Tietosuojavaltuutetun toimisto (Finland) - 4359/163/2018

From GDPRhub
Revision as of 13:02, 5 May 2020 by AL
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(e) GDPR
Article 58(2)(c) GDPR
Section 12 Act on the Registration of Debtors
Sections 5 and 10 Accounting Act
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 19.03.2020
Fine: None
Parties: Complainant's name not disclosed
Respondent's name not disclosed / collection agency
National Case Number/Name: 4359/163/2018
European Case Law Identifier: unknown
Appeal: Unknown
Original Language(s): Finnish
Original Source: FINLEX (in FI)
Initial Contributor: n/a

The Data Protection Authority of Finland instructed a debt collection agency to delete personal data pursuant to the request of the data subject. According to applicable obligations arising from the Finnish Accounting Act, the personal data concerned should not be retained.

English Summary

Facts

The complainant had requested access to his/her personal data from the respondent and received, among other things, emails and other information which had been stored in the respondent's archives. The complainant also criticised that the respondent's privacy notice did not mention the retention period and led him/her to believe that the respondent could have disclosed personal data to external credit institutions. On request, the respondent stated that personal data relating to the complainant are kept in the respondent's records for six years.

Subsequently, the complainant requested the erasure of personal data related to him/her; in the complainant's view, only so-called accounting data and related data can be retained under accounting law.

Dispute

The legal dispute in the case revolved around the retention period of personal data processed by a debt collection agency. The Finnish national law stipulates certain retention periods which were taken into consideration:

On the one hand, under Article 12 of the Act on the Registration of Debt Recovery Operators, unless a longer retention period is mandatory, data are to be retained for five years from the date on which the debt collection activities were completed.

On the other hand, Section 10 (1) of the Accounting Act requires that certain data relating to accounting are kept for at least ten years from the end of the financial year. Further, under Chapter 2, Section 10 (2) of the Accounting Act, unless otherwise provided by law, records for the financial year, correspondence relating to transactions, and accounting records other than those referred to in paragraph 1 shall be kept for at least six years from the end of the financial year.

The Data Protection Authority had to decide which of these retention periods was applicable in the case at hand.

Holding

The Data Protection Authority held that the respondent was entitled to retain the information in question for a period of five years after the debt collection measures have been completed.

The complainant's personal data, however, were not considered to be information within the meaning of Section 10 of the Accounting Act. Only the personal data of the complainant contained in the supporting documents on the basis of which the respondent's accounting obligations have been recorded can be retained for the six-year period provided for in Section 10 (2) of the Accounting Act. Data other than this data should not be retained beyond the above five-year retention period.

The Data Protection Authority emphasised that emails between a data subject and a controller are not to be considered as accounting material within the meaning of Section 10 (2) of the Accounting Act and must be deleted after the five-year retention period under Article 12 of the Act on the Registration of Debt Recovery Operators.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Retention periods of personal data and the right of the data subject to have their personal data deleted
Keywords: access to information
the right to be forgotten
data deletion
Legal basis: Decision in accordance with the EU General Data Protection Regulation
Registration: 4359/163/2018

MATTER
The applicant has stated that he has entered into an agreement with the telecommunication operator, who had subsequently instructed the debt collection agency to recover its claims from the applicant. Subsequently, the applicant had requested the collection agency to verify the information concerning him. The applicant had also asked the debt collection agency to remove the personal data concerning him, which had been refused. The applicant has stated that, according to his privacy statement, the debt collection agency could have disclosed the personal data in his possession to external credit institutions, which led the applicant to consider that his personal data had been processed by the debt collection agency for a wider purpose than the applicant had consented to under the original contracts.

The applicant further stated that the debt collection agency's privacy statement did not mention the retention period. Information on the retention period was only provided on request. The applicant has questioned the debt collection agency's procedure for keeping records of pending recovery orders for six years. In the applicant's view, only so-called accounting data and related data can be retained under accounting law.

The applicant stated that he had been provided with information from the debt collection agency's archives, which included, for example, copies of e-mails. The applicant finds it strange that more information might have been stored in the archive register than in the actual recovery register. As a result, the applicant has suspected that he was not given all the information concerning him.

STATEMENT BY THE CONTROLLER
In his statement, the controller considers that he has exercised his right of access to the data. Due to human error, some of the duplex pages and recorded emails were missing from the first reply to the applicant. However, this information was subsequently provided to the applicant.

Initially, the data controller did not disclose to the data subjects information on the score based on the scoring in the collection, nor the full names of the persons who responded to requests for information. However, this policy has been modified following the decision of the Data Protection Supervisor, 1710/523/16 (issued on 6/11/2018). As far as disclosure of information is concerned, it has been established that the controller discloses personal credit information contained in active databases only in accordance with Chapter 4 of the Credit Information Act (527/2007). Information contained in archival databases will be processed solely for the purposes of the Accounting Act (1336/1997) and the Act on the Registration of Debt Collection Operators (411/2018), and for the fulfillment of other statutory obligations such as money laundering and anti-terrorism legislation and data protection law.

The report states that data processed in the recovery and recovery procedures will be transferred from the active databases of the recovery systems to separate archive databases six months after the end of the mandate. The personal data processed in these proceedings will be retained for five years from the end of the assignment, in accordance with Section 12 of the Act on the Registration of Debt Recovery Operators. Thereafter, the data will continue to be stored until the end of the retention period in accordance with Section 10 of the Accounting Act.

The statement also states that the Accounting Act requires the retention of accounting documents, correspondence relating to transactions and other accounting material for at least six years from the end of the year in which the financial year ended. Because the data and transactions stored under accounting law are located in the collection systems used by the debt collection agency, the Company maintains all records of the systems in accordance with the accounting period.

Upon transfer to archival databases, personal data is pseudonymised and stored in a pseudonymised form. After the retention period in accordance with the Accounting Act, the information is anonymised. Eight years after the end of the mandate, all data shall be permanently deleted. Access and use of the data in the archive databases is restricted to persons working in the financial administration and at the interface of the recovery agent.

Finally, the controller indicated that he had taken steps to remove the correspondence with the applicant from the archive database after the five-year retention period provided for in Article 12 of the Act on the Registration of Debt Recovery Operators.

DECISION OF THE ASSISTANT DATA PROTECTION SUPERVISOR
The Assistant Data Protection Officer shall instruct the controller in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the applicant's request for the deletion of his or her personal data relating to

Have expired five years ago, and

(2) which are not to be retained by the debt collection agency in order to comply with the accounting obligations arising from the Accounting Act, with more detailed reasons for the decision.

Article 5 (1) (e) of the General Data Protection Regulation provides for restrictions on the retention of personal data. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. The period of retention of personal data must therefore be as short as possible. According to recital 39 of the General Data Protection Regulation, personal data should only be processed if the purpose of the processing cannot be reasonably achieved by other means. Personal data should therefore not be kept longer than necessary. According to recital 65 of the General Data Protection Regulation, a natural person should, in turn, have the right to 'be forgotten' if the retention of the data infringes this Regulation or the Union law applicable to the controller or the law of the Member State. In particular, the data subject should have the right to have his or her personal data deleted and not further processed when the personal data are no longer needed for the purposes for which they were collected or otherwise processed, when the data subject has objected to the processing of his or her personal data, or when the processing otherwise does not comply with the provisions of this Regulation.

It should be noted that under Article 12 of the Act on the Registration of Debt Recovery Operators, unless a longer period of retention is provided for elsewhere by law, documents and information are to be retained for five years from the date on which the recovery measures were completed. The Government's proposal states that the purpose of the provision is to safeguard the right of access to information of the Regional Government Office under its control over debtors. It is also stated in the Government's submission that documents and information relating to debt collection activities refer, firstly, to written material, such as assignment agreements, claim documentation, payment reminders, payment claims and payment plans. Electronic material which can be stored and printed at the disposal of the supervisory authority, such as e-mails between the debt collector and the debtor, shall be treated in the same way as written material to be retained. The records and information shall be kept for a period of five years from the date on which the recovery measures were completed. Should documents and information be required to be retained under another law for a longer period than the proposed period, this longer retention period will be respected (HE 206/2017 vp, pp. 29-30).

Chapter 2, Section 10 (1) of the Accounting Act, on the other hand, requires that the annual accounts, annual report, accounts, list of accounts and records be kept for at least 10 years from the end of the financial year. Further, under Chapter 2, Section 10 (2) of the Accounting Act, unless otherwise provided by law, records for the financial year, correspondence relating to transactions, and accounting records other than those referred to in paragraph 1 shall be kept for at least six years from the end of the year.

Chapter 2, Section 5 of the Accounting Act provides for a receipt. Voucher means a dated and identified written statement of the transaction, such as a receipt. The Government's proposal, for its part, refers to the Accounting Board's General Guideline of 1 February 2011 on Accounting Methods and Materials for the definition of business correspondence, which states in paragraph 4.2 that business records correspond to documents other than supporting documents. Such material includes, for example, statements made by the authorities on the basis of accounts (e.g. tax returns), and notices to pension insurance corporations or other entities and other statutory notices (HE 89/2015 vp, p. 49).

On the basis of the above points, the Assistant Data Protection Officer considers that the recovery office has grounds to retain the information in question for a period of five years after the recovery measures have been completed. However, the applicant's personal data in question are not, as a rule, to be considered as information within the meaning of Chapter 2, Section 10 of the Accounting Act. The Assistant Data Protection Officer considers that only the personal data of the applicant contained in the supporting documents, that is to say, on the basis of which the debt collection agency's accounting obligations have been recorded, can be retained for the period provided for in Chapter 2, Section 10 (2). Data other than this data should not be retained beyond the above five year retention period. It should be noted that, for example, e-mails between the data subject and the controller are not to be considered as accounting material within the meaning of Chapter 2, Section 10, paragraph 2 of the Accounting Act.

For the reasons set out above, the Assistant Data Protection Officer instructs the controller to comply with Article 58 (2) (c) of the General Data Protection Regulation to comply with the applicant's request for the removal of personal data relating to . Where such entries are made, the data shall be deleted six years after the end of the year to which the accounts relate.

APPLICABLE LAWS
General Data Protection Regulation
Section 12 of the Act on the Registration of Debtors
Chapter 2, Sections 5 and 10 of the Accounting Act