Tietosuojavaltuutetun toimisto (Finland) - 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...")
 
 
(One intermediate revision by one other user not shown)
Line 54: Line 54:
}}
}}


Finnish DPA imposed a 7,000 euro fine to a company that sent out direct marketing communications without obtaining prior consent from data subject, and for also neglecting data subjects’ rights.  
The Finnish DPA imposed a 7,000 euro fine to a company that sent out direct marketing communications without obtaining prior consent from the data subjects and for also neglecting data subjects’ rights.  


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The Finnish DPA received 11 complaints regarding Acc Consulting (Independent Consulting Oy) company’s direct marketing communication practices. According to the national law section 200 of the Information Society Code (917/2014), consent must be obtained from data subjects in the context of direct marketing. Furthermore, the consent must comply with Article 4(11) of GDPR. 
The Finnish DPA received 11 complaints regarding Independent Consulting Oy’s direct marketing communication practices. The direct marketing communications were sent to the data subjects via SMS. The SMS contained instructions on how to opt-out from the direct marketing communications. However, the opt-out feature did not work and users kept receiving marketing messages. The controller claimed that the direct marketing communications were targeted at companies, and under section 202 of the Information Society Code, no prior consent was needed in such a case. Furthermore, some of the data subjects had submitted requests to the controller regarding exercising their rights under GDPR. The controller failed to answer the data subjects in a timely manner.  
The direct marketing communication was sent to the data subjects via SMS. The SMS contained instructions on how to opt-out from the direct marketing communications. Despite data subjects opting out, they still continued to receive marketing messages.  
===Dispute===
The controller claimed that the direct marketing communications were targeted at companies, and under section 202 of the Information Society Code, no prior consent is needed to send direct marketing communications to companies. The DPA ruled that as the work phone numbers were specific to an employee and not the company as a whole, and the marketing message content did not relate to the data subject’s work activities, the communication was seen directed to natural persons instead of companies.


Furthermore, some of the data subjects had submitted requests to the controller regarding exercising their rights under GDPR. The controller failed to answer the data subjects in a timely manner and in accordance with the GDPR. The controlled had not taken any action regarding these requests either.  
According to the applicable national law, Section 200 of the Information Society Code (917/2014), user's consent must be obtained prior to the sending of any marketing communication. The DPA has to assess whether the phone numbers used for the direct marketing belonged to the individual or to the employer and whether the content of the communication referred to the individual working activities or not.
 
===Holding===
 
The DPA found that the phone numbers used were specific to the employee and not to the company. Moreover, the marketing message did not relate to the data subject’s work activities. Finnish DPA imposed a 7.000 euro fine to the company for sending out direct marketing communications without prior consent and also for neglecting data subjects’ rights. When imposing the fine, the DPA considered it as a mitigating factor that the data subjects had not suffered any financial harm. Furthermore, as per Article 58(2)(c) and (d) GDPR, the DPA ordered the controller to comply with the data subjects’ requests and to bring its practices in line with the Regulation. The decision is not yet final.
=== Dispute ===
==Comment==
 
 
=== Holding ===
Finnish DPA imposed a 7,000 euro fine to the company for sending out direct marketing communications without prior consent and also for neglecting data subjects’ rights. When imposing the fine, the DPA considered it as a mitigating factor that the data subjects had not suffered any financial harm.
Furthermore, as per Article 58(2)(c) and (d) GDPR, the DPA ordered the controller to comply with the data subjects’ requests and to bring its practices in line with the Regulation.  
The decision is not yet final  
 
 
== Comment ==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.



Latest revision as of 13:03, 3 March 2024

Tietosuojavaltuutetun toimisto - 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 4(11) GDPR
Article 58(2)(c) GDPR
Article 58(2)(d) GDPR
Information Society Code (917/2014)
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.07.2020
Published: 23.07.2020
Fine: 7000 EUR
Parties: n/a
National Case Number/Name: 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

The Finnish DPA imposed a 7,000 euro fine to a company that sent out direct marketing communications without obtaining prior consent from the data subjects and for also neglecting data subjects’ rights.

English Summary

Facts

The Finnish DPA received 11 complaints regarding Independent Consulting Oy’s direct marketing communication practices. The direct marketing communications were sent to the data subjects via SMS. The SMS contained instructions on how to opt-out from the direct marketing communications. However, the opt-out feature did not work and users kept receiving marketing messages. The controller claimed that the direct marketing communications were targeted at companies, and under section 202 of the Information Society Code, no prior consent was needed in such a case. Furthermore, some of the data subjects had submitted requests to the controller regarding exercising their rights under GDPR. The controller failed to answer the data subjects in a timely manner.

Dispute

According to the applicable national law, Section 200 of the Information Society Code (917/2014), user's consent must be obtained prior to the sending of any marketing communication. The DPA has to assess whether the phone numbers used for the direct marketing belonged to the individual or to the employer and whether the content of the communication referred to the individual working activities or not.

Holding

The DPA found that the phone numbers used were specific to the employee and not to the company. Moreover, the marketing message did not relate to the data subject’s work activities. Finnish DPA imposed a 7.000 euro fine to the company for sending out direct marketing communications without prior consent and also for neglecting data subjects’ rights. When imposing the fine, the DPA considered it as a mitigating factor that the data subjects had not suffered any financial harm. Furthermore, as per Article 58(2)(c) and (d) GDPR, the DPA ordered the controller to comply with the data subjects’ requests and to bring its practices in line with the Regulation. The decision is not yet final.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.