Tietosuojavaltuutetun toimisto (Finland) - 7587/163/20

From GDPRhub
Tietosuojavaltuutetun toimisto - 7587/163/20
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 17(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.07.2022
Published: 27.07.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 7587/163/20
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Vadym Kublik

The Finnish DPA reprimanded a bank for violating Articles 12(3), 12(4) and 17(1)(a) GDPR by not responding to the data subject's request to have their data deleted when it was no longer necessary for processing.

English Summary

Facts

On 28 September 2020, the data subject filed a complaint with the Finnish DPA against a bank (the controller) where they used to be a customer. On multiple occasions, the data subject had requested the controller to delete their data which was no longer necessary for processing after they ceased being a customer. However, the controller did not comply with the requests and did not provide the data subject with the required information under Articles 12(3) and 12(4) GDPR. When responding to the DPA, the controller explained that the violation happened because of a human error in the customer service department. The controller subsequently complied with the data subject's deletion request.

Holding

The DPA held that the controller violated Article 17(1)(a) GDPR by not complying with the data subject's right to have their data deleted. Instead, the controller should have deleted the data to the extent that it was no longer necessary to store it. Additionally, the controller violated Articles 12(3) and 12(4) GDPR by providing the data subject neither with information on the measures taken in response to the request nor with the reasons for not taking any actions. As a result, the DPA reprimanded the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The registrant's right to have his data deleted from the bank's system

Keywords: Right to delete data
Retention period

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 7587/163/20

Decision of the Data Protection Commissioner

Thing

The matter concerns the data subject's right to have their data deleted

Registrar

Bank

Statement received from the applicant

On September 28, 2020, the applicant has initiated a case at the data protection commissioner's office regarding the data subject's right to delete data. According to what he said, the applicant had visited the registrar to terminate his customership and had also requested the deletion of his data. The customer service representative had stated to the applicant that his data had been deleted from all customer databases, where they are not required by law. Despite this, the applicant later received a customer letter from the registrar. The applicant had made a new request to the data controller first by email on 28 August 2020 and later by phone on 17 September 2020 to delete the data. According to the applicant, he had not received confirmation from the controller as to whether his personal data had been deleted.

Statement received from the registrar

The Office of the Data Protection Commissioner has requested an explanation from the data controller on July 2, 2021. The Office of the Data Protection Commissioner has tried to find out, 1) whether the data controller has implemented the applicant's right to have their data deleted according to Article 17 of the General Data Protection Regulation (EU) 2016/679 (Data Protection Regulation) 2) if the right has not been implemented, whether the data controller could now implement the right, and 3 ) on what basis the data controller has processed the applicant's data after the end of the customership. The registrar has responded to the clarification request on 13 August 2021.

According to the report given by the registrar, the applicant visited the branch in 2017 to terminate his service. In that context, according to his own account, he wanted to delete all the information. However, according to the controller, this request cannot be found in the controller's system and the controller has not implemented it. On September 17, 2020, the applicant called the data controller and stated that there should be no information about him and that he wants his data to be deleted from the data controller's system.

According to the registrar, it has not implemented the applicant's right to have his data deleted. According to the controller, it has kept customer data based on legislation and legitimate interest.

According to the registrar, it can implement the applicant's request to the extent that legislation or a compelling legitimate interest does not prevent it. According to the controller, the failure to delete the data was due to human error in customer service.

According to the registrar, the applicant has had an investment service agreement and its removal requires manual measures when terminating the customership. In the internal instructions of the registrar, it is specified that the cancellation of the contract is part of the customer termination process. In this case, however, the contract in question has not been deleted due to human error, and as a result the applicant has received a letter. According to the registrar, the applicant's personal data has also been processed in connection with the January and June 2020 loan negotiations. For the sake of clarity, the controller notes that the applicant has not been sent a marketing letter, but rather a customer letter regarding the end of the Check-in customership.

According to the controller, it will contact the applicant and delete the applicant's personal data to the extent that the personal data is not processed on the basis of a legal obligation or a compelling legitimate interest.

According to the data controller, it will also organize additional training for its customer service unit in question on the implementation of data subjects' rights and related processes of the data controller.

The applicant's equivalent

The data protection commissioner's office has asked the applicant for compensation after the explanation given by the data controller on August 19, 2021. The applicant's reply was received on 3 September 2021.

In his reply, the applicant wants to specify that he has always meant that the data controller would delete the information that the legislation does not require to be kept. If he has forgotten to specify this in the call, according to the applicant, it has been due to the reluctance of the registrar regarding the matter. According to the applicant, he has already been allowed to repeat the request so many times. The applicant would like clarification from the data controller on what the data controller means by "legitimate interest". According to the applicant, he does not understand what the words "legitimate interest" or "compelling legitimate interest" mean in this context.

The applicant states that he understands the human error, but hopes that the bank would even bother to apologize for the matter. The applicant hopes for an apology, especially because, according to the applicant, the matter has caused a lot of work and effort.

In return, the applicant hopes for additional training regarding interaction skills for the legal department of the registrar. According to the applicant, it has been extremely difficult for him to communicate with the data controller. According to the applicant, his first request was directed to a person whose responses (and in some cases non-response) left the impression that the person had not read the request or understood the situation. According to the applicant, even the requests made after that could have been handled more transparently. According to the applicant, he did receive the information by mail, but I would have liked a short confirmation message that the information will be delivered on paper.

According to the applicant, it is still unclear to him what information the controller has about him that can be deleted and what information is still kept for legal reasons. The applicant hopes that if he or anyone else ever needs to request data verification or deletion from the data controller, the matter would be handled more smoothly.

Consultation request of the Office of the Data Protection Commissioner

On February 25, 2022, the controller is scheduled to have the opportunity referred to in § 34 of the Administrative Act (434/2003) to be heard and to present an opinion on the preliminary assessment of the representative of the Data Protection Commissioner's office and the confusion of facts presented in the hearing request. At the same time, the data controller is given the opportunity to bring forward such matters referred to in Article 83, paragraph 2 of the General Data Protection Regulation, which, in the data controller's opinion, should be taken into account when making a decision. For the sake of clarity, it must be stated that the subject of the consultation request was 2 separate complaints made to the data protection commissioner's office. The second complaint has been processed under diary number 1601/452/18.

The controller has given his answer on March 25, 2022. In his reply, the controller says, among other things, the following.

On the facts of case 7587/163/20

The controller considers that he has implemented the rights of the registered person in accordance with Articles 15 and 17 of the Data Protection Regulation in that case.

According to the data controller, in the consultation request, it has been stated that the data subject would have terminated his services in 2007. According to the database data controller, the data subject has terminated his services on September 12, 2017. After this, the registered person contacted the registrar regarding mortgage matters on 13 January 2020 and was given a loan promise on 19 January 2020, and in addition, the registrar met with the registrar on 26 June 2020.

The controller notes that the data subject has said that he was in contact with the controller via e-mail on 28 August 2020. The registrar points out that it cannot disclose or process information subject to bank secrecy, including personal information, in an open e-mail.

According to the registrar, it mainly uses the online bank's message service or Omaposti service to communicate with personal customers, which can be used without bank IDs with a strong electronic identification device. The purpose of using these services is to guarantee secure communication with customers as required by the Financial Supervisory Authority. For this reason, the data controller states that he has directed the registrant to a secure communication channel, which allows the data controller to verify the identity of the data subject using his rights and verify the correctness of the request.

The controller considers that, in connection with customer service, the registrant has not been properly guided in making an information request and deletion request. In this regard, the controller has taken corrective measures, such as instructing and training its personnel in similar customer service situations.

The controller states that in the consultation letter it has been stated regarding the facts that "the controller has stated in the report given to the data protection commissioner's office that the personal data has not been deleted." The controller points out in his report that this only applies to a small part of the data subject's personal data. According to the controller, most of the data has been deleted after the end of the storage periods after the end of the customer relationship. The information that was not deleted was related to an investment service agreement, which the employee of the registrar should have terminated manually upon termination of the agreement. According to the data controller, the incorrect storage of this data has had very little effect on the data subject's rights and obligations, because most of the data subject's data is still covered by a statutory or other reason for storage.

According to the data controller, the data subject has also been in contact with the Bank after the deletion requests and applied for credit from the data controller. In this regard, the registered person's data is stored in accordance with the previously mentioned storage criteria and the data could not yet be deleted at that time.

The controller notes that the basis of the controller's retention periods has not been discussed in the consultation letter in any way. According to the controller, it has clearly had a reason to store personal data, and the controller has given clear examples in its response of situations where it is necessary to store personal data also on grounds other than statutory ones. According to the controller, it has sent the data subject a confirmation of data deletion on March 21, 2022.

About legal matters

In his report, the controller draws attention to the fact that the controller's mistakes have been considered to be repeated in the consultation request. According to the controller, it processes millions of customer data every day and constantly invests to develop its systems and personnel. According to the controller, it is clear that due to the obligations arising from several pieces of legislation, the processing sometimes has to be done manually, and that because of this, errors can also occur. According to the data controller, it is therefore unreasonable that the data protection commissioner considers the data controller to have acted repeatedly in violation of the data protection regulation based on a few cases.

The controller considers that the principles of good administration and Article 58, paragraph 4 of the Data Protection Regulation and Article 41 of the Charter of Fundamental Rights of the European Union require that the authority is obliged to act impartially and fairly in administrative matters. In stating that the bank has repeatedly acted in violation of Article 12, Sections 3 and 4, the Data Protection Commissioner has, in the view of the data controller, assumed that the data controller acts in such cases consistently incorrectly on the basis of two cases. However, according to the data controller, this is not based on anything other than two cases where in both cases it is largely a question of human error, which the data controller has undertaken to correct immediately after receiving information about the error.

According to the controller, in 2020 it implemented almost 500 requests related to the rights of the registered person in the Nordic countries and more than 200 requests in Finland. According to the controller, it implements the request within ten days on average. In this respect, according to the data controller, it does not "repeatedly" fail to implement the rights of the data subjects, but in this case it was a single error.

The registrar states that the Administrative Committee of the Parliament has stated in its report on the Data Protection Act that the data protection regulation is not based on strict liability or reversed burden of proof. Therefore, the data controller considers that the data protection commissioner cannot consider the data controller's actions to be repeatedly incorrect and infringing the rights of data subjects. The individual cases in question have come to the data protection commissioner's attention, but at the same time the data controller has implemented a significant number of requests regarding the rights of data subjects in accordance with the data protection regulation.

In its report, the registry keeper has referred to a consultation request, which states that "even if the deletion of the data was justified, the applicant's earlier request to access the data should have been implemented before the data is deleted." According to the registrar, in case 1601/452/18 it has delivered to the registered an extract of its personal data on 4 June 2018, and in case 7587/163/20 the registrar has delivered to the registered an extract of its personal data by mail on 1 March 2021. According to the registrar, the statement presented in the consultation request is incorrect in this respect.

According to the controller's understanding, the data subject has specifically asked the controller to delete the data and that he has considered access to the data secondary to the deletion. According to the data controller, it started implementing the data subject's request as required by the data subject. Therefore, according to the controller, the above-mentioned statement presented in the consultation request is incorrect.

In the consultation request, it has been considered that the data controller has not implemented the request of both applicants to have their personal data deleted as required by Article 17, paragraph 1, subparagraph a of the data protection regulation. The clarification request states that the data controller implemented the deletion requests only after the data protection commissioner's office has been in contact with the data controller.

The controller considers that it has only been able to implement the registered request in part, because the controller has had a clear reason to keep the personal data to the extent that it has been necessary for some reason other than the original customer relationship. According to the registrar, the issue in case 7587/163/20 was that there was no basis for deleting the data. In case 1601/452/18, the data controller has, according to his report, kept the data due to a single error, which has been corrected.

In the consultation request, it has been considered that in both cases the right to have their personal data deleted could have been exercised to the extent that the personal data was no longer needed, but the data controller implemented the applicants' deletion requests only after the data protection commissioner's office had been in contact with the data controller. The controller considers that it did not have enough information to delete the data before contacting the data protection authorized office. The controller states that it had a reason to keep the data despite the deletion request. According to the data controller, the deletion of the data has been started with the contact of the data protection authorized office, because it has been possible to verify that part of the data can be deleted according to a risk-based assessment. According to the controller, it has also been in contact with the data subjects regarding the implementation of deletion requests.

About punishment

The controller considers that it has taken action to correct the detected error and that it has taken action quickly, however no later than after contacting the data protection officer. The controller also considers that it has not been repeatedly and intentionally negligent in the processing of personal data with regard to the request for deletion of registered users and the request for access to personal data. According to the registrar, its operation cannot be considered intentional in the light of legal practice.

According to the registrar, the duration, nature and severity of the error is not significant. According to the registrar, the rights of the data subjects have not been significantly jeopardized as a result of the error, and there have been no financial effects for the data subjects either.

According to the registrar, its error is a matter of human error in the bank's services. As stated above, the data controller usually fulfills the requests of the data subjects within ten days, i.e. clearly within the schedule and scope required by the data protection regulation. It is therefore not a case of the data controller's deliberate or negligent conduct in exercising registered rights.

In addition to this, the data controller states that he has taken corrective measures after noticing the error, which, according to the data controller, is partly due to the fact that the matter has only come to the bank's attention through the data protection officer, because the data subject has not made the request in a securely verifiable way.

In addition, it is a human error made by an employee of the data controller, both in the deletion and in the way in which the rights of the data subjects have been implemented. In this respect, according to the data controller, it is not a systematic error, but a situation that is unfortunately possible due to the data controller's high number of customers.

According to the registrar, the target of its erroneous procedure has been very ordinary personal data, such as name, address and telephone number. In these respects, according to the data controller, the nature of the data has been such that it does not cause significant loss of rights for the data subject. In addition, in both cases, according to the data controller, the information of a total of two registrants has been involved, so it is also a minor error in that regard.

The controller considers that the sanctions panel should not impose an administrative penalty on it in the case, but at most a notice in accordance with Article 58 of the Data Protection Regulation.

The registrar has announced that in 2021 the combined annual turnover of the companies belonging to the same group as the bank was 11,502 million euros. According to the registrar, the turnover does not include the negative interest expense of financial liabilities, because it is a cost item by nature.

Assessment of the cross-border nature of the matter

The main office of the data controller is located in Finland, but the data controller has offices in several member countries. In the matter, it has therefore been necessary to assess whether the processing of personal data that is the subject of the investigation is related to the controller's offices in other EU/EEA countries and whether the processing of personal data that is the subject of the investigation possibly significantly affects data subjects in other EU/EEA countries. In its report on 2 December 2021, the controller has stated that the controller's operating methods and instructions related to the exercise of the rights of the data subject, which are the subject of the evaluation, have been defined in Finland by the controller. According to the controller's opinion, the processing of personal data that is the subject of the evaluation does not significantly affect the data subjects in other EU/EEA countries. According to the registrar, it has separate operating instructions for the rights of the data subject that are the subject of evaluation in other Nordic countries.

Based on the explanation received from the data controller, it can be stated that the initiated case is only related to the data controller's place of business in Finland, and the data controller's way of exercising the applicant's rights has not had any significant effects on the data subjects in other member countries. Accordingly, the Data Protection Commissioner considers that the matter in question can be handled locally in accordance with Article 56, paragraph 2.

A legal question

The applicant's case involves the following legal questions:

1) whether the data controller's actions to implement the applicant's right to erasure according to the data protection regulation have met the requirements laid down in paragraphs 3 and 4 of Article 12 of the data protection regulation,

2) whether the data controller has implemented the applicant's right to have his personal data deleted in accordance with Article 17, paragraph 1, subparagraph a of the data protection regulation.

If the processing of personal data has not been in accordance with the provisions of the Data Protection Regulation, the matter to be decided is which sanction for the activity according to Article 58, paragraph 2 of the Data Protection Regulation should be imposed.

Decision of the Data Protection Commissioner

The Data Protection Commissioner considers that the data controller has not complied with the following sections of the General Data Protection Regulation: 1) Sections 3 and 4 of Article 12 2) Subsection a of Article 17 Section 1.

Note

The Data Protection Commissioner gives the data controller a notice in accordance with Article 58, Section 2, Subsection b of the Data Protection Regulation. The Data Protection Commissioner points out that the data controller's actions to implement the applicant's rights did not fulfill the obligations stipulated in Article 12, Sections 2-4 of the Data Protection Regulation. The Data Protection Commissioner also points out that the data controller has not implemented the applicant's request to have his personal data deleted in accordance with Article 17 of the Data Protection Regulation.

The Data Protection Commissioner considers that the matter was an individual case, which is why the notice is a sufficient sanction. However, the decision can be taken into account in the future in connection with possible other control measures concerning the controller.

Reasoning

Obligations regarding the exercise of rights

Article 12 of the Data Protection Regulation provides for the rules on the exercise of the data subject's rights. In accordance with Article 3, the data controller must provide the data subject with information on the measures taken as a result of the request made pursuant to Articles 15–22 without undue delay and in any case within one month of receiving the request. If necessary, the deadline can be extended by a maximum of two months, taking into account the complexity and number of requests. The controller must inform the data subject of such a possible extension within one month of receiving the request and the reasons for the delay.

If the data controller does not implement measures based on the data subject's request, according to Article 12, Section 4 of the Data Protection Regulation, the data controller must inform the data subject of the reasons without delay and no later than one month after receiving the request. The controller must also inform about the possibility of filing a complaint with the supervisory authority and using other means of legal protection.

According to what he said, the applicant has requested the deletion of his data on several occasions, both on site at the office, by e-mail, and by phone. However, based on the explanation received from the controller and the applicant, the deletion of the data was not successful through these channels. According to the registrar, in connection with customer service, the registrant has not been properly guided in making the information request and deletion request. In its response to the consultation request, the controller has stated that the applicant's information has now been deleted to the extent that it can be deleted. According to the controller, it has sent the data subject a confirmation of data deletion in March 2022.

The Data Protection Commissioner considers that the data controller has not implemented the applicant's right in accordance with Article 12 paragraphs 3 and 4 and Article 27 without undue delay. The controller should have provided the applicant with information on the measures taken as a result of the request made under Article 17 without undue delay and in any case within one month of receiving the request. To the extent that the request could not be implemented, the data controller should have, in accordance with Article 12, Section 4 of the Data Protection Regulation, informed the applicant of the reasons without delay and no later than one month after receiving the request.

About the registry keeper's procedure for deleting the applicant's data

Article 17 of the Data Protection Regulation provides for the data subject's right to have his/her data deleted. According to the regulation, the data subject has the right, under certain conditions, to have the data controller delete personal data concerning the data subject without undue delay. The controller is obliged to delete personal data without undue delay, for example, if the personal data is no longer needed for the purposes for which it was collected or for which it was otherwise processed (Article 17, paragraph 1, subparagraph a).

The applicant had ended his customership with the bank in 2017 and requested the deletion of his data. According to the controller, the failure to delete the data was due to human error in customer service. According to the registrar, the cancellation of the investment service agreement the applicant had requires manual measures when terminating the customership. In this case, however, the contract in question has not been deleted due to human error.

The Data Protection Commissioner considers that the data controller had not implemented the applicant's right to have the data deleted as required by Article 17, paragraph 1, subparagraph a. The controller should have implemented the deletion request to the extent that it was no longer necessary to store the data.

Applicable legal provisions

Those mentioned in the justifications.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decision is not legally binding.