Tietosuojavaltuutetun toimisto (Finland) - 310/161/23

From GDPRhub
Tietosuojavaltuutetun toimisto - 310/161/23
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 83(6) GDPR
Type: Investigation
Outcome: Violation Found
Started: 09.11.2021
Decided: 17.02.2023
Published: 02.03.2023
Fine: 440,000 EUR
Parties: Suomen Asiakastieto Oy
National Case Number/Name: 310/161/23
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA imposed a fine of €440,000 on a consumer credit information service provider pursuant to Article 83(6) GDPR for failing to erase incorrect payment default entries stored in the credit information register due to inadequate practices, as previously ordered by the DPA.

English Summary

Facts

On 9 November 2021, the DPA ordered the controller (Suomen Asiakastieto Oy, a consumer credit information service provider) to rectify its practices in registering payment default entries based on final decisions and erase all incorrect payment default entries resulting from such practices. The controller was also ordered to submit a report of the measures taken due to the order and to report the number of erased payment default entries to the DPA.

In its first report, the controller stated that it had changed its practice but argued that it was practically impossible for it to find and erase the entries related to disputed cases from its register retrospectively since it had not been informed by the Legal Register Centre of which decisions had been delivered to it on inaccurate grounds.

In its second report, the controller stated that it had interpreted the DPA's order incorrectly and had now erased all payment default entries based on final decisions from its register. According to the controller, it was unclear whether the order only concerned the erasure of the payment default entries of the data subject who initiated the case or the erasure of all incorrect payment default entries.

The controller argued that it would be impossible to re-read all the decisions handed over to it, to re-evaluate the registration eligibility of each decision, assess whether the matter is possibly registered as a payment default entry and, if necessary, erase the entry after this assessment.

Holding

First, the DPA considered that it was clear from the order that the controller must have erased all incorrect payment default entries resulting from its general practices. Furthermore, the DPA pointed out that the controller would have had the opportunity, if necessary, to request additional information about the order from the DPA.

Second, the DPA stated that the incorrect payment default entries could have been erased, contrary to what was stated by the controller, because the Legal Register Centre discloses payment default information based on final decisions to the controller in the format in which they are stored in the register of court decisions.

Third, the DPA held that by not complying with the order, the controller had avoided the costs in its business caused by the amount of work required to comply with the order.

Due to the breach of Article 83(6) GDPR for failure to comply with an order of the DPA, the DPA imposed an administrative fine of €440,000 on the controller pursuant to Article 58(2)(i) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The decision of the Data Protection Commissioner and Sanctions Board
Thing

Failure to comply with the order of the supervisory authority
Registrar

Suomen Asiakastieto Oy
Background of the matter

1. The Data Protection Commissioner's office has dealt with a complaint regarding the correction of an error in the personal credit information registers, as a result of which the office also initiated a self-initiated supervisory case regarding the marking of payment default information based on legally binding judgments as a payment default entry in the personal credit information registers. As a result of the investigation carried out in the whole case, the data protection commissioner and the deputy data protection commissioner issued orders on November 9, 2021 to the Legal Registry Center and personal credit information companies to change the procedures for processing payment default information based on legally binding judgments based on the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation).

2. In cases 834/532/18 and 8212/161/19, the data protection commissioner ordered the registrar to remove incorrect payment default entries from the credit information register as a result of its procedure and to change the procedure for entering payment default information based on legally binding judgments as a payment default entry in the credit information register.

3. As a result of the order, in the report submitted to the data protection commissioner's office, the data controller stated that it is impossible to identify and remove the cases ordered to be deleted from the credit information register, because the Legal Registry Center was unable to provide the data controller with information about the decisions that it had submitted to it in accordance with its previous operating method.
Order of the Data Protection Commissioner in cases 834/532/18 and 8212/161/19

4. In cases 834/532/18 and 8212/161/19, the data protection commissioner evaluated the registrar's method of entering payment default information based on legally binding judgments as a payment default entry in the credit information register. According to the registrar, the decision to register payment default information based on a final judgment handed over by the Legal Registry Center as a payment default entry in the credit information register was based on an assessment made by the registrar's staff as to whether the judgment statement of the judgment describes the person's ability to pay or unwillingness to pay. According to the registrar, this assessment was always to some extent a case-by-case human judgment.

5. In the order, the data protection commissioner stated that when the court evaluates the arguments put forward by the defendant, after he has applied for recovery in the case or contested the lawsuit that was initiated as uncontested, the data controller should no longer start evaluating the contentiousness of the case based on the sentence of the judgment given in the case. If the defendant has contested his payment obligation and the court has deemed it appropriate to transfer the case to the usual litigation procedure, the defendant should have the opportunity to have his case processed without the threat of a payment default notice. The Data Protection Commissioner considered that the judgment given in such a case does not fulfill the condition that is the basis for making a default entry, that the entry must show the registrant's insolvency or unwillingness to pay and it should not be entered as a payment default entry in the credit information register.

6. In the order, the data protection commissioner considered that the course of action chosen by the data controller had led to the fact that it entered payment default entries in the credit information register, the basis of which is a legally binding judgment that cannot be considered to describe the registered person's inability to pay or unwillingness to pay as required by section 6, subsection 1 of the Credit Information Act. In the case of such payment default entries, the controller had processed personal data without a legal basis for the processing according to Article 6 of the General Data Protection Regulation, because the conditions for payment default entries set out in the Credit Information Act had not been met.

7. In his order, the data protection commissioner considered that the controller's method of processing payment default information based on legally binding judgments did not meet the requirements set by the built-in data protection obligation according to Article 25(1) of the General Data Protection Regulation, because the controller had failed to implement Article 5(1)(a) of the General Data Protection Regulation the principle of compliance with the law according to subsection as required by that obligation. In addition, the data protection commissioner considered that the controller's method of operation was also not in accordance with good credit information practices according to section 5 subsection 1 subsection 3 of the Credit Information Act.

8. As a result of the violations in question, the data protection commissioner gave the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation, and an order pursuant to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities into compliance with the provisions of the General Data Protection Regulation. The Data Protection Commissioner ordered the registrar to remove incorrect payment default entries from the credit information register as a result of its procedure and to change the procedure for registering payment default entries based on legally binding judgments. In the order, the data protection commissioner emphasized the risks posed to the data subject by the processing of the personal data in question.

9. The Data Protection Commissioner left the more precise determination of appropriate measures to the discretion of the data protection officer, but ordered that a report on the measures taken, including the number of payment default entries removed from the credit information register, be submitted to the Data Protection Commissioner's office by 31 January 2022, unless the data protection officer applies for an amendment to the decision in question.
Statement received from the registrar as a result of the order

10. In the report submitted as a result of the order, the registrar states, referring to the report given by the Legal Registry Center in the case, that the Legal Registry Center has already changed its procedure so that it will no longer hand over cases resolved with the resolution code "36" meaning contested claim to the credit reference company. Citing the report issued by the Legal Registry Center, the registrar considers that the matters in question would therefore no longer be handed over to credit information operators, which the registrar considers has already corrected the situation.

11. In its explanation, the controller also states that, due to the order of the Data Protection Commissioner, in accordance with the procedure it has introduced, it registers only those legally binding judgments in which the defendant has admitted the claim as valid or has failed to respond to the claim as a non-payment entry in the credit information register.

12. According to the report provided by the registrar, payment default information will be removed from the credit information register in accordance with Section 18 of the Credit Information Act. According to the registrar, payment default entries caused by the Court Registry Center's previous operating method have already been removed from the credit information register in accordance with the retention periods for payment default entries according to the Credit Information Act. According to the report, the registrar is not able to provide information on how many payment default entries marked on the basis of a final judgment it has manually deleted before the end of the legal storage period, because the number of deleted payment default entries has not been monitored. In his report, the controller states that the calculation cannot be done even after the fact, because the data in question has been deleted.

13. In its report, the registrar states that the Legal Registry Center was unable to provide the registrar with information about the decisions that it had delivered in accordance with its previous operating method, and the identification and removal of cases from the credit information register is thus impossible. According to the registrar, payment default entries based on legally binding judgments have been removed in accordance with the requests made by the data subjects.

14. In addition, in its report, the registrar states that it is unable to say how many judgments it has left unregistered since 2017 on the basis that it has considered the matter to have been "disputed". According to the registrar, the number of such cases has not been monitored. According to the registrar, the matter cannot be clarified afterwards, because copies of the judgments have naturally not been saved.
The report received from the Legal Registry Center in the matter

15. As a result of the order, for a more detailed evaluation of the report submitted by the data controller, on 11.1.2023, the data protection commissioner's office requested from the Legal Registry Center an explanation about the transfer of payment default information based on legally binding judgments to the data controller.

16. The Legal Registry Center submitted to the Data Protection Commissioner's office decision 113/32/10 regarding the data controller's application for a license to use, according to which the Legal Registry Center has granted the data controller on 31 May 2011 permission to receive from the decision and decision notification system of the judicial administration's national information system, as credit information, information on final court judgments and unilateral judgments in which non-payment has been established. According to the decision, the data will be handed over to the licensee in the form in which they are in the register.

17. According to the report provided by the Court Registry Center, the Court Registry Center delivers to the registrar once a day the judgments it is entitled to receive. According to the Legal Registry Center, the registrar can extract the necessary information from this material.

18. According to the Court Register Center, the district court usually sends the decision to the Judgment Register on the same day it has made a decision in the case, after which it is available to the credit information companies the following day. According to the Court Registry Center, the decisions handed over by it can be retrieved by the registrar from the Conviction Register for 10 years from the date of the decision.
Consultation and request for additional information from the Office of the Data Protection Commissioner

19. As a result of the explanation received in the matter, the controller has been reserved the opportunity referred to in § 34 of the Administrative Act to be heard and to present an opinion on the preliminary assessment of the representative of the Office of the Data Protection Commissioner and the confusion of facts presented in the consultation request.
The facts of the case

20. The following facts were presented in the hearing request of the Office of the Data Protection Commissioner.

21. In the order issued in cases 834/532/18 and 8212/161/19, the data protection commissioner considered that the controller's method of entering non-payment data based on legally binding judgments as a non-payment entry in the credit information register did not meet the requirements set by the obligation regarding built-in data protection according to Article 25, paragraph 1 of the General Data Protection Regulation. In addition, the data protection commissioner considered that the controller's method of operation was also not in accordance with good credit information practices according to section 5 subsection 1 subsection 3 of the Credit Information Act.

22. As a result of the violations, the data protection commissioner gave the data controller a notice in accordance with Article 58(2)(b) of the General Data Protection Regulation and an order in accordance with Article 58(2)(d) to bring the processing activities into compliance with the provisions of the General Data Protection Regulation. The Data Protection Commissioner ordered the registrar to remove incorrect payment default entries from the credit information register as a result of its procedure.

23. The Data Protection Commissioner left the more precise determination of appropriate measures to the discretion of the data protection officer, but ordered that a report on the measures taken, including the number of payment default entries removed from the credit information register, be submitted to the Data Protection Commissioner's office by January 31, 2022, unless the data protection officer applies for an amendment to the decision. The controller submitted the requested report and did not apply for an amendment to the data protection commissioner's decision.

24. In the report submitted as a result of the order, the registrar stated that identifying and removing cases from the credit information register is impossible, because the Legal Registry Center had not been able to provide the registrar with information about the decisions it had delivered to the registrar in accordance with its previous operating method.

25. Furthermore, the registrar stated that it is unable to tell how many judgments it has left unregistered since 2017 on the grounds that it has considered the matter to have been "disputable", as the number of such cases has not been monitored. According to the registrar, the matter cannot be clarified afterwards, because copies of the judgments that are the basis for payment default entries have naturally not been saved.

26. According to the decision of the Legal Registry Center of 31.5.2011, 113/32/10 regarding the license holder's application for a license, payment default information based on legally binding judgments will be handed over to the licensee in the form in which they are in the Judgment Register. According to the Court Registry Center, the decisions handed over by it can be retrieved by the registrar from the Conviction Register for 10 years from the date of the decision.

27. In the consultation request, the controller was asked to clarify the following points:

1. How many registrants have been affected by the breach? If the exact number cannot be given, we ask you to provide an estimate of the number.

2. How many payment default entries based on a final judgment have there been in the personal credit data register of the registrar on 9 November 2021 and 16 January 2023? If it is not possible to provide exact numbers, we ask you to provide an estimate of the numbers.
The registrar's response to the consultation and additional information request

28. As stated above, the registry keeper has an opportunity to be heard and to present his views on the presenter's preliminary assessment and the facts presented in the hearing request.

29. The registry keeper is given the opportunity to give his explanation of such demands and explanations that might affect the resolution of the case. At the same time, the data controller is given the opportunity to bring forward such matters referred to in Article 83, Paragraph 2 of the General Data Protection Regulation, which, according to the data controller's opinion, should be taken into account when making a decision and imposing a possible administrative fine.

30. The registrar has given an answer to the consultation request on February 2, 2023. In his reply, the controller says, among other things, the following.

31. In its response, the controller initially clarifies that the entries referred to in cases 834/532/18 and 8212/161/19 had already been removed from the register on November 9, 2021, when the data protection commissioner issued a relevant order. According to the registrar, the fact that this issue was not clearly brought up in the report submitted by the registrar was due to the fact that the order has been interpreted to mean more broadly all potentially disputed matters in the register.

32. In its response, the registrar states that it has now removed all default entries from its register based on a final judgment (section 13 subsection 1.4 of the Credit Information Act) and will not register any new default entries based on this for the time being. The registrar states that before it possibly starts re-registering the payment default entries in question, it will verify the correctness of the procedure together with the data provider.

33. In its response, the registry keeper states that it is supplementing the statement it gave on January 28, 2022 by saying that it is now able to state that there have been 6 decisions regarding deleted disputed receivables in the registry in the years 2019–2022. In four of these cases, the registrar has himself stated that the matter is disputed, and in two cases the district court has been in contact with the registrar and announced that it entered the wrong decision code in the case.

34. The registrar now interprets the reason for this penalty payment consideration to be that the registrar has stated "that it is impossible to identify and remove cases from the credit information register", meaning that without the contribution of the Legal Registry Center, it is impossible to find and remove "disputed" cases that may still be in the register. In this case, the controller has not responded to the data protection commissioner's order to provide information on the number of deleted payment default entries. The keeper of the register can now say that there have been 6 deleted entries regarding disputed receivables in the register in the years 2019–2022.

35. According to the registrar, it has been unclear what the content of the provisions in question has been. According to the registrar, if the order only refers to payment default entries concerning one person dealt with in cases 834/532/18 and 8212/161/19, the relevant payment default entries had already been removed from the credit information register before 9 November 2021. The registrar considers that it has thus not failed to comply with the given order.

36. According to the registrar, it had understood, however, more broadly than what was meant by the order, whether all possible payment default entries based on disputes have been removed from the register, i.e. payment default entries other than those relating to the specific data subject in question. Since there was no certainty about this at the time and it seemed impossible to find out afterwards, the controller did not clearly answer that the entries referred to in the decisions in question had already been removed.

37. In contrast to the presenter of the case, the controller considers, based on the reasons presented above, that the violation has not continued after the issuance of the decision in the cases referred to in those decisions. The registrar states that it has found it practically impossible to find decisions concerning potentially disputed matters in its register afterwards. The registrar has not deemed it necessary to appeal, because the entries referred to in those cases had already been removed.

38. According to the registrar, the fact that decisions can be retrieved from the Conviction Register for 10 years does not help in finding out which of the entries in the credit information register should not have been registered. The register keeper has not been able to know what information and decisions it would have sought from the Conviction Register. According to the registrar, it is impossible to think that it should have re-read all the decisions handed over to it, make a new assessment of the registrability of each decision, check whether the matter is possibly registered as a non-payment entry and, if necessary, remove the entry after this assessment.

39. According to the registrar, the fact that the registrar has not given the number of payment defaults removed from the credit information register as disputed in its report on January 28, 2022, cannot be considered as such a basis for imposing an administrative penalty fee. The data controller notes that it has now given this number in response to the data protection commissioner's consultation request.

40. In its response, the registrar refers to what was stated in the consultation request regarding the fact that even after the introduction of code 36, information has been released to the credit information companies that does not meet the requirements for the credit information act's non-payment indication. The data controller states that the data protection commissioner has not shown that the data controller would have registered such cases (with the exception of two cases, which were due to a code incorrectly entered by the district court) as payment failures or that it would not have deleted them by January 28, 2022. According to the registrar, the fact that the Legal Registry Center has handed over information that does not meet the requirements for registration does not mean that the registrar has registered it, because manual checks are also in use.

41. In its response, the controller states the inconsistency in the reports given by the controller in cases 834/532/18 and 8212/161/19 raised in the consultation request. According to the request for a hearing, in its report, "the data controller stated that the information provided to it by the Legal Registry Center only rarely contains information that can be screened out, and that such data was not included in the time period for which the data was requested to be submitted to the data protection commissioner's office" and "in response, however, the data controller stated that it had not entered a non-payment entry in the credit information register for the three specified in the response request for the solution."

42. The registrar states in his answer that no specific register of how many decisions have not been registered has been kept. According to the registrar, the matter has been clarified in different ways afterwards. According to the data controller, the different answer given in a different document, which was inadvertently given, does not indicate that the data controller's "degree of cooperation" with the supervisory authority as referred to in Article 83, paragraph 2, letter f of the data protection regulation has decreased.

43. With reference to the points he raised above, the controller does not consider the imposition of a penalty fee to be proportionate in the case. In this regard, the data controller has brought up in its response issues related to the application of Article 83, paragraph 2, subparagraphs a-k of the General Data Protection Regulation, which, according to the data controller's view, the sanctions panel of the data protection authorized office should take into account when making a decision on the sanction. The matters in question are brought out in the section of the decision of the sanctioning board, Justifications for the imposition of an administrative penalty, where the sanctioning board assesses the weight to be given to each point according to subsection 2 of Article 83 in considering the sanction.

44. According to the controller, it does not have the activity referred to in this matter, i.e. the processing of personal data based on corresponding regulation outside of Finland.

45. The registrar was asked how many registrants have been affected by the violation. According to the registrar, between 2019 and 2021, it has removed six payment default entries that were based on a dispute. According to the registrar, in two of these cases, the district court made the wrong decision code. In its response, the data controller emphasizes that the violation does not apply to all "Lainvoimainen doomio" entries. According to the registrar, it has deleted several entries. In these cases, however, the reason for the correction has been, for example, the fact that the debt underlying the payment default has been paid before the judgment was issued.

46. The registrar was also asked how many payment default entries based on a final judgment there were in the registrar's personal credit data register on November 9, 2021 and January 16, 2023. There have been 14,285 entries by the registrar on 9 November 2021 and 8,782 entries on 16 January 2023. According to the registrar, these entries have now been deleted. The registrar also submitted its 2021 financial statements and an estimate of the 2022 turnover.
Applicable legislation

47. According to Article 58(2)(d) of the General Data Protection Regulation, the supervisory authority has the remedial authority to order the controller or personal data processor to bring the processing activities into compliance with the provisions of this regulation, if necessary in a certain way and within a certain period of time.

48. According to Article 58(2)(i) of the General Data Protection Regulation, the supervisory authority has the remedial authority to impose an administrative penalty fee based on Article 83 in addition to or instead of the measures referred to in Article 58(2), depending on the circumstances of each individual case.

49. According to Article 83, Paragraph 6 of the General Data Protection Regulation, failure to comply with the order of the supervisory authority referred to in Article 58, Paragraph 2 above shall result in an administrative penalty fee of a maximum of EUR 20,000,000 in accordance with Paragraph 2 of this Article, or, in the case of a company, four percent of the annual turnover of the previous financial year of total worldwide turnover, whichever is greater.
A legal issue

50. On the basis of the General Data Protection Regulation and the Data Protection Act, the Data Protection Commissioner resolves the following legal question:

i. Has the data controller failed to comply with the order issued by the data protection commissioner on 9 November 2021 in cases 834/532/18 and 8212/161/19, by which the data protection commissioner ordered the data controller to remove incorrect payment default entries from the credit information register as a result of its procedure?

51. If the data controller has not complied with the data protection commissioner's order, the sanctions panel must also decide whether the data controller should be ordered to pay an administrative penalty in accordance with Article 83, paragraph 6 of the General Data Protection Regulation.
The data protection officer's decision and reasons
Decision

52. The Data Protection Commissioner considers that the data protection officer has not complied with the order given by the Data Protection Commissioner in cases 834/532/18 and 8212/161/19 to remove incorrect payment default entries from the credit information register as a result of the data protection officer's procedure.

53. For this reason, the data protection commissioner considers that the assessment of whether the data controller should be ordered to pay a penalty fee in accordance with article 83, paragraph 6 of the General Data Protection Regulation for non-compliance with the data protection commissioner's order pursuant to Article 58, paragraph 2, subparagraph i of the General Data Protection Regulation, should be submitted to the sanctioning board for evaluation.

54. Pursuant to Section 24 of the Data Protection Act, the administrative sanction fee stipulated in Article 83 of the General Data Protection Regulation is determined by the sanctioning panel formed by the data protection commissioner and deputy data protection commissioners.
Reasoning

55. Due to the violations found in cases 834/532/18 and 8212/161/19, on 9 November 2021, the data protection commissioner gave the data controller a notice pursuant to Article 58(2)(b) of the General Data Protection Regulation and an order pursuant to Article 58(2)(d) of the General Data Protection Regulation to suspend the processing activities to comply with the provisions of the General Data Protection Regulation. The Data Protection Commissioner ordered the registrar to remove incorrect payment default entries from the credit information register as a result of its procedure and to change the procedure for registering payment default entries based on legally binding judgments.

56. The Data Protection Commissioner left the more precise determination of appropriate measures to the discretion of the data protection officer, but ordered a report on the measures taken, including the number of payment default entries removed from the credit information register, to be submitted to the Data Protection Commissioner's office by January 31, 2022, unless the data protection officer applies for an amendment to the decision in question.

57. In the report submitted as a result of the data protection commissioner's order, the registrar stated that it is impossible to identify and remove the non-payment entries that were the subject of the order from the credit information register, because the Legal Registry Center had not been able to provide the registrar with information about the decisions that it had submitted to it in accordance with its previous operating method.

58. In his response to the consultation request, the controller tells him that it was unclear what the content of the given orders was. According to the registrar, the payment default entries had already been removed from the credit information register before November 9, 2021, if the order only refers to the payment default entries of the person initiating the case and thus has not failed to comply with the given order. However, the registrar says that he understood the order to apply to all payment default entries based on disputes that may have been registered in the credit information register, i.e. payment default entries other than those of the person who initiated the case. Since there was no certainty about the matter at the time and it seemed impossible to clarify the matter afterwards, the controller did not clearly answer that the entries referred to in the decisions in question had already been removed.

59. Contrary to what the data controller states in his statement to the consultation request, it is clear from the data protection commissioner's order that in addition to the payment default entries of the person who initiated the case, it has also been ordered to remove incorrect payment default entries caused by the general procedure of the data controller. It is noteworthy that the two provisions in question were based on different jurisdiction provisions. The order regarding the removal of the payment default notes of the initiator has been issued on the basis of Section 35 of the Credit Information Act, which was in force at the time. On the other hand, the order for the removal of all incorrect payment default entries caused as a result of the controller's procedure has been issued on the basis of Article 58(2)(d) of the General Data Protection Regulation.

60. In the case, it should also be noted that the data controller would have had the opportunity, if necessary, to request additional information from the case presenter, who was notified as the provider of additional information, based on the data protection commissioner's order.

61. According to the registrar, the fact that the Legal Registry Center has handed over to it information that does not meet the conditions for registration of a payment default note does not mean that the registrar has registered them, because manual checks are also in use. According to the registrar, the data protection commissioner has not shown that the registrar would have registered such cases (with the exception of two cases, which were due to a code incorrectly marked by the district court) as payment failures or that it would not have deleted them by January 28, 2022.

62. The Data Protection Commissioner considers that the manual checks used by the registrar have not guaranteed that payment default information erroneously provided by the Legal Registry Center to the registrar would not have been entered as a payment default entry in the credit information register.

63. With regard to the above, the data protection commissioner refers to the fact that in the order given to the data controller, it was expressly stated that the method of operation chosen by the data controller to assess the fulfillment of the requirements for the payment default entry on a case-by-case basis based on the judgments of the judgments had led to the fact that it has entered payment default entries in the credit information register that did not meet the requirements for the payment default entry. In the case, it was considered that the occurrence of incorrect payment failure entries was the result of the systematic operation of the registrar, and therefore the case could not be considered to be a matter of errors only concerning an individual data subject.

64. In this regard, the Data Protection Commissioner also draws attention to the fact that, as a result of the order, the controller announced on 28 January 2022 that it had changed its operating method in registering payment default entries based on legally binding judgments. Taking into account the retention period of a maximum of three years in accordance with Section 18, subsection 1, point 6 of the Credit Information Act regarding payment default information determined by the authority, the retention period of payment default entries based on legally binding judgments entered in the credit information register before that time has still been in progress after the registry controller deleted all said. non-payment entries based on the basis as a result of a consultation request from the Office of the Data Protection Commissioner.

65. The Data Protection Commissioner considers that the data controller has agreed with the Data Protection Commissioner's point of view on the matter, because it has not applied for an amendment to the Data Protection Commissioner's decision or the provision contained therein. The report on the measures taken as a result of the order was ordered to be submitted only in the event that the data controller does not apply for an amendment to the decision by which the order was issued.

66. Based on the above grounds, the Data Protection Commissioner considers that the data controller has not complied with the Data Protection Commissioner's order referred to in Article 58, Section 2 of the General Data Protection Regulation to remove incorrect payment default entries from the credit information register due to its incorrect procedure.

The decision was made by data protection commissioner Anu Talus and was presented by chief inspector Silja Kantonen.

According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the penalty panel, which has issued the following decision on imposing the penalty fee.
Decision of the Sanctions Board on the administrative penalty payment
Registrar

Suomen Asiakastieto Oy
Decision

67. An administrative penalty fee is imposed on the controller for non-compliance with the order of the supervisory authority referred to in Article 58, paragraph 2 of the General Data Protection Regulation, in accordance with Article 83, paragraph 6 of the General Data Protection Regulation. The sanction fee imposed in the case is therefore in accordance with the higher sanction fee category.

68. Article 83 of the General Data Protection Regulation provides for the general conditions for imposing an administrative fine. According to paragraph 1 of the article, the imposition of an administrative fine must be effective, proportionate and dissuasive in each individual case. When deciding on the imposition and amount of an administrative fine, the factors listed in Article 83, Paragraph 2 of the General Data Protection Regulation must be taken into account in each individual case.

69. The turnover of the registrar in 2021 has been 65,500,000 euros. In the current case, the administrative penalty imposed on the controller may not exceed EUR 20,000,000.

70. The sanctioning board formed by the Data Protection Commissioner and Deputy Data Protection Commissioners orders the data controller to pay an administrative penalty fee of 440,000 euros to the state pursuant to Article 58(2)(i) and Article 83(6) of the General Data Protection Regulation.
Reasons for imposing an administrative penalty
Applicable legislation

71. According to Article 83(1) of the General Data Protection Regulation, each supervisory authority must ensure that the imposition of administrative fines for violations of the General Data Protection Regulation referred to in paragraphs 4, 5 and 6 in accordance with this article is effective, proportionate and dissuasive in each individual case.

72. According to Article 83(2) of the General Data Protection Regulation, administrative penalty fees are determined in accordance with the circumstances of each individual case in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative penalty fee and the amount of the administrative penalty fee, the following points must be duly taken into account in each individual case:

a) taking into account the nature, severity and duration of the breach, the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the breach and the extent of the damage caused to them;

b) the intentionality or negligence of the violation;

c) actions taken by the controller or personal data processor to mitigate the damage caused to the data subjects;

d) the degree of responsibility of the controller or processor of personal data, taking into account the technical and organizational measures taken by them pursuant to Articles 25 and 32;

e) possible previous similar violations of the controller or personal data processor;

f) the amount of cooperation with the supervisory authority to correct the violation and mitigate its possible adverse effects;

g) groups of personal data affected by the breach;

h) the way in which the violation came to the attention of the supervisory authority, in particular whether the controller or personal data processor reported the violation and to what extent;

i) if measures referred to in Article 58 paragraph 2 have previously been imposed on the relevant data controller or personal data processor for the same matter, compliance with these measures;

j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factors applicable to the case, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation.

73. According to Article 83, Paragraph 6 of the General Data Protection Regulation, non-compliance with the order of the supervisory authority referred to in Article 58, Paragraph 2 above is subject to an administrative penalty fee of a maximum of EUR 20,000,000, or, in the case of a company, four percent of the annual turnover of the previous financial year, in accordance with Paragraph 2 of this Article of total worldwide turnover, whichever is greater.
Assessment of the severity of the breach

74. In the assessment of the seriousness of the breach, Article 83, paragraph 2, subparagraphs a, b and g of the General Data Protection Regulation are taken into account.
Nature of the breach

75. According to the response given by the data controller to the hearing request, the data controller has stated that the violation was an unintentional error in the interpretation of the law. In this regard, the sanctioning board considers the controller to be referring to violations that the data protection commissioner found in cases 834/532/18 and 8212/161/19. In considering the sanctions related to the order it issued in the cases, the data protection commissioner took into account, among other things, the interpretation of Section 13 subsection 1 subsection 3 of the Credit Information Act in force at the time and considered that the notice in accordance with Article 58 subsection 2 subsection b of the General Data Protection Regulation was a sufficient sanction in the case.

76. Unlike the registrar, the sanctions panel considers that the nature of the violation in the case at hand is non-compliance with the order issued by the supervisory authority. In this regard, the sanctions panel draws attention to the fact that the remedial powers given to data protection authorities in accordance with Article 58(2) of the General Data Protection Regulation are to ensure the effective implementation of the General Data Protection Regulation throughout the Union.

77. If the data controller could fail to comply with the order issued by the supervisory authority without an appropriate sanction, the effective and uniform implementation of the General Data Protection Regulation would be jeopardized, which would cause a significant risk to the rights and freedoms of data subjects. The purpose of the order issued by the Data Protection Commissioner was to ensure that the data controller processes only such personal data that it has grounds to process under the legislation. In practice, this means that data subjects would be evaluated based on correct information. This has not been realized because the data controller has not complied with the data protection commissioner's order. The sanctions panel considers this fact to be in favor of the imposition of an administrative penalty fee.
Severity of the violation

78. When assessing the seriousness of a violation, the nature, scope or purpose of the data processing in question must be taken into account, as well as the number of data subjects affected by the violation and the extent of the damage caused to them.

79. With regard to the nature of the processing of personal data, the sanctions panel draws attention to the fact that a payment default entry registered in the credit information register typically has significant and wide-ranging effects on the rights and freedoms of the data subject. As a result of a non-payment notice, for example, the registered person's credit card may be required to be returned, and obtaining a new loan, rental apartment, and home insurance will probably become more difficult. Getting a job can also be difficult if the job involves financial responsibility.

80. In the order issued in cases 834/532/18 and 8212/161/19, the data protection commissioner considered the effects of a non-payment notice on the data subject to be so extensive that a non-payment notice resulting from a final judgment may reduce the defendant's opportunities and desire to defend his case in court. The possibility of getting a court's assessment of the payment obligation in a dispute may be jeopardized if a possible judgment may lead to a default in payment.

81. In its response to the consultation request, the data controller states that the data protection commissioner's reasoning is incorrect in its view. According to the registrar, the registrar's actions after the judgment is rendered do not reduce the defendant's chance of getting a court assessment in the dispute. According to the registrar, the defendant has been given the opportunity, even if the decision has in individual cases been incorrectly entered as a payment default entry in the credit information register.

82. If the registrar were to continue to enter a non-payment entry based on a final judgment of the court in the credit information register based on the case-by-case assessment of the verdict by the registrar's staff, the risk described above would arise from the processing of personal data for the data subjects.

83. Regarding this matter, the sanctioning board draws attention to the fact that in the report it issued following the order issued by the Data Protection Commissioner, the data controller announced that it had changed its operating method in registering payment default entries based on legally binding judgments. With the change in the method of operation in question and the amendment to section 13, subsection 1, point 3 of the Credit Information Act, which entered into force on June 1, 2022, this risk is no longer relevant for the evaluation of the matter at hand.

84. However, the Sanctions Board draws attention to the fact that, as a result of the procedure previously used by the registrar, payment default entries incorrectly entered in the credit information register may have affected, among other things, the registrants' ability to obtain credit, a rental apartment or a job, as presented above.

85. Regarding the nature of the processing of personal data, the controller considers the credit information activity to be an activity in the public interest, which by its nature can be extensive. The Sanctions Board considers that regarding the nature of the processing of personal data, it must also be taken into account that the processing of personal data in question takes place as part of the data controller's business activities, which is based on large-scale processing of personal data.

86. With regard to the scope of the processing of personal data, the sanctions panel draws attention to the fact that in the order issued in cases 834/532/18 and 8212/161/19, the Data Protection Commissioner considered that large-scale processing of personal data was involved in the marking of payment default information handed over from the national information system of the judicial administration as payment default entries to the credit information register. Payment default information is handed over daily from the national information system via a technical interface to the relevant registrar who conducts credit information activities nationwide for entry into the credit information register.

87. The Sanctions Board also pays attention to the extent of the processing, that payment default entries entered in the credit information register are widely released for various purposes. Pursuant to Section 19 of the Credit Information Act, payment default information can be disclosed for, among other things, the granting of credit and credit monitoring, the conclusion of a room rental agreement, and the evaluation of job seekers and employees.

88. With regard to the purpose of processing personal data, the sanctioning board draws attention to the fact that marking payment default data as a payment default and handing it over for use as credit data is the core activity of the data controller. The sanctions panel considers this fact, together with the nature and scope of the processing of personal data discussed above, to reflect the seriousness of the violation and the imposition of an administrative penalty fee.

89. With regard to the number of registrants who were the subject of the violation, the controller has stated that the incorrect operation did not affect a large group of persons. According to the registrar, it is only a matter of situations for which the registrar has (as has now been established erroneously) considered that the entry indicates insolvency or unwillingness to pay.

90. Regarding the number of those registered, the sanctions panel draws attention to the fact that the registrar has deleted all payment default entries based on legally binding judgments after receiving a consultation request from the Data Protection Commissioner's office and, according to its information, it has not kept a record of how many payment default entries based on disputes it has deleted from the credit information register based on registered requests.

91. In this respect, the Sanctions Board also draws attention to the fact that, according to the report given by the registrar, its personal credit data register has a total of 14,285 payment default entries based on the court's final judgment at the time of the issuance of the order issued by the data protection commissioner in cases 834/532/18 and 8212/161/19 on November 9, 2022.

92. In addition to the points presented above, with regard to the number of registrants, the sanctioning panel also draws attention to the fact that in its order, the data protection commissioner stated that, based on the report obtained in the case, the occurrence of incorrect payment failure entries was a result of the systematic way of operation of the registrar, as a result of which the case cannot be considered to be a matter of errors concerning only a single registrant.

93. Regarding the extent of the damage caused to the registrants, the controller states in his response to the consultation request that no damage has been shown to have been caused to the registrants in the case. The sanctions panel considers that proof of damage caused to registered users cannot be considered a prerequisite for imposing a penalty fee. Even though the concrete damage caused to the data subject has not come to light, the sanctioning board nevertheless draws attention to the effects of the payment failure notice on the data subject discussed in paragraph 79 above.

94. In addition, the sanctions panel draws attention to the complexity of the legal issue resolved in the order of the Data Protection Commissioner, which can be considered to have affected the possibilities of data subjects to monitor the realization of their own rights and interests.
Duration of infringement

95. The report on the measures taken as a result of the order was ordered to be submitted only in the event that the data controller does not apply for an amendment to the decision by which the order was issued. In the case, the data controller did not comply with the data protection commissioner's order and did not apply for an amendment to the data protection commissioner's decision or the order included in it. The violation must therefore be considered to have lasted from the result of the Data Protection Commissioner's decision as legally binding from 20 December 2021 until the data controller has removed all payment default entries based on legally binding judgments stored in its personal credit data register as a result of the Data Protection Commissioner's consultation request.

96. The sanctions panel considers that the processing time of the case in the data protection commissioner's office has affected the duration of the violation. Because of this, the duration of the violation cannot be considered to reflect the seriousness of the violation, and this is not taken into account in the assessment of the penalty payment as a factor in favor of the penalty payment.
Intentional or negligent breach

97. According to the answer given by the registry keeper to the consultation request, there has been no intention in the activity in question and it is at most a matter of slight negligence. According to the registrar, the open interpretation of Section 13, Subsection 1, Section 3 of the Credit Information Act, which has since been repealed, and the operation of the Legal Registry Center have had an impact on the matter. According to the registrar, the fact that in 2022 the phrase "provided that the basis or amount of the payment claim had not been disputed" was added to Section 13, subsection 1, paragraph 3 of the Credit Information Act, shows that the original wording of the provision is open to interpretation.

98. In this regard, the sanctions panel draws attention to the fact that in the consideration of sanctions related to the order it issued in cases 834/532/18 and 8212/161/19, the data protection commissioner expressly took into account the points raised by the data controller regarding the interpretation of the provision of the Credit Information Act and the effect of the operation of the Legal Registry Center on the whole case. Citing the facts in question, the Data Protection Commissioner considered that the notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation was a sufficient sanction in the case.

99. The Sanctions Board considers that the current sanction consideration does not, however, deal with the violations that the Data Protection Commissioner stated in the order he issued. The sanction consideration being carried out now is due to the fact that the data controller has not complied with the data protection commissioner's order in question, in which the data protection commissioner has presented his views on the interpretation of section 13 subsection 1 point 3 of the Credit Information Act, which was in force at the time. The controller must be considered to have agreed with the data protection commissioner's point of view on the matter, because it did not apply for an amendment to the decision or the provision included in it.

100. The Data Protection Commissioner ordered the data controller to submit a report on the measures taken as a result of the order, unless it applies for an amendment to the order. According to the report submitted by the registrar, it was impossible to identify and delete the cases because the Legal Records Center was unable to provide information about the decisions it had mistakenly handed over to the registrar.

101. In contrast to the registrar, the sanctions panel considers that it would have been possible to remove incorrect payment default entries, because payment default information based on legally binding judgments is handed over to the registrar in the form it is in the Conviction Register, and the registrar can retrieve the solutions from the Conviction Register for 10 years from the date the case was decided.

102. The sanctions panel also draws attention to the fact that in its statement to the hearing request, the controller has described one way in which it would have been possible to identify erroneous cases. In its statement, the registrar states that it is impossible to think that it should have reread all the decisions handed over to it, reassess for each decision there whether it could be entered into the register and if it considers that it cannot, check whether it has possibly been entered into the register and if so , to remove it. It is also necessary to take into account the fact that in its response to the hearing request, the controller has said that it has now removed all payment default entries based on legally binding judgments.

103. Regarding the assessment of the intent or negligence of the violation, the sanctions panel finally refers to what was stated in point 59 of the data protection commissioner's decision, according to which it is clear from the data protection commissioner's order in cases 834/532/18 and 8212/161/19 that in addition to the payment default notes of the person who initiated the case, it is also clear that the data controller's incorrect payment default entries caused as a result of the general procedure.

104. Based on the reasons presented above, the sanctions panel considers that the data controller has made a conscious decision not to comply with the data protection commissioner's order, which is why the procedure must be considered intentional. The sanctions panel considers this fact to be in favor of the imposition of an administrative penalty fee.

Personal data groups affected by the breach

105. With regard to the groups of personal data that are the subject of a violation, the sanctions panel draws attention to the fact that personal data that are sensitive in terms of fundamental rights and freedoms must be protected especially carefully, because the context of their processing could cause considerable risks to fundamental rights and freedoms. Such personal data groups should also be emphasized when considering sanctions. The Sanctions Board considers that this is not only limited to the personal data groups that fall within the scope of Articles 9 and 10 of the General Data Protection Regulation, but also covers personal data groups that do not fall under the scope of those articles, but the dissemination of which would cause immediate damage or anxiety to the registered.

106. Payment default entries based on final court judgments refer to credit information in accordance with section 3, paragraph 1 of the Credit Information Act. According to the Constitutional Law Committee, some credit information may include sensitive information, which is kept secret, for example about the person's activities in private life and financial status. The processing of credit information may therefore involve special risks. The committee considered detailed legal regulation of the processing of credit information to be necessary within the framework of the data protection regulation.

107. The Sanctions Board considers that the non-payment notices that were the subject of the violation are related to sensitive information as intended by the Constitutional Law Committee, which in part supports the imposition of an administrative penalty fee.
Assessment of aggravating and mitigating factors

108. When deciding on the imposition and amount of the administrative fine, in the current case, subsections c - f and h - i and k of Article 83, paragraph 2 of the General Data Protection Regulation have been taken into account.
Actions by the data controller to mitigate the damage caused to the data subject

109. Regarding the actions taken to mitigate the damage caused to the registrants, the registrar states in its response to the consultation request that it has removed entries when the dispute that is the basis for the payment default entry has been brought to its attention. In addition, the controller states that in the case no damage has been shown or even claimed to have occurred to the data subjects.

110. The Sanctions Board considers that the descriptive measures of the data controller cannot be taken into account as a mitigating factor in the consideration of sanctions, because the action concerns compliance with the obligations of the data controller according to the General Data Protection Regulation. It is particularly noteworthy that the data protection commissioner's order, for non-compliance of which the current sanction assessment is being carried out, has obliged the data controller to delete the entries in question without a request from the data subjects or a notification from the court or from the creditor that the entry is inappropriate.

111. In its response to the consultation request, the registrar said that it has now removed all default entries based on legally binding judgments from its personal credit data register. The Sanctions Board considers that the measure taken by the data controller in question can be considered to have mitigated the damage caused by the violation to the data subjects. However, the matter in question cannot be taken into account as a mitigating factor in the consideration of sanctions, as the data controller has announced that he has implemented the measure in question only after receiving the request for a hearing from the Office of the Data Protection Commissioner with the threat of sanctions.
The degree of responsibility of the registrar

112. When assessing the degree of responsibility of the data controller, the measures taken by the data controller pursuant to Articles 25 and 32 of the General Data Protection Regulation must be taken into account. In terms of responsibility, it is necessary to assess the extent to which the data controller has taken measures that it could have been expected to take, taking into account the nature, purpose or scope of the processing and the obligations set for that processing in the General Data Protection Regulation.

113. In its response to the consultation request, the controller states that it has used a procedure to verify the registrability of the decision. According to the registrar, this has failed in individual cases. It has not been a question of an explicit intention to act against the provisions of the Credit Information Act. When there has been a provision in the Credit Information Act according to which a legally binding judgment can be entered in the register, it has also been possible to do so. It has been about the incorrect application of regulations in individual cases.

114. Regarding the issue raised by the data controller, the sanctions panel considers that the data controller is referring to the violations that the data protection commissioner noted in his order issued in cases 834/532/18 and 8212/161/19. In this regard, the sanctions panel repeats what was already stated above in paragraph 99 of the decision regarding the fact that the current sanction consideration does not deal with the violations found by the data protection commissioner in that order. The sanction assessment being carried out now is due to the fact that the data controller has not complied with the order in question, in which the Data Protection Commissioner has presented his opinion on the interpretation of section 13 subsection 1 section 3 of the Credit Information Act.

115. In the assessment of the degree of responsibility of the registrar, it must be taken into account which content of the order issued by the supervisory authority the registrar has not complied with. The order has therefore not concerned, for example, the implementation of one registered right, but the established operating method of the data controller. The penalty panel considers the above-mentioned fact to be an aggravating factor in the penalty payment consideration.
Previous similar violations

116. The controller has not been guilty of previous similar violations of the provisions of the General Data Protection Regulation, which would have involved non-compliance with the supervisory authority's order. The penalty panel does not consider this fact to be a mitigating or aggravating factor in the assessment of the penalty payment.
The degree of cooperation with the supervisory authority and the manner in which the breach came to the supervisory authority's attention

117. The data protection group's instruction on the application and imposition of administrative fines states that the degree of cooperation of the data controller can be "appropriately taken into account" when deciding on the imposition of an administrative fine and its amount. According to the instructions, a relevant fact can be taken into account if the controller has reacted to the requests of the supervisory authority during the investigation of the case in question in such a way that it has significantly limited the risk to the rights of individuals.

118. In its response to the consultation request, the data controller states that it cooperated with the authority. According to the registrar, the fact that the authority could not be given the information it wanted because the registrar simply does not have the information cannot be a basis for imposing a fine. The registrar states that it does not have statistics on how many decisions it has not registered because it has considered the matter disputed.

119. Regarding the issue raised by the data controller, the sanctions panel again draws attention to the fact that the sanction assessment at hand is carried out, because the data controller has not taken the measures required by the data protection commissioner's order. The activity of the data controller that violates the provisions of the General Data Protection Regulation has come to the attention of the Data Protection Commissioner's Office from the report submitted as a result of the Data Protection Commissioner's order. In this regard, the data controller has been cooperative with the data protection authorized office. The penalty panel does not consider the aforementioned as a mitigating or aggravating factor in the penalty payment assessment.
The measures previously imposed on the registrar on the same matter

120. With regard to the condition in question, in its response to the consultation request, the data controller points out that it was justified in the opinion that it has acted in accordance with the decision issued on 9 November 2021 and complied with the regulations issued therein. The registrar considers it unreasonable that an administrative penalty fee would be imposed because the registrar did not apply for an amendment to the order given in cases 834/532/18 and 8212/161/19. The registrar repeats that the entries referred to in the cases had been removed from the register on November 9, 2021.

121. With regard to the points raised by the data controller, the sanctions panel again draws attention to the fact that the data protection commissioner's order has not only been limited to removing the payment default entries of the person who initiated the case, but has also covered other incorrect payment default entries caused as a result of the general procedure of the data controller.

122. However, the Sanctions Board does not consider the facts in question as aggravating or aggravating factors in the sanction assessment. Failure to comply with an order issued earlier on the same matter can be taken into account either as an aggravating circumstance according to Article 83(2)(i) or as a separate violation according to Article 83(5)(e) or Article 83(6). Since the situation at hand now concerns the latter situation, failure to comply with the order is no longer taken into account as a mitigating or aggravating factor in the consideration of sanctions, so that failure to comply with the order would not be punished twice.
Any other aggravating or mitigating factors applicable to the case

123. As other possible aggravating or mitigating factors applied to the case, possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation can be taken into account. According to the data protection working group's instruction on the application and imposition of administrative fines, the financial benefit obtained from the violation cannot be compensated by measures that do not involve a payment penalty. The fact that the data controller has benefited from the violation of the regulation can be a clear sign that a fine should be imposed.

124. According to the registrar's answer to the consultation request, no financial benefit has been gained by the violation and no loss has been avoided by the violation. The sanctions panel, on the other hand, considers that, based on the controller's response to the consultation request, the decision not to implement the measures required by the order was influenced by the large workload caused by complying with the order.

125. In this regard, the sanctioning panel draws attention to the fact that in the report given by the Data Protection Commissioner's order, the registrar stated that it was impossible to identify and remove erroneous cases from the credit information register. However, in its response to the consultation request, the controller has described one way in which it would have been possible to identify the cases. It is particularly noteworthy that the data controller has presented in this regard that the implementation of the actions it describes would be an impossible idea. The Sanctions Board considers that this may mainly refer to the large amount of work caused by the measures.

126. Based on the reasons presented above, the sanctions panel considers that by not complying with the data protection commissioner's order, the data controller has avoided the costs in its business caused by the amount of work required to comply with the order. The penalty panel considers the above-mentioned fact to be an aggravating factor in the penalty payment consideration.