Tietosuojavaltuutetun toimisto (Finland) - 3592/152/2019: Difference between revisions

From GDPRhub
 
Line 55: Line 55:


=== Facts ===
=== Facts ===
In the course of business, a private trader having the status of a self-employed person (the Complainant) had a phone call with a company (the Company) which was recorded by the latter. The Complainant later requested access to the recording on the basis of [[Article 15 GDPR|Article 15 GDPR]]. The Company said that it could not provide a copy of the phone call in audio format, but instead provided the Complainant with a transcript of the recording in text format.
In the course of business, a private trader having the status of a self-employed person (the Complainant) had a phone call with a company (the Company) which was recorded by the latter. The Complainant later requested access to the recording of the phone call on the basis of [[Article 15 GDPR|Article 15 GDPR]]. The Company said that it could not provide a copy of the phone call in audio format, but instead provided the Complainant with a transcript of the recording in text format.


The Complainant filed a complaint with the Finnish DPA, asking the latter to clarify whether the Company had the right to provide a written transcript of the recording of the call.
The Complainant filed a complaint with the Finnish DPA, asking the latter to clarify whether the Company had the right to provide a written transcript of the recording of the call.

Latest revision as of 11:39, 1 December 2021

Tietosuojavaltuutetun toimisto (Finland) - 3592/152/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 21.10.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 3592/152/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finnish DPA (in FI)
Initial Contributor: Florence D'Ath

The Finnish DPA held that a controller, upon receiving an access request from a data subject, was not obliged to provide a copy of a phone call between them in audio format, but could instead provide a written transcript of the call as long as its contents were not edited.

English Summary

Facts

In the course of business, a private trader having the status of a self-employed person (the Complainant) had a phone call with a company (the Company) which was recorded by the latter. The Complainant later requested access to the recording of the phone call on the basis of Article 15 GDPR. The Company said that it could not provide a copy of the phone call in audio format, but instead provided the Complainant with a transcript of the recording in text format.

The Complainant filed a complaint with the Finnish DPA, asking the latter to clarify whether the Company had the right to provide a written transcript of the recording of the call.

Holding

On the application of the GDPR to an audio recording involving a private trader

The Finnish DPA first examined whether the audio recording of a phone conversation consists of personal data in the sense of Article 4(1) GDPR. Referring to the wording of that Article, as well as to both Finnish and EU case-law, the Finnish DPA concluded that the voice of an individual must be considered as personal data.

Referring to the CJEU judgment C-92-09 Volker und Markus Schecke, the Finnish DPA further stressed that the fact that the Complainant was acting in its capacity as a self-employed trader during the call did not change that finding. As explained in paragraph 53 of that CJEU judgment indeed, EU data protection law also applies to legal persons in so far as a natural person is identifiable as a legal person (as was the case here).

As a consequence, the Finnish DPA concluded that the Complainant had a right of access to the recording in accordance with Article 15 GDPR.

Form in which information is to be provided

The Finnish DPA then examined in which format the Company had to provide a copy of the personal data, in light of Article 15(3) GDPR. In this respect, the Finnish DPA noted that in some instances, personal data itself may impose an obligation to provide the data in a certain format. Where the personal data to be processed consist, for example, of the data subject's voice, the data subject may have the right to access the audio recording of that voice as such. The Finnish DPA noted however that in the present case, there were no indications that the information should be provided as an audio recording, since the Complainant wanted to have access to the content of the phone call rather than to his voice. As a consequence, the Finnish DPA found that the Company was not obliged to provide the personal data in its original form, as long as the data could also be properly provided in another way, for example in writing.

The Finnish DPA stressed however that the Company must ensure that the format in which the data are provided allows the Complainant to verify the accuracy of the personal data. In other words, the possibility for the Company to provide the personal data in a non-original form does not mean that the Company may alter the content of the personal data (i.e. the written transcript of an audio recording must correspond to the actual conversation which took place between the Complainant and the Company).

No injunction

Given that, in this case, the Company had provided a written transcript of the phone call to the Complainant, the Finnish DPA did not find any violation of Article 12 GDPR or Article 15 GDPR, and did not issue any injunction against the Company.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The right of a private trader to have access to data relating to a call recording and the format of the information to be provided
    Decision of the EDPS
    Thing
    Right of access to information and format for submission of information
    Applicant 's claims and reasons
    On 30 April 2015, the applicant requested the EDPS to take measures under Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC. to order access to the information.
    The applicant has asked the EDPS to clarify whether the controller has the right to provide a text-only recording of the call between the applicant and the controller.
    Statement received from the applicant
    The applicant has asked the controller to listen to the call recording of the call with the controller. According to the applicant, the controller has stated that he will only supply the recording in text format.
    The applicant has been a self-employed person. The call record in question relates to a call in which the applicant has dealt with the data controller as a private trader.
    Statement received from the controller
    The Office of the Data Protection Supervisor has requested clarification from the controller by request for clarification dated 29.9.2020. The registrar submitted his report on 15.10.2020. In the report, the data controller has stated, among other things, the following.
    The controller has stated that it does not have the personal data of the applicant. The registrar has stated that the business register it maintains is not a personal data register and does not store, collect or maintain personal data.
    According to the registrar, for security reasons, the registrar will not send the recordings via e-mail. The controller considers that it cannot be sure that a recording will end up in the unprotected context.
    Applicant 's reply
    The Office of the Data Protection Officer has reserved the possibility for the applicant to lodge a response following a statement from the controller. The applicant has not submitted a response by the deadline of March 24, 2021.
    Applicable law
    The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. According to section 8 of the Data Protection Act (1050/2018), the Data Protection Commissioner acts as the national supervisory authority within the meaning of the General Data Protection Decree in connection with the Ministry of Justice.
    General privacy setting
    According to recital 14 of the General Data Protection Regulation, the protection afforded by this Regulation should apply to natural persons irrespective of their nationality or place of residence as regards the processing of personal data. This Regulation shall not apply to the processing of identification data of legal persons, in particular companies formed in the form of a legal person, such as the name, legal form and contact details of the legal person.
    According to Article 4 (1) of the General Data Protection Regulation, “personal data” shall mean all information relating to an identified or identifiable natural person, hereinafter “data subject”; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to identification data such as name, identity number, location, online identification or one or more characteristic physical, physiological, genetic, mental, economic, cultural or social factors.
    Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate measures to provide the data subject with all processing data in accordance with Article 15 in a concise, transparent, easily understandable and accessible form in clear and simple language. The information shall be provided in writing or by other means and, where appropriate, in electronic form. If the data subject so requests, the information may be provided orally, provided that the data subject's identity is otherwise established.
    Article 15 (3) of the General Data Protection Regulation requires the controller to provide a copy of the personal data processed.
    Legal question
    The EDPS will assess and decide on the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679. The matter needs to be assessed
    whether the applicant, as a private trader, has a right of access to the data recorded in accordance with Article 15 of the General Data Protection Regulation; and
    if the applicant, as a private trader, has the right of access to the data in the call record, in what form the data controller must provide the data, in this case the call record.
    If the controller has not exercised the applicant's right under the General Data Protection Regulation, the EDPS must assess whether the remedial powers under Article 58 (2) of the General Data Protection Regulation should be exercised.
    Decision and justification of the EDPS
    Decision
    No order.
    As a private trader, the applicant has the right of access to the data recorded in accordance with Article 15 of the General Data Protection Regulation.
    The controller has acted in accordance with the terms of the General Data Protection Regulation by providing information in accordance with Article 15 of the General Data Protection Regulation in writing.
    Reasoning
    
      On the application of the General Data Protection Regulation to private traders in respect of telephone recordings
    
    In the present case, the right of inspection has been specifically recorded in the recording of a call between the applicant and the controller. The EDPS considers it undisputed that the call record contains personal data within the meaning of Article 4 (1) of the General Data Protection Regulation. In its decision of 30 July 2010 (2094/1/09), the Supreme Administrative Court ruled that the sound recorded on the tape was personal data and thus covered by the right of inspection provided for in section 26 of the Personal Data Act (523/1999), which was repealed on 1 January 2019. Similarly, on 11 March 2009, the Court of First Instance of the European Communities ruled in Case T-166/05 that a person could be identified by voice (recital 39). Voice is thus considered personal information. The entry into force and application of the General Data Protection Regulation has not changed the definition of personal data, so that the sound recorded on tape as personal data should be assessed differently.
    The applicant has operated as a private trader and the call recording in question has been between a private trader and a data controller.
    In its judgment of 9 November 2010 in ECLI: EU: C: 2010: 662 (Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen, Bundesanstalt für Landwirtschaft und Ernährungin, Joined Cases C-92/09 and C-93/09 ) considered that the right to privacy with regard to the processing of personal data, recognized in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (2012 / C 326/02), applies to all data concerning an identified or identifiable natural person (recital 52). The judgment stated that that right to privacy applies to legal persons only in so far as the natural person is identifiable as a legal person (paragraph 53 of the judgment).
    In a decision pursuant to the repealed Personal Data Act (10.5.2011 dnro 2680/41/2010), the Data Protection Commissioner has held that a representative of a public limited company has the right to obtain a call record pursuant to the right of inspection pursuant to section 26 of the Personal Data Act (523/1999). In his decision, the EDPS has stated that the conversations recorded by the controller have contained personal data, regardless of whether the limited liability company was a party to the telephone conversation. Thus, a recorded voice is considered to be personal data relating to him that can be associated with a natural person.
    In order to address this issue, recital 14 of the General Data Protection Regulation should also be taken into account, according to which the General Data Protection Regulation does not cover the processing of personal data of legal persons, in particular legal entities, such as legal personality, legal form and contact details. The General Data Protection Regulation, and the data subject's rights under it, therefore do not apply to the processing of personal data of companies established in the form of a legal entity.
    The EDPS draws particular attention to the fact that the request for access in this case concerned a voice recording containing the personal data of an identifiable natural person. This is therefore not information within the meaning of recital 14 of the General Data Protection Regulation. Nor is it the processing of personal data of a legal person because the private trader is not a legal person within the meaning of the recital of the General Data Protection Regulation. In the present case, the EDPS therefore considers that the applicant has a right of access to the data recorded in accordance with Article 15 of the General Data Protection Regulation.
    
      Form in which information is to be provided
    
    The applicant has requested that the call recording be listened to. The registrar has stated that he will only provide the recording in writing.
    Article 15 (3) of the General Data Protection Regulation requires the controller to provide a copy of the personal data processed. Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate measures to provide the data subject with all processing data in accordance with Article 15 in a concise, transparent, easily understandable and accessible form in clear and simple language. The information shall be provided in writing or by other means and, where appropriate, in electronic form.
    The EDPS considers it the duty of the controller to assess what is the appropriate format in each case for providing information in accordance with Article 15. The EDPS considers that the controller is not always obliged to provide the data in the original form, if the data can be properly provided in another way, for example in writing. However, the controller must ensure that the format in which the data are provided is such that the data subject can verify the accuracy of the personal data processed by the controller. However, the possibility to provide data in a non-original form does not mean that the controller may modify the personal data provided by him in such a way that the data provided to the data subject do not correspond to the data processed by the controller.
    In some cases, personal data itself may impose an obligation to provide the data in a certain format. Where the personal data to be processed consist, for example, of the data subject's voice, the data subject may in some cases have the right to access data relating specifically to the voice. In the present case, however, there is no evidence to suggest that the information should be provided as an audio recording. The EDPS considers that the right of access to information on voice can be exercised by the controller recording the contents of the call recording. However, the EDPS emphasizes that the spelled out must correspond to the content of the call record in order for the data subject to be able to verify that the personal data processed are lawful.
    Finally, the EDPS notes that the controller may also, if he so wishes, offer data subjects the opportunity to listen to the recording, for example by telephone or on the spot at the controller 's premises. However, the possibility to intercept a call recording, for example at the controller's office, does not correspond to the format in which the data is provided under Articles 12 (1) and 15 (3) of the General Data Protection Regulation, so the interception should not be the only form of exercise.
    Applicable law
    EU General Data Protection Regulation (2016/679) Article 4 (1), Article 12 (1), Article 15 (3)
    Appeal
    According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).
    Service
    The decision shall be served by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt.
    Guidance of the Data Protection Officer
    In its report, the registrar has stated that the business register it maintains is not a personal data register and does not store, collect or maintain personal data.
    According to Article 4 (1) of the General Data Protection Regulation, personal data means any information relating to an identified or identifiable natural person. Personal information includes, for example, the person's voice, name, and phone number. According to paragraph 2 of the same Article, the processing of personal data shall mean any activity or activities which are carried out on personal data or sets of data containing personal data, either by automatic data processing or manually, such as data collection, storage and use.
    If the controller processes the personal data of the data subjects, for example a telephone number in order to provide their services to the data subjects, the data controller processes the personal data. If the data controller records the telephone conversations with the data subjects and keeps them for a specified period of time, the data controller shall process the data subject's personal data. Thus, it is irrelevant whether the controller keeps a separate register of personal data.
    In addition, the EDPS notes in this context that the controller has an obligation to comply with the provisions of the General Data Protection Regulation when processing personal data. Under Article 58 (2) (i) of the General Data Protection Regulation, the EDPS has the power to impose an administrative penalty fee under Article 83 if the controller infringes the provisions of the General Data Protection Regulation.
    This Data Protection Supervisor's control cannot be appealed.