Tietosuojavaltuutetun toimisto (Finland) - 6633/182/2018, 6707/154/2018 and 7685/152/2020

From GDPRhub
Revision as of 14:18, 11 January 2023 by Ex4 (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finnland) |...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Tietosuojavaltuutetun toimisto - 6633/182/2018, 6707/154/2018 and 7685/152/2020
[[File:|center|250px]]
Authority: Tietosuojavaltuutetun toimisto (Finnland)
Jurisdiction: Finland
Relevant Law: Article 15(1) GDPR
Article 15(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.12.2022
Published: 11.01.2023
Fine: 750000 EUR
Parties: Alektum Oy
National Case Number/Name: 6633/182/2018, 6707/154/2018 and 7685/152/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Eetu Salpaharju

DPA imposed a fine of 750,000 euros for Alektum Oy for declining data subjects to review their information.

English Summary

Facts

Alektum Oy has declined to answer data subjects request to review their data. The case is based on three different complaints.

Holding

The DPA held that right to review and correct information recorded in a register is fundamental right that should not be violated.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The sanctioning panel of the Office of the Data Protection Commissioner has imposed a penalty payment of EUR 750,000 on the debt collection company Alektum Oy. The debt collection company had not responded to the requests regarding the data subject's rights. The company also complicated and slowed down the investigation by avoiding the supervisory authority. The Office of the Data Protection Commissioner started investigating the matter after receiving three complaints from private individuals. In two complaints, it was reported that Alektum Oy had not responded to requests to access their own information. One of the complainants had received a response from Alektum Oy, but he was still not provided with the requested copy of the personal data. "The right to access your personal data is a key data protection right. If a person does not have access to his own data, he does not have the opportunity, for example, to correct incorrect data or monitor the legality of the processing of personal data," states Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa. The investigation by the Office of the Data Protection Commissioner revealed that Alektum Oy had regularly failed to respond to requests regarding the data protection rights of the data subject. The organization that processes personal data is obliged to respond to requests regarding the rights of the data subject within one month. If there are many requests or they are complex, the organization acting as a data controller can state that it needs an additional time of up to two months. In the case of one complainant, Alektum Oy explained the non-response by saying that it no longer processed the data subject's personal data. Even then, the company should have responded to the request and said that the company no longer processes the data subject's personal data. The Sanctions Board considers that the company was not sufficiently familiar with the requirements of the data protection legislation and that the operation has shown disregard for the legislation. The company did not comply with the obligation to cooperate with the supervisory authority. During the investigation, the data protection commissioner's office tried to consult Alektum Oy in many different ways. The Sanctions Board considers that the company has been unwilling to provide an explanation of its operations and cooperate with the data protection authorized office. According to the Data Protection Regulation, the organization acting as data controller must cooperate with the supervisory authority and provide the information requested by the data protection authority. In its evaluation, the Sanctions Board took into account the fact that the case also involved the legal protection of individuals. Collection costs can ultimately be enforced by coercive means by the authority, and the debtor has the right to know about the threat of a legal claim related to collection. The decisions of the deputy data protection commissioner and the sanctions panel are not yet legally binding. They can be appealed to the administrative court. Decisions of the Deputy Data Protection Commissioner and Sanctions Board (pdf) More information: Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. 029 566 6787 The decision-making of the Sanctions Board and the legal protection of data controllers are stipulated in the national data protection act. The disciplinary board consists of a data protection commissioner and two deputy data protection commissioners. The college is competent to impose administrative fines for violations of data protection legislation. The maximum amount of penalty payments is four percent of the company's turnover or 20 million euros.