Tietosuojavaltuutetun toimisto (Finland) - 10587/161/21

From GDPRhub
Tietosuojavaltuutetun toimisto - 10587/161/21
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 15 GDPR
Article 58(2)(c) GDPR
Article 83(2) GDPR
Article 83(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.04.2022
Published:
Fine: 8300 EUR
Parties: n/a
National Case Number/Name: 10587/161/21
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Vadym Kublik

The Finnish DPA fined a telemarketing company €8,300 for not giving the data subject access to the sales call recording even after the DPA ordered it to do so.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject exercised its right to access under Article 15 GDPR to obtain a copy of the sales call recording with a telemarketing company (controller). On 25 February 2021, the data subject complained to the Finnish DPA about the controller's inaction on the request. On 23 July 2021, the DPA exercised its power under Article 58(2)(c) GDPR and ordered the controller to comply with the access request.

However, the controller did not take any steps to comply with the order even after multiple follow-ups from the DPA. As a result, on 30 December 2021, the DPA sent a request for clarification to the controller, allowing it to express its opinion, provide an explanation, or raise issues under Article 83(2) GDPR that the DPA would assess when imposing a fine.

On 31 January 2022, the controller replied that it improved its way of processing the data subject access requests. It also sent a copy of the call recording to the data subject and paid them €995 compensation for delays and inconvenience.

Holding[edit | edit source]

The DPA decided to fine the controller €8300 under Article 83(6) GDPR for not complying with its previous order within a reasonable time and without undue delay. It considered the controller's compensation to the data subject as a mitigating circumstance. However, it held the payment itself did not release the controller from the obligation to respect the DPA's order. Furthermore, the lack of cooperation with the DPA aggravated the controller's breach of the GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Failure to comply with a supervisory order

Keywords: Penalty payment
Right of inspection
Regulation

Legal basis: Decision in accordance with the EU General Data Protection Regulation

Diary number: 10587/161/21

Decision of the Sanctions Chamber on the administrative penalty fee

Registrar

Telemarketing company

Thing

A complaint concerning the data subject's right of inspection has been lodged with the Office of the Data Protection Officer on 25 February 2021. The initiator has stated that he has requested the telemarketing company to access the call record regarding the telemarketing company 's sales call to the initiator, but the telemarketing company had not complied with this request. The request concerns a request pursuant to Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (later the General Data Protection Regulation).

On 23 July 2021, the EDPS issued a decision ordering the telemarketing company to give the data subject access to the call recording. The registered or telemarketing company has not appealed the decision of the Data Protection Officer to the Administrative Court within 30 days of being notified, so the decision is final.

Following notification of the EDPS 'decision, the telemarketing company has not taken steps to enforce the registered right, and a request for consultation of the EDPS's office was sent to the telemarketing firm on 30 December 2021, requesting further clarification. The telemarketing company has given the data subject access to the call recording after receiving the request for consultation.

Background

On 23 July 2021, the EDPS issued a decision ordering the telemarketing company to comply with the data subject's request to exercise the data subject's rights under the General Data Protection Regulation. The case concerned the data subject's access to a recording of a telemarketing call.

On 4 October 2021, the Office of the Data Protection Officer received information from the initiator that the telemarketing company had not been in contact with the data subject since the decision of the Data Protection Officer. The Office of the Data Protection Officer has reached the CEO of the telemarketing company by telephone on 5 October 2021, and the CEO has stated that the decision issued by the Data Protection Officer has not been complied with. In this context, the Executive Director has provided the Office of the Data Protection Officer with an address to which the decision can be resubmitted. The decision has been sent to this address on 7.10.2021.

The initiator has informed the Office of the Data Protection Officer on 21 October 2021 that the telemarketing company has still not been in contact. The rapporteur of the Office of the Data Protection Commissioner has called the CEO of the telemarketing company on 21 October 2021 and inquired about the situation. The CEO has said that the resubmitted decision has not been complied with and there has been a delay in dealing with the matter due to the autumn holidays. The CEO has said he will take action.

The CEO of the telemarketing company has been in contact with the Office of the Data Protection Commissioner by e-mail on October 25, 2021. The CEO has thanked the Data Protection Commissioner for his decision and said that the company has ensured that similar errors will not occur in the future. According to the CEO, in the future, in a situation where the customer requests information electronically, the telemarketing company will deliver the tape electronically, unless the customer wishes another method of delivery. In this connection, the CEO has also stated that he has sought an initiator.

On October 25, 2021, the initiator confirmed to the Office of the Data Protection Officer that the telemarketing company had tried to contact him. The initiator has provided the Office of the Data Protection Officer with a screenshot of the text message received from the telemarketing company on 25.10.2021. In a text message, the telemarketing company has apologized for its actions and said that it has changed its practices as a result of the decision of the Data Protection Commissioner. The telemarketing company has also stated in its message that it wants to reimburse two bills paid by the initiator in the spring. The initiator has also forwarded to the Office of the Data Protection Officer an e-mail received from the telemarketing company on 21 October 2021, in which the telemarketing company regretted the incident and expressed its willingness to compensate for the inconvenience and damage caused. The initiator has informed the Office of the Data Protection Officer on 27 October 2021 that he will contact the telemarketing company and agree to reimburse the costs of the bills. On 27 October 2021, the initiator confirmed to the Office of the Data Protection Officer that the telemarketing company had still not granted access to the call record.

By e-mail of 25 October 2021, the Office of the Data Protection Officer asked the telemarketing company to confirm that it had granted registered access to the call record. The telemarketing company has not responded to the email or has otherwise contacted the Office of the Data Protection Officer. On 17 December 2021, the initiator informed the Office of the Data Protection Officer that the telemarketing company had not contacted him to grant access to the call record or to handle the refund. The initiator has indicated that he still wishes access to the call recording.

Consultation of the controller

Consultation

The telemarketing company has the opportunity referred to in section 34 of the Administrative Procedure Act (434/2003) to be heard and to express its opinion on the matter and to give an explanation of such claims and explanations that may affect the resolution of the matter. At the same time, the telemarketing company is given the opportunity to raise issues within the meaning of Article 83 (2) of the General Data Protection Regulation which, in the telemarketing company's view, should be taken into account in reaching a decision. For this purpose, a request for a hearing and a request for further clarification were sent to the telemarketing company by electronic and ground mail on 30 December 2021, to which it was requested to reply by 31 January 2022. The telemarketing company has responded to the request for consultation and further clarification on 31 January 2022.

In its reply to the request for consultation, the telemarketing company stated that it had made changes to the data subject's request for rights. According to the telemarketing company, the initiator has been paid EUR 995 for the inconvenience and delay in dealing with the case.

According to its response to the consultation, the telemarketing company processes the data of more than 6,000 data subjects. The telemarketing company has also argued that a possible administrative penalty payment could be fatal to the company’s operations and employability.

The telemarketing company has provided its response as an attachment to the relevant call recording in MP3 format. On 12 January 2022, the initiator confirmed to the Office of the Data Protection Officer that the telemarketing company had provided him with a call recording as an MP3 file on 10 January 2022. In addition, on 24 March 2022, the initiator confirmed that the telemarketing company had paid him EUR 995 in January 2022.

Call recording content (partial transcription)

“[…] [Name of caller] will call [name of data subject] from you [telemarketing company], I would reach out to you in a very short matter when you had answered our survey last year asking questions about health and well-being […] And when this big and extensive survey now it's finally finished, so thank you for answering the questionnaire, you would have been given a usage benefit of 40 euros, which means that i have been allowed to send you a three-month package of bone calcium product made in finland. two-month dose of magnesium. […] And all that two-month dose of magnesium will come to you completely free of charge as a gift. The only cost you will have for that skeletal product is only € 2 90 cents a week from your thank you package and there will be no other costs. […] And of course the [name of the data subject] does not need to handle those two euro payments separately, so all the weekly payments combined will take care of the expenses at a time from below, so it is 35.60 that will be the full three-month dosing of the bone calcium product and the two-month dosing magnesium product. "

The Office of the Data Protection Commissioner will notify the Finnish Competition and Consumer Authority of the matter regarding the procedure used in marketing.

Background information

Service description

The registrar is a telemarketing company. The company operates part of its activities under the auxiliary name XX. On the website www.xx.fi, the registrar sells and markets health products under the name XX Oy.

Sales

The turnover of the telemarketing company in the financial year 1 August 2020 - 31 July 2021 has been approximately EUR 2 million.

Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The Data Protection Regulation contains a national margin of maneuver on the basis of which national law can supplement and clarify matters specifically defined in the Regulation. The general data protection regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previous Personal Data Act (523/1999).

Under Article 15 of the General Data Protection Regulation, the data subject has the right to obtain confirmation from the controller that personal data concerning him or her are being processed or not processed and, if processed, the right to access personal data and data under Article 15 (1) (a) to (h). Paragraph 3 requires the controller to provide a copy of the personal data processed. If the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.

Article 58 (2) of the General Data Protection Regulation provides for remedial powers of the Supervisory Authority. According to point (c), the supervisory authority may instruct the controller or the processor to comply with the data subject's requests concerning the exercise of the data subject's rights under the General Data Protection Regulation.

Pursuant to Article 83 (6) of the General Data Protection Regulation, failure to comply with an order of the supervisory authority referred to in Article 58 (2) is subject to an administrative penalty of up to EUR 20 000 000 or 4% of its total annual worldwide turnover for the preceding financial year. whichever is the greater.

Decision of the Sanctions Chamber

The Sanctions Chamber considers that the telemarketing company has not properly complied with the EDPS order to give the data subject access to the call record, but has only taken action after receiving a request for consultation on the non-compliance with the EDPS order. An administrative penalty is imposed on a telemarketing company for non-compliance with a supervisory authority order referred to in Article 58 (2) of the General Data Protection Regulation in accordance with Article 83 (6) of the General Data Protection Regulation.

The Sanctions Chamber, composed jointly of the EDPS and the Assistant EDPS, orders the controller to pay the State an administrative sanction of EUR 8 300 (8 000) pursuant to Articles 58 (2) (i) and 83 (6) of the General Data Protection Regulation.

Grounds for imposing an administrative penalty fee

Article 83 of the General Data Protection Regulation lays down the general conditions for the imposition of an administrative penalty fee. According to the article, the imposition of an administrative penalty must be effective, proportionate and dissuasive in each individual case. An administrative penalty fee shall be imposed in accordance with the circumstances of each individual case, in addition to or instead of the remedial powers provided for in Article 58. The factors listed in Article 83 (2) of the General Data Protection Regulation shall be taken into account in each individual case when deciding on the imposition of an administrative penalty fee and the amount of an administrative penalty fee.

The guidelines of the Article 29 Data Protection Working Party on the application and imposition of administrative fines shall also be taken into account in the assessment.

In the present case, the controller has not complied with the provision of Article 58 (2) of the Authority's General Data Protection Regulation. Pursuant to Article 83 (6) of the General Data Protection Regulation, non-compliance with an order issued by the Supervisory Authority pursuant to Article 58 (2) is subject to an administrative penalty fee.

In the present case, the telemarketing company has not complied with the order issued by the Data Protection Supervisor on 23 July 2021. In that case, the data subject's right would have been enforceable quickly and easily by the controller. The controller has also had the ability to exercise the right immediately upon receipt of the order. However, the telemarketing company has not taken the appropriate steps to comply with the order and has instead communicated to the data subject and the Data Protection Officer's office that it will compensate the data subject. Following notification of the order, the controller has not responded at all to the inquiry made by the Data Protection Supervisor's Office on 25 October 2021 as to whether it has granted registered access to the call record. In assessing the time within which the EDPS 'order should have been complied with, the comparison of time elapsed takes into account that, according to Article 12 of the General Data Protection Regulation, the data subject's request must be executed without undue delay and in any case within one month of receipt. The decision of the Data Protection Officer was retrieved by the Telemarketing Company on 21 October 2021, and the decision has become final after the expiry of the 30-day appeal period. It is still 50 days before the decision became legally binding before the telemarketing company provided the registrant with a call recording via email. In the present case, the controller has not complied with the order within a reasonable time and without undue delay. The Sanctions Chamber therefore considers that the controller has not complied with the order issued by the Data Protection Supervisor on 23 July 2021. The data controller recorded the call record on 10 January 2022, ie only after the Office of the Data Protection Officer has taken action for non-compliance. The data subject has had to have access to the call record in order to verify that no agreement has been reached between the telemarketing company and the data subject. This is relevant both for the lawful basis for the processing of personal data and for the legal status of the data subject.

Summary and amount of administrative penalty payment

According to Article 83 (1) of the General Data Protection Regulation, the penalty payment must be effective, proportionate and dissuasive. The assessment is made on the basis of the circumstances of each individual case. When considering an individual case, it must be assessed whether the aim is merely to make the activity lawful or whether the aim is to penalize the controller for the illegal activity.

In the present case, the controller, the telemarketing company, has been ordered to give the data subject access to the call record. The controller has not taken appropriate measures to enforce the right of the initiator, even on the order of the supervisory authority. The controller 's failure to comply with the EDPS' order indicates a serious disregard for data protection regulations.

In the case of a telemarketing company, the maximum amount of the penalty payment in euros is in accordance with Article 83 (6) of the General Data Protection Regulation, as the infringement is a breach of an enforcement order under Article 15 of the Registered General Data Protection Regulation.

The lack of cooperation with the Authority must be taken into account as an aggravating circumstance in the assessment. As an attenuating criterion, the assessment shall take into account the fact that the controller has taken measures to mitigate the damage caused to the data subject. Pursuant to Article 83 (6) of the General Data Protection Regulation, failure to comply with an order of the supervisory authority referred to in Article 58 (2) is subject to an administrative penalty of up to EUR 20 000 000 or 4% of its total annual worldwide turnover whichever is the greater.

Nature and gravity of the infringement

The nature and gravity of the breach will be assessed in the light of the factors set out in Article 83 (2) (a) of the General Data Protection Regulation.

This is not a minor breach within the meaning of recital 148 of the General Data Protection Regulation, and in the present case the breach of the data subject's rights constitutes a significant risk to the data subject's rights and affects the substance of the breach.

As regards the nature and gravity of the infringement, the controller is a telemarketing undertaking and the right of access to the call record is essential for data subjects who are its customers. Access to the call record may involve the controller in proving the existence of a lawful basis for the processing of personal data. Although the data subject's right of access to personal data under Article 15 of the General Data Protection Regulation does not require a valid reason from the data subject, this was a situation where there was a need to determine whether a telemarketing company had lawfully marketed and sold health products to an elderly data subject.

Assessment of aggravating and mitigating factors

Measures taken by the controller to mitigate the damage caused to data subjects

As a mitigating circumstance, the Sanctions Chamber takes into account the fact that the telemarketing company has paid compensation to the data subject, which, according to the report received, takes into account the inconvenience caused to the data subject in addition to the payment of invoices already paid by the data subject.

With regard to the reimbursement, it should be noted that although it is in itself in the interests of the data subject to be reimbursed, the controller cannot, on this basis, disregard the order of the EDPS. The compensation paid to the data subject is different from the exercise of the data subject's rights under the General Data Protection Regulation, and the payment of the compensation does not mean that the controller does not have to comply with the order issued by the Data Protection Supervisor.

Cooperation with the Authority

The telemarketing company has only retrieved the decision issued by the Data Protection Supervisor on 23 July 2021, following its retransmission on 21 October 2021, at the request of the Data Protection Supervisor's Office. By e-mail of 25 October 2021, the Office of the Data Protection Officer asked the telemarketing company to confirm that it had granted registered access to the call record. The telemarketing company did not reply to this e-mail or otherwise contacted the Office of the Data Protection Officer before responding to the request for consultation. The controller has not cooperated with the supervisory authority and has not shown any initiative on its own initiative. The inaction of the controller in taking the measures required by the order of the EDPS must be considered as an aggravating circumstance.

The decision to impose an administrative penalty fee has been taken by the members of the Sanctions Chamber of the Data Protection Supervisor.

Applicable law

Mentioned in the explanatory memorandum.

Appeal

Pursuant to section 25 of the Data Protection Act (1050/2018), the decisions of the Deputy Data Protection Commissioner and the Sanctions Chamber may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court.

The decision is not final.