machine-readable format. However, the registrar has delivered the call breakdown information as well as the location and base station information to the initiator in paper form by post. The controller has partially refused to provide proxy information.

Statement received from the registrar
The registrar has been asked to clarify the matter. The registrar has issued his statement on 28 September 2021.

Confidentiality regarding the processing of proxy data
In the given report, it has been stated at the beginning that the data controller is a telecommunications operator referred to in the Act on Electronic Communication Services (917/2014), which processes traffic data and forwarding data related to electronic communication in its operations. As stipulated in section 3, subsection 1, point 40 of the above-mentioned law, relay data means data that can be linked to a legal or natural person, which is processed to transmit a message, as well as information about the identifier of the radio station, the type of radio transmitter or the user, and information about the start time, duration or place of transmission of the radio broadcast. According to the explanation provided, for example IP address information, the telephone number of the communication party, the time and duration of the communication, base station information and other information that is processed in the communication network to forward, distribute or keep the message available and which can be connected to the subscriber or user of the communication service.

It has been established that the processing of relayed information and communications is protected by the Constitution. As stipulated in section 136 subsection 1 of the Act on Electronic Communication Services, the party to the communication may process its own electronic messages and related transmission data, unless otherwise provided by law. As stipulated in section 137 subsection 1 of the aforementioned law, the telecommunications operator, as a communication intermediary, is allowed to process transmission data only to the extent required by the purpose of the processing and may not limit the protection of confidential messages and privacy more than is necessary. Furthermore, as stipulated in subsection 2 of the same section, it is permitted to hand over proxy information only to those entities that have the right to process the information in the relevant situation.

In the report given, it has been established that the data controller processes the proxy data of its consumer customers pursuant to the Act on Electronic Communication Services for both its own and the authorities' needs (See Chapter 19 of the Act on Electronic Communication Services). Brokerage data can be processed, for example, to investigate a fault or for technical development and invoicing. Unjustified processing of proxy data and violation of communication confidentiality have been found to be criminalized in the Criminal Code.

The report also refers to the special provisions of the Act on Electronic Communications Services regarding the processing of certain transmission data (See Section 134 and Chapter 20 of the Act on Electronic Communications Services). The Finnish Transport and Communications Agency, as the general supervisory authority in accordance with the Act on Electronic Communication Services, has been found to have issued more detailed regulations, general guidance and decisions on the processing of transmission data and their delivery to the subscriber and user of the communication service.

On the delivery of information to the initiator
The initiator's personal information has been made available to the submitted initiator in the self-service channel maintained by the controller. In the self-service channel, the registrant receives an electronic summary and a more detailed summary of their own personal data. In the self-service channel, the registered person can also download their invoice in pdf format. Log in to the self-service channel by identifying yourself electronically.

However, the initiator had not been satisfied with the information that had been provided to him in the self-service channel. Later, at his request, a more detailed breakdown of calls was provided to the initiator. With respect to connection-specific breakdowns of calls, reference has been made to Section 134 of the Act on Electronic Communication Services and the guidelines of the Finnish Transport and Communications Agency (See https://traficom.fi/fi/veistinta/laajakaista-ja-puhelin/laskueritletyt-telehunilaskuin [visited 24.6.2024 ].). According to the given explanation, a connection-specific breakdown can be given to the subscriber and user of the communication service. The connection-specific breakdown shows the call's i) start time, ii) duration, iii) call type (call, text message, data transfer) and iv) the recipient's number. Received calls and text messages are only shown in the connection-specific breakdown if they are paid for.

Regarding location and base station information, the initiator had been asked to fill out a separate form to ensure that the initiator had been a user of the communication service at the time specified in the request. The initiator had filled out the form in such a way that he had mentioned his name, phone number and social security number as his identifying information. The initiator had submitted the form to the controller from an email address ending in msn.com. In his request, the initiator had also assured that he was a user of the subscription at the time in question. With the help of the mentioned information, the controller had identified the initiator, but according to the report given, had not identified him with certainty in such a way that the e-mail address referred to above could have been considered the e-mail address of the initiator. According to the report, the controller did not consider the aforementioned e-mail address secure.

Both the call breakdown information and the location and base station information had since been delivered to the initiator in paper form as a registered letter to his home address. According to the report given, this way it was possible to ensure that the information is delivered to the right recipient without violating the confidentiality of communications.

Delivery of proxy information to the initiator
Regarding the forwarding information, the initiator has been provided with a connection-specific billing breakdown as well as location and base station information as mentioned above. According to the report, the initiator has not specified that his request for information should target other brokerage information. In this context, the registrar has emphasized that the law does not allow the delivery of all proxy information at all. For example, as stipulated in Section 134 of the Act on Electronic Communication Services, data on incoming free calls should not be entered in the connection-specific breakdown of calls.

The equivalent of an initiator
The initiator has been given the opportunity to give a response in the case. The initiator has given his response on 1 October 2021. The initiator has stated that not all personal data of the initiator that the controller has processed has been available in the self-service channel of the data controller. For example, the call, location, forwarding and other technical information requested by the initiator has not been available in the self-service channel.

In his reply, the initiator has confirmed that the data controller had subsequently provided him with the call specification, location and base station information in paper form by post. The registrant had not requested additional information from the initiator in order to deliver the information to him electronically. According to the initiator, the controller had not informed the initiator that it had not recognized him or been able to confirm his e-mail address. The initiator has emphasized that the e-mail address he uses has been marked as the e-mail address of his customer account since 2014, and this e-mail address has been used, among other things, for invoicing the data controller.

Finally, the initiator has stated that he has requested a copy of all data generated from the use of his mobile phone subscription. The initiator is surprised that he has not been provided with all the information he requested and, on the other hand, that all the information provided to him has not been provided to him electronically, even though the data controller maintains a self-service channel where customers can log in by identifying themselves electronically.

The initiator has also been asked to specify what he means by the proxy information that has not been provided to him. The initiator has responded to the request for additional information on the matter on July 5, 2024. The initiator has said that he does not know how to identify the information that the data controller has referred to in his response on 28 September 2021. In its reply, the controller has referred to other information that is processed in the communication network to transmit, distribute or keep the message available, and which can be connected to the subscriber or user of the communication service. The registrar has also referred to all proxy information. The initiator has also stated that the data controller separately mentioned the data of incoming calls as an example of forwarding information that has not been provided to the initiator.

With regard to other technical data, the initiator has referred to the data protection principles document of the data controller, the wording of which he has interpreted when making his request in such a way that technical data other than transmission data can be generated from making phone calls. The initiator has emphasized that he has requested all information generated from the use of his telephone subscription.

On applicable legislation
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) applies in this case. As a regulation, the legislation is immediately applicable law in the member states. The general data protection regulation is specified in the national data protection act (1050/2018). In addition, the Act on Electronic Communication Services (917/2014) applies to the matter.

A legal question
The Deputy Data Protection Commissioner assesses and decides the initiator's case on the basis of the General Data Protection Regulation as mentioned above. The Deputy Data Protection Commissioner must resolve:

1) is there an order to be given to the data controller to implement the initiator's request to get to know the data generated by using his mobile phone subscription; and

2) whether the provision of Article 15, Paragraph 3 of the General Data Protection Regulation has been complied with when submitting personal data to the initiator.

Decision
The Deputy Data Protection Commissioner is not competent to resolve the question of which information is to be considered proxy data or the question of which proxy data the party to the communication has the right to process pursuant to section 136 subsection 1 of the Act on Electronic Communication Services. Therefore, the deputy data protection commissioner leaves the case uninvestigated as it is not part of his jurisdiction.

In the case at hand, the Deputy Data Protection Commissioner does not assess whether the information requested by the initiator or part of it is personal information. Consequently, the deputy data protection commissioner does not assess in this context whether the controller should be ordered to implement the initiator's request.

The provision of Article 15, paragraph 3 of the General Data Protection Regulation has not been followed in the provision of personal data to the initiator.

The Deputy Data Protection Commissioner orders the data controller, pursuant to Article 58(2)(c) of the General Data Protection Regulation, to deliver the personal data already provided to the initiator in the commonly used electronic format stipulated in Article 15(3) of the General Data Protection Regulation. This information is ordered to be resubmitted to the extent that the data controller is still processing it. (Due to the passage of time, it is possible that some of the personal data in question has already been deleted.)

Note
The Deputy Data Protection Commissioner issues a notice to the data controller pursuant to Article 58, Section 2, Subsection b of the General Data Protection Regulation. Although the initiator had not only submitted his request electronically, but also emphasized that he specifically requested information in an electronic format, the personal data provided to the initiator had not been provided to him in the commonly used electronic format stipulated in Article 15, paragraph 3 of the General Data Protection Regulation.

Reasoning
The initiator has requested access to all information generated by using his mobile phone subscription. The initiator has listed the start and end times of calls, recipients of calls, location information, forwarding information and other technical information as such information. According to the initiator's understanding, these are personal data referred to in the General Data Protection Regulation.

Information about the start and end times of calls, call recipients, and location and base station information is information that has already been provided to the initiator. Since this information has already been delivered to the initiator, it is not necessary to further assess the issue regarding access to said information. In this respect, this decision therefore takes a position on the question only with regard to the mediation information that has not already been delivered to the initiator.

About proxy information
Chapter 38 of the Act on Electronic Communication Services (917/2014) provides for guidance, supervision and other duties of the authorities. Paragraph 1 of Section 305 of the said Act lists the provisions of the Act on Electronic Communication Services that are supervised by the Data Protection Commissioner. These include, for example, Chapter 18 on the processing of the community subscriber's proxy data and Chapter 20 on the processing of location data. For the sake of clarity, it must be stated in this context that the initiator is not in the position of a community subscriber.

Section 134 of the Act on Electronic Communication Services provides for the breakdown of the bill and breakdown by connection. The supervision of this section has not been separately provided for the responsibility of any named authority. Section 303, subsection 1 of the said law stipulates, however, that the task of the Finnish Transport and Communications Agency is to monitor compliance with the law on electronic communication services and the regulations and decisions issued pursuant to it, unless otherwise provided in this law. Consequently, the supervision of the legal section governing the above-mentioned invoice itemization and connection-specific itemization falls under the jurisdiction of the Finnish Transport and Communications Agency.

On the other hand, the definition of proxy data is regulated in section 3, subsection 1, point 40 of the Act on Electronic Communication Services. Furthermore, as stipulated in Section 136 subsection 1 of the Act on Electronic Communication Services, the party to the communication may process its own electronic messages and related transmission data, unless otherwise provided by law. According to § 137 subsection 2 of the same law, it is permitted to hand over electronic messages and transmission data only to those entities that have the right to process the data in the relevant situation. The supervision of the sections mentioned in this paragraph is also not provided for the responsibility of any of the authorities mentioned by name. Therefore, pursuant to section 303 subsection 1 of the Act on Electronic Communication Services, the Finnish Transport and Communications Agency has the authority to monitor and interpret the mentioned sections.

Based on the reasons presented above, it can be stated that the Deputy Data Protection Commissioner is not competent to resolve the question of which information is to be considered proxy data in general or the question of which proxy data the party to the communication has the right to process pursuant to section 136 subsection 1 of the Act on Electronic Communication Services. Consequently, the deputy data protection commissioner leaves the case uninvestigated as it does not fall within his jurisdiction.

It should be noted, however, that to the extent that the proxy data is about personal data, the general data protection regulation applies. The law on electronic communications services is based, among other things, on the electronic communications data protection directive [European Parliament and Council Directive 2002/58/EC on the processing of personal data and the protection of privacy in the field of electronic communications has been amended by Directive 2009/136/EC (European Parliament and Council Directive 2009/136/EC, issued on November 25, 2009, Directive 2002/22/EC on universal service and user rights in the field of electronic communications networks and services, Directive 2002/58/EC on the processing of personal data and protection of privacy in the field of electronic communications and the Regulation on cooperation between national authorities responsible for the implementation of consumer protection legislation (EC ) No. 2006/2004 on amendment).]. The purpose of the Electronic Communications Data Protection Directive is to supplement the European Parliament and Council Directive on the protection of individuals in the processing of personal data and the free movement of this data (95/46/EC, hereinafter the Personal Data Directive) [see Article 94 paragraph 2 of the General Data Protection Regulation. References to the repealed directive are considered references to this regulation] regulation as far as it concerns the communications sector [HE 221/2013 vp, p. 46.]. The Electronic Communications Data Protection Directive does not contain special provisions on the right to access information. The provisions of the General Data Protection Regulation concerning the said right will be applied in the case [See also statement 5/2019 on the interaction of the electronic communications data protection directive and the general data protection regulation, especially with regard to the competence, tasks and powers of data protection authorities (issued on March 12, 2019), p. 18.]. It can also be noted as a curiosity that during the repeal of the Personal Data Act, the data protection commissioner has considered that the data subject had the right to get to know, among other things, the IP address information loaned to the subscriber by the telecom operator. [See Statement of the Data Protection Commissioner on using the right of inspection according to the Personal Data Act (3118/05/2016, 23 November 2016).]

With the exception of information regarding free incoming calls, the initiator has not been able to identify in more detail what information considered to be proxy information has not been delivered to him. The same applies to other requested technical information. Since the information referred to above has not been specified in more detail, and since the Finnish Transport and Communications Agency has the authority to define which information is transfer information in general, the deputy data protection commissioner does not assess in this context whether the information in question or part of it is personal information. Therefore, in this case, the deputy data protection commissioner does not assess whether the controller should be ordered to implement the initiator's request in this regard.

In this context, attention should also be drawn to the wording of Section 134, subsection 6 of the Act on Electronic Communication Services. Therefore, according to the above-mentioned legal section, the contact-specific breakdown of the bill may not contain information on forwarding free services. Since, as mentioned above, the Finnish Transport and Communications Agency has the authority to define which information is transmission information in general, the deputy data protection commissioner does not assess in this context whether the information in question or part of it is personal information. Therefore, the deputy data protection commissioner does not assess whether the controller should be ordered to implement the initiator's request.

Finally, for the sake of clarity, it must be stated that proxy data is often also personal data. (See e.g. HE 221/2013 vp, p. 83.) In this regard, let's refer to the wording of the provision on the definition of proxy information. Even though proxy data means information that can be linked to a legal or natural person as stipulated in § 3 subsection 1 point 40 of the Act on Electronic Communication Services, this does not directly mean that in the case at hand all the proxy data generated from the use of the initiator's telephone connection can be linked to the initiator. (Compare to the provisions in Article 4, Section 1, Subsection 1 of the General Data Protection Regulation. Personal data refers to all information related to an identified or identifiable natural person; an identifiable natural person is considered to be a natural person who can be directly or indirectly identified, in particular through identifying information such as name, social security number, location information, online identification information or on the basis of one or more physical, physiological, genetic, psychological, economic, cultural or social factors characteristic of him.) This assessment must be made separately for each piece of information.

About the form of data delivery
The initiator had made the request in question electronically. Call breakdown information and location and base station information had been delivered to the initiator in paper form as a registered letter to his home address. According to the registrar, the purpose of doing this was to ensure that the information is delivered to the right recipient without violating the confidentiality of communications.

The Act on Electronic Communication Services does not provide for the form of delivery of the information provided for delivery. However, as stated above, the General Data Protection Regulation will be applicable to the extent that the matter concerns personal data.

If the data subject submits the request electronically, the information must be submitted in a commonly used electronic format as stipulated in Article 15, Section 3 of the General Data Protection Regulation. In the present case, the personal information that has been provided to the initiator has been delivered to him in paper form, despite the fact that the initiator had submitted his request electronically. Therefore, the provision of Article 15, Paragraph 3 of the General Data Protection Regulation has not been followed in the provision of personal data to the initiator.

Pursuant to Article 5(1)(f) of the General Data Protection Regulation, personal data must be processed in a way that ensures appropriate security of personal data, including protection against unauthorized and illegal processing using appropriate technical or organizational measures ("integrity and confidentiality"). Personal data must be processed in accordance with the above-mentioned principle of integrity and confidentiality, also when exercising the rights of the data subject. If the data controller has reasonable grounds to suspect the identity of the natural person who made the request in accordance with Article 15, the data controller may, as stipulated in Article 12, Paragraph 6 of the General Data Protection Regulation, request the submission of additional information that is necessary to confirm the identity of the data subject.

In this context, however, attention should be drawn to the fact that the data controller maintains an electronic self-service channel, through which the data controller already supplies certain personal data to the data subjects. Likewise, the initiator's personal information has been made available to the submitted initiator in the aforementioned self-service channel. Log in to the self-service channel by identifying yourself electronically. Despite the mentioned facts, not all information had been delivered to the initiator via the self-service channel.

Since the call breakdown information and location and base station information had been delivered to the initiator in paper form as a registered letter to his home address, the controller has identified the initiator. However, according to the report given in the case, the controller had not been able to make sure in a sufficient way that the e-mail address in question had been used by the initiator. According to the report, the controller did not consider the e-mail address used secure.

In this regard, attention must be paid to the fact that the general data protection regulation does not specify what is meant by a commonly used electronic format. Thus, there are several possible formats that can be used. The format to be used is indeed left to the discretion of the data controller in the General Data Protection Regulation. It should be noted that, if necessary, a copy of the personal data can be saved on an electronic storage device, such as a CD or USB memory. Depending on the situation, the controller may decide to deliver a copy of the personal data being processed, for example by e-mail, post or using a self-service tool. [Instructions 1/2022 on the rights of data subjects – the right to access information, version 2.1 (approved on March 28, 2023), p. 50. Instructions 1/2022 on the rights of data subjects – the right to access information, version 2.1 (approved on March 28, 2023), p. 46 .]

The Deputy Data Protection Commissioner issues a notice to the data controller pursuant to Article 58, Section 2, Subsection b of the General Data Protection Regulation. Although the initiator had not only submitted his request electronically, but also emphasized that he specifically requested information in an electronic format, the personal data provided to the initiator had not been provided to him in the commonly used electronic format stipulated in Article 15, paragraph 3 of the General Data Protection Regulation.

In addition, the Deputy Data Protection Commissioner orders the data controller, pursuant to Article 58(2)(c) of the General Data Protection Regulation, to deliver to the initiator the personal data already provided in the generally used electronic format stipulated in Article 15(3) of the General Data Protection Regulation. This information is ordered to be resubmitted to the extent that the data controller is still processing it. (Due to the passage of time, it is possible that some of the personal data in question has already been deleted.)