Tietosuojavaltuutetun toimisto (Finland) - 6097/161/21

From GDPRhub
Tietosuojavaltuutetun toimisto - 6097/161/21
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.05.2022
Published: 05.07.2022
Fine: 85,000 EUR
Parties: Otavamedia Oy
National Case Number/Name: 6097/161/21
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Finnish
Original Source: Finlex (in FI)
Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Vadym Kublik

The Finnish DPA fined a magazine publisher €85,000 for deficiencies in facilitating the exercise of data subject rights. The controller, among other things, required data subjects to print, fill, sign and send a paper form to have their data deleted.

English Summary

Facts

Otavamedia Oy (controller) is a publishing company whose online services reach approximately 2 million Finns monthly. Between 2018 and 2021, eleven data subjects complained about the controller to the Finnish Office of the Data Protection Commissioner (DPA). Five complaints concerned the controller's requirement for data subjects to send a filled and signed paper form if they wished to exercise their right for erasure under Article 17 GDPR. The rest reported that the controller did not respond to their subject access requests under Article 15 GDPR that were sent via an online form. With regard to the erasure requests, the controller justified the demand for a person's signature by the need to prevent identity fraud. For the other cases, the controller explained that the requests in question did not reach its customer service staff due to a technical error in its emailing system that lasted for seven months.

Holding

The DPA held that requiring the printing, filling and signing of a separate form to identify the data subject does not conform with Articles 12(2), 12(6), 5(1)(c) and 25(2) GDPR as it complicates the exercise of data subject rights and processes more personal data than necessary for the data subject's identification. The DPA stressed that the unnecessary collection of data subjects' signature data may actually increase, rather than decrease, the potential risks of misuse while making it more difficult for data subjects to exercise their rights. The controller should have also considered the nature of the personal data concerned, the nature of the request, and the context in which the request is made in determining the means of identification. Whilst controllers may offer different options for the exercise of data subjects' rights, digital identification, such as using the same identifiers when logging in online services provided by the controller, should be one of them.

Furthermore, the DPA held that the controller neglected the data protection by design principle of Article 25(1) GDPR by not testing its email system, which was used as a main electronic channel for data subjects to exercise their rights. In conclusion, the DPA ordered Otavamedia Oy to pay an €85,000 fine and bring its subject requests processing system in conformity with the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Implementing registered rights, taking care of the functionality of the contact channel and identifying the customer

Keywords: Penalty fee
Rights of the registrant
Identification

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 6097/161/21

The decision of the Data Protection Commissioner and Sanctions Board

Thing

Identification of the data subject and exercise of the data subject's rights

Background of the matter

Between November 27, 2018 and January 11, 2021, 11 complaints have been filed with the Office of the Data Protection Commissioner regarding the processing of personal data carried out by Otavamedia Oy (later the controller). The complaints have concerned the identification of the data subject by requiring the signing of a separate inspection or deletion request form, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and the free movement of this data and the repeal of Directive 95/46/EC (later the General Data Protection Regulation). According to Article 15, the data subject's right to access his own data and Article 17, the right to have his data deleted.

The data protection commissioner deals with the cases initiated pursuant to Section 25 of the Administrative Act (434/2003) together. The above-mentioned issues are dealt with in this decision under diary number 6097/161/2021.

The initiators' demands with justifications

Five initiators have questioned the data controller's practice of identifying the data subject. In order to exercise the right of access according to Article 15 and the right to erasure according to Article 17, the controller requires a separate erasure request form to be printed, filled in and signed and delivered either by mail or email to the address tietosuo-asiat(at)otavamedia.fi. In addition to the signature, the form is required to fill in the data deletion basis by ticking the appropriate box, the registered person's full name and address information.

Other complaints by initiators have concerned the data subject's right to access their own data according to Article 15 and the right to have their data deleted according to Article 17. In their complaints, the initiators have complained that the data controller has not responded to their requests regarding the rights of the data subject submitted by e-mail or post within the time required by Article 12 of the General Data Protection Regulation.

1. The initiator states that he sent the signed request by post on 26 September 2018 in writing and signed as requested by the data controller. On January 4, 2019, the initiator has been in contact with the data controller and inquired by email about why his data has not been deleted. The initiator has not received a response by February 6, 2019. According to the initiator, his personal data is still used, for example, for marketing purposes.

2. The initiator states that he sent an e-mail on 26 October 2018 to the data controller (tietosuoja-asiat(at)otavamedia.fi) regarding the rights and information of the data subject. The request for information has concerned the following matters: the right to access one's own information, the right to know whether the initiator has been subjected to automatic profiling, the right to know to whom the initiator's data has been disclosed, the right to know whether the initiator's information has been disclosed outside the EU and the right to know how the initiator's information has been used. In addition, the initiator has inquired about how and where the initiator has given his consent to the processing of his personal data, why the initiator's data has not been deleted as the data controller has stated in his data protection statement, and how the data controller implements information security regarding the initiator's personal data. The initiator has not received a response to his request by May 23, 2019.

3. The initiator says that he sent the signed request on 13 November 2018 to the controller. The initiator has not received a response to his request by May 23, 2019.

4. The initiator states that he contacted the data controller by sending an e-mail request on 22 November 2018 regarding the inspection and deletion of his own data to the address tietosuo-asiat(at)otavamedia.fi. Later on January 9, 2019, the initiator forwarded his request to the address tietosuo-asiat(at)otavamedia.fi. The initiator has not received an answer to his request by May 27, 2019.

5. The initiator states that he sent a request to the data controller on 27 May 2019 and again on 29 May 2019 by e-mail regarding the origin of his data processed in connection with direct marketing. On June 3, 2019, the initiator received a reply from the registrar confirming that the matter is under investigation and will be returned to as soon as possible. After the message in question, the initiator has not received an answer to his request by June 25, 2019.

6. The initiator says that he has submitted a request to the data controller to have his data deleted in accordance with the instructions given by the data controller by sending a scanned and signed deletion request form to the address tietosuo-asiat(at)otavamedia.fi. 7 May 2020. The initiator has contacted the data controller again by email on June 8, 2020, but according to his account, has not received any kind of response from the data controller by June 23, 2020.

Statement received from the registrar

Identification of the registrant

As a result of the matters that have been initiated, the data protection commissioner's office has on 30 March 2021 submitted a clarification request to the data controller regarding the data controller's modus operandi, which requires filling in a form to be signed in order to exercise the data subject's rights. The registrar has submitted its response to the clarification request on 23 April 2021.

In its report, the registry keeper states that it does not know the identities of the individual initiators, so it has not been able to carry out internal audit procedures regarding possible communications and procedures with individuals.

According to the controller, the data subject can exercise his rights in the following different ways and in the following different channels:

1. by e-mail by sending a request or question regarding rights to the e-mail address tietosuo-asiat(at)otavamedia.fi

2. by calling the data controller's customer service (direct marketing bans and permits, changes to address and phone number information; regarding other rights, the procedure for the written process will be advised by phone)

3. by sending the letter by post

4. using the real-time chat service via the company's website

5. exercising the inspection right by logging into the customer account (at Otavamedia.fi/kirjaudu)

6. by personally visiting the reception of the controller's place of business

According to the data controller, the general data protection regulation requires data controllers to be careful and have sufficient assurance that, if necessary, the data controller can identify the data subject, e.g. in connection with the exercise of these rights. For this purpose, the controller requires the registrants to e.g. first and last name information, home address and country, and the person's signature (for transactions other than at the place of business and for identity verification on the spot with an identity card). Responses to requests regarding the exercise of rights are sent by post using the enquirer's personal data found in the personal registers of the data controller. For this reason, the controller asks the enquirer for this full name and complete home address, in order to compare the information with the information found in their registers. If the data subject informs that he does not have the option to print the form on the website of the data controller, the data controller tells him that he will mail it to him for filling out the form and returning it by mail or scanned.

According to the controller, nowhere is it directly confirmed that the controller could explicitly demand a signed request from the data subjects, but on the other hand, demanding such a request is not prohibited either. According to the controller, submitting a signature is not an unreasonable request in connection with exercising the right, when the right is exercised elsewhere than by logging into an electronic customer account. The controller also emphasizes that the data subject can submit the signed request by mail, but also electronically, by scanning the signed form as an attachment to the email.

The controller says that, within the framework of the planning, privacy by default and security obligations of the General Data Protection Regulation, it has planned and outlined which processes will be used to implement the rights in the company, balancing the rights and obligations of the parties, and guides the processes clearly in its various channels.

In its response, the controller refers to Articles 12 and 15 of the General Data Protection Regulation, its introductory paragraphs 63 and 64, and the instructions on the website of the Data Protection Commissioner's Office regarding the identification of the data subject. According to the registrar, the article texts or introductory paragraphs of the regulation do not expressly take a position on how the request should be implemented, i.e. how the registrar has the right to obtain confirmation that the person is who he claims to be. According to the registrar, the referenced instructions emphasize that the registrar himself determines the way in which the inspection request should be presented, based on planning and privacy by default obligations.

According to the registrar, a person's signature has traditionally been considered to show his will in a reliable way. It is not possible to completely eliminate the risks of identity-related abuse with any method, but with the requested information and their confirmation with a signature, the risk level is very low, which is in the interest of both the registered and the data controllers. The data controller has stated in its report to the data protection commissioner's office that if it receives a lot of feedback from customers about one of its procedures, it is ready to develop the customer experience related to data protection and to consider a model in which the customer is asked for a written deletion request without a signature, on the condition that the data controller can nevertheless reliably identify the customer and minimize the risks of identity-related abuses .

Exercising the rights of the registered person

Before the data protection commissioner's request for clarification regarding the data controller's method of identifying the data subject, the data protection commissioner's office has also requested clarification from the data controller with separate clarification requests dated 17.5.2019, 24.5.2019, 10.9.2019 and 30.3.2021. These clarification requests have concerned cases regarding the exercise of the data subject's rights identified in each clarification request. The registrar has submitted the answers to the reports on 17 June 2019, 24 June 2019, 7 October 2019 and 23 April 2021.

Thing 1

On 26 September 2018, the data subject submitted his request for data deletion by post using the standard signed form required by the data controller. The letter was opened at the registrar's office on October 1, 2018. According to the registrar, due to human error, an incorrect control mark for the internal address has been placed on the opened envelope, so it has not been guided to the data deletion request processing described in more detail in the report. The controller said that after being contacted by the data protection officer's office, he had processed the registered person's deletion request and had sent him an explanation of the regrettable human error. In his reply, the controller states that he has changed his operating model as follows: letter mail is received at customer service (previously at the registry office), scanned into the customer service system and sent to the work queue defined for it. If the customer's case concerns a matter defined in the GDPR guidelines of the data controller, the scanned customer's letter will be sent as an email to the data protection affairs(at)otavamedia.fi email address, from which it will be processed in accordance with the GDPR guidelines. The number of e-mails related to GDPR issues scanned to the Tietosuoja-asiat(at)otavamedia.fi e-mail address is reconciled every month to ensure that all issues are processed on time and in accordance with the instructions.

In its response dated June 17, 2019, the data protection officer submitted to the data protection officer's office that it has implemented the deletion request and provided the data subject with an explanation of the processing error that occurred.

Thing 2

In the case, the registrant had asked the data controller by email on 27 May 2019 about the source of his contact information obtained from elsewhere after receiving direct marketing from him. The registrar has confirmed that the matter is under consideration on June 3, 2019. Based on the information provided by the data subject, the controller checked its database and the data subject was not found in them based on the information provided by the data subject. In the reply submitted to the data protection officer's office, the controller stated that the information was difficult to find based only on the registered name and e-mail. After a manual, lengthy search for information, the controller said that he had found the data subject's magazine order information and verified that the data subject had been assigned a supply of magazines based on the data controller's own personal register during the period indicated by the data subject. It was therefore not a case of data being collected from someone other than the registered person. In addition, according to the data controller, the data search was made more difficult by the change of its enterprise resource planning system in 2019. The data controller admits that it could have asked the data subject for more detailed information in the transaction related to the request in order to clarify the matter. The registrar said that he is refining his internal instructions related to such type of cases.

The controller said that in the case in question, he informed the registrant that his data was not obtained from an external address source and the content of his response to the data protection commissioner's office, and that he would delete the registrant's data. In addition, the controller said that in the future he would inform about difficult or time-consuming processing of the request and that he would use the opportunity to extend the response time by two months and inform the person who made the request about this.

Items 3, 4 and 5

The controller says that he has created his own e-mail box for handling data protection cases. The box is directed to the customer service contact system (Sap/Merlin), from where the issues are handled by customer advisors and sales service. The controller says that the box was put into use and tested well in advance of the entry into force of the General Data Protection Regulation. After this, the data controller's technical e-mail service provider changed and the e-mail changed to a cloud service.

According to the registrar, in connection with the environmental changes in question, the technical integration between the e-mail system and the customer service contact system has been broken (the so-called IMAP configuration has been disabled), and there has been no alert or error message of any kind from the technical problem. Consequently, data protection-related inquiries and requests made by registered users by e-mail during this period have remained beyond the reach of customer advisors. According to the registrar, the number of contacts from consumers is usually so low that it has not identified a technical malfunction during the break in incoming messages. The situation was not detected because privacy messages are also directed to Merlin from other channels. As a result, the data controller has also not been able to process the e-mails sent by the complainants in cases 3, 4 and 5 within the deadline set by the General Data Protection Regulation. Following the data protection authorized officer's request for clarification, the data controller said in his reply dated 17 June 2019 that he had corrected the technical setting of the e-mail control and that he had received all the e-mails sent to the data protection e-mail box during the error. The controller also said that with this, it has introduced an internal repetitive process, which it uses to test the continuous functionality of the data protection email box.

According to the data controller, none of the requests regarding the data subject's rights sent to the data controller using the e-mail channel in question during that period have gone unfulfilled. The controller has the certainty that, despite the technical exceptional situation, all messages sent to its e-mail address regarding data protection matters have arrived, and all of them have been reacted to without delay after the exceptional situation was detected. The controller says that over the years it has received only a small number of contacts from registered users related to checking and/or deleting personal data. At the same time, during the technical state of emergency, the data controller received some requests from registered users in other customer service channels, the processing of which proceeded according to the normal schedule in its process.

Item 6

In the matter, the controller says that he received the personal data deletion request on May 5, 2020 and the deletion form on May 7, 2020, according to the information provided by the initiator. The registrant's request has been processed on May 7, 2020. The data controller says that in the individual case in question, a regrettable processing error has occurred, i.e. the deletion was made only on June 9, 2020, and the data controller has not provided information about the deletion to the data subject within the stipulated time. According to the registrar, a single processing error was caused by a data break between the deletion processing system and the e-mail system. The registrar says that he has changed the processing process for depreciations so that they take place during the same processing process.

The controller informs that a written response has been delivered to the data subject first by post on June 9, 2020, and then additionally by email on April 23, 2021.

Considerations received in cases

The Office of the Data Protection Commissioner has reserved the opportunity for initiators in matters concerning the exercise of the data subject's rights to give a response based on the explanation provided by the data controller. In matters concerning the registration procedure of the registrant's identification procedure, the data protection commissioner's office has deemed the request for a response to be obviously unnecessary according to Section 34, Subsection 1, Section 5 of the Administrative Act. The initiators have given their responses in the 1st case on 1 July 2019 and in the 2nd case on 22 November 2019.

In the response given in case 1, the initiator states that it is good that the data controller has found an error in its processing process and corrected the process. However, the initiator states in the response submitted on July 1, 2019, that he has not received any explanation or even acknowledgment of the processing of the deletion request, even though the data controller has stated this in his response to the clarification request. The initiator states that it is difficult as a private individual to have any confidence that the data controller would still comply with the general data protection regulation, because one important point in the "right to be forgotten" right is the data controller's explanation of the measures. When this "acknowledgment" is missing, it feels like the matter is unfinished. The initiator also refers to the data controller's duty of proof and asks the data protection commissioner's office to find out whether the data controller has documented the processing of the deletion request and to ensure that the data controller also provides the initiator with information on the matter.

In case 2, the initiator states in his response that the report received from the data controller does not say where/how they obtained the initiator's information. In addition, according to the initiator, it is strange to say the least that the registrar does not know how to search with the name of the registered person, which is known to them. The initiator states that in reality the "missing" address is just one excuse among others and is not satisfied with this explanation as far as the acquisition of the initiator's information is concerned. In addition, the initiator attached a picture of one of the marketing letters he received from the data controller in the summer of 2019.

In case 6, the initiator has been contacted by phone on July 1, 2021. The initiator says that he only received the response sent by the controller via e-mail on April 23, 2021, about a year after he submitted his original deletion request.

The facts of the case

As a result of the explanation received in the matter, the controller has been reserved the opportunity referred to in § 34 of the Administrative Act to be heard and present his views on the preliminary assessment of the representative of the data protection authorized office and the facts presented in the consultation request. The following facts are presented in the consultation request of the Office of the Data Protection Commissioner.

Otavamedia Oy is a Finnish media company that publishes 22 public magazines and publishes more than 15 online services in Finland. Otavamedia represents all of Otava's online audiences. The online services of Otavamedia and Otava Markets together reach more than 3.6 million Finns every month. The magazines reach 1.6 million readers per month.

In order to exercise the registrant's right to erasure according to Article 17, the controller requires a separate erasure request form to be printed, filled in and signed and delivered either by post or email to the address tietosou-asiat(at)otavamedia.fi. In addition to the signature, the form is required to fill in the data deletion basis by ticking the appropriate box, the registered person's full name and address information.

In order to exercise his right to access his own data according to Article 15, the data subject can either, after separate registration, log into his customer account at Otavamedia.fi/kirjaudu (the data subject's contact information, order information and marketing permissions are visible) or print, fill in and sign a separate information request form, which must be delivered to the data controller either by mail or email to data protection affairs(at)otavamedia.fi. In addition to the signature, the full name and address information of the registered person must be filled in. In the registration required when logging in to the customer account, the registrant must also fill in his full name and address information.

In the complaints filed with the Data Protection Commissioner's office, the complainants have not received answers to their requests or inquiries regarding the rights of the data subject pursuant to Articles 15 and 17 between October 26, 2018 and June 3, 2019.

The controller has his own e-mail box for handling data protection cases. The box is directed to the customer service contact system (Sap/Merlin), from where the issues are handled by customer advisors and sales service. The box was tested and put into use before the General Data Protection Regulation entered into force in May 2018. After this, the data controller's technical email service provider has changed and the email has changed to a cloud service. In this context, the technical integration between the e-mail system and the customer service contact system has been broken. Inquiries and requests related to data protection made by e-mail during this period have not been forwarded to the data controller's customer advisors and have therefore not been answered.

There has also been no response to the deletion request form submitted by the registered person on September 26, 2018 by mail. The second registrant's request for access to their own data, submitted by email on 27 May 2019 and again on 29 May 2019, was acknowledged by the controller as being processed on 3 June 2019, but the request has not been answered since then. There has also been no response to the deletion request form of another registered person sent by e-mail on May 7, 2020.

Hearing of the controller

On July 2, 2021, the registry keeper has been reserved the opportunity referred to in § 34 of the Administration Act to be heard and to express his opinion on his methods of operation regarding the identification of the data subject and the exercise of the rights of the data subject, and to give his explanation of such requirements and explanations that may affect the resolution of the cases. At the same time, the data controller is given the opportunity to bring forward such matters as referred to in Article 83, Paragraph 2 of the General Data Protection Regulation, which, in the data controller's view, should be taken into account when making a decision and imposing a possible administrative fine.

The registrar has given his answer on 20 August 2021. The questions presented to the data controller in the consultation request and the data controller's answers to them are presented below. For the sake of clarity, it must be stated that the subject of the hearing request was a total of 11 complaints made to the data protection commissioner's office between 27 November 2018 and 11 January 2021. Not all complaints have involved the same legal issues. However, as stipulated in Chapter 5, Section 25 of the Administrative Law, the matters have been prepared together and resolved at the same time.

About identifying the registrant

According to the controller, Article 5(1)(f), Article 5(2) and Articles 12, 24, 25 and 32 of the Data Protection Regulation require the controller to take measures to verify the identity of the user of the rights, as well as to protect the privacy of all registered users, e.g. from attempts at abuse.

The registered person can check his/her personal data continuously independently by logging into his/her customer account on the website of the controller. In the case of other options, the data controller must first verify the identity of the requester in accordance with data protection legislation before the one-month response deadline according to Article 12, Section 3 of the Data Protection Regulation begins to elapse. If the data subject's first contact does not yet meet the criteria required to confirm his identity, the data subject will be informed in the same channel as where he made the contact, which part of his request should be supplemented.

If the data subject wishes to exercise his right to delete his personal data from the register of the data controller, the data controller instructs the data subject to print the deletion form, fill in the requested personal data for identification and then submit the signed form by letter or scanned email using the contact information provided.

The controller sends responses to requests regarding the use of rights by post using the requester's personal information found in the company's personal registers. Therefore, the controller needs the full name and complete home address from the requester, in order to compare the information with the information found in the registers and to make sure that it does not violate the privacy protection of the registered persons by inadvertently or on the basis of the requester's fraudulent activity by handing over personal information to the wrong person.

The registrant's inspection request is processed from the GDPR work queue of the customer service system. The registrant's information is retrieved using the so-called master number from the Power BI report, which is printed and mailed to the registrant's postal address, or attached to the reply of an encrypted email. After this, the case in question is marked as completed in the work queue. In addition, the handling of the case is recorded in the inspection request file of the privacy section of the Teams software with the registered Master number.

The registrant's deletion request is processed from the GDPR work queue of the customer service system. The registrant's information is retrieved using the so-called master number from the customer service system, the existence of the criteria of the General Data Protection Regulation related to the deletion of personal data is checked (e.g. active orders, open invoices). The case is marked as deleted in the GDPR work queue, in which case the data subject's data is immediately removed from the background system. After this, it is checked that the data of the registered person can no longer be found and the matter is registered with the master number in the deletion request file of the privacy section of the Teams software. The registered person will be confirmed to carry out the request through the same channel through which he has submitted the request to the controller. If the deletion cannot be done based on the provisions of the data protection legislation, the data subject will be notified of this through the same channel through which he made the request.

Regarding the deletion of personal data, the controller does not yet have a fully digital, independently implemented alternative. Regarding the deletion of personal data, the controller has e.g. obligations according to data protection and accounting legislation to keep data on different grounds, in which case there is no simple way to implement a fully automated digital erasure request process that is continuously used by the data subject.

According to the registry keeper, the signature requirement is also a structurally effective way, if necessary, to prevent automated rights abuse situations or massive data fishing attempts. The controller also states that, based on the Finlex search service, 376 regulations can be found in Finland's valid, up-to-date legislation that contain articles related to the signature of a natural person.

However, the controller notes that with the registered contacts it has received from the Data Protection Commissioner's office, it has already started in February 2021 to find out which alternative methods of operation it could use to replace the form to be signed.

Regarding the exercise of the rights of the registered person

In the response submitted to the data protection commissioner's consultation request on August 20, 2021, the controller has generally stated that he receives a marginally small number of requests regarding the rights of data subjects each year in proportion to the total size of the company's customer and marketing registers. According to the registrar, about 0.03% of the company's subscriber base approaches the company with requests, and therefore, according to it, the data subjects who contacted the data protection officer's office represent a very small part of the number of people contained in the company's registers, being exceptional individual cases. The controller has stated that it has identified individual technical problems and human errors related to its processes and says that immediately after becoming aware of them, it has taken measures to correct and prevent them in the future.

In accordance with the registrant's operating method, requests from registered users received in all channels are delivered centrally to an email box reserved for data protection matters, where incoming messages are processed by trained professionals. Since the number of requests has always been very small, both in absolute terms and in relation to the size of the data controller's subscriber base, and because requests came through other channels during the state of emergency, unfortunately, according to what the data controller said, he did not know how to suspect that the requests were in some channel, the so-called tucked away.

According to the registrar, during the technical exceptional situation, there were approximately 150 contacts to the data protection e-mail box, and less than 50 of these were related to various matters related to the exercise of registered rights.

The controller has submitted the responses to the data protection commissioner's consultation request as attachments to the six initiators (Appendix 1 of the report and Appendix 2 of the report). The registrar says that he has sent a reply to the initiator in case 5041/157/19 in the form of a letter by post. According to the registrant, in this individual case, unfortunately, there is no copy of the mailed letter, and it has therefore not been able to include the content of the reply letter in the attachment of its response.

In the following, the more detailed questions asked to the data controller in the consultation request and the data controller's answers to them are presented.

1. How long did the technical error described in [3, 4 and 5] exist, and how many requests regarding the data subject's right has the data controller received during this time period, which may not have been implemented due to the technical error in question? If it is not possible to give an exact answer, we would alternatively ask you to give an estimate of the number of requests that were not received due to a technical error.

The technical emergency, which slowed down the response to the complainants' contacts, lasted from November 13, 2018 to May 28, 2019, according to the data controller. During that period, no request regarding the rights of the data subject sent to the controller using the email channel in question has gone unfulfilled. The controller has the certainty that, despite the technical exceptional situation, all messages sent to its e-mail address regarding data protection matters have been received, and all of them have been reacted to without delay after the exceptional situation was detected. Over the years, the controller has only received a small number of contacts from registered users related to checking and/or deleting personal data. At the same time, during the technical emergency, the data controller received some requests from registered users in other customer service channels, the processing of which proceeded according to the normal schedule in the data controller's process.

In accordance with the registrar's modus operandi, data subject requests received in all channels are sent centrally to the registrar's e-mail box reserved for data protection issues, where incoming messages are processed by trained professionals. Since the number of requests has always been very small, both in absolute terms and in relation to the size of the data controller's subscriber base, and because requests came through other channels during the state of emergency, the data controller unfortunately did not know how to suspect that the requests were "hidden" in some channel.

During the technical emergency, there were about 150 contacts to the data protection e-mail box, and of these, less than 50 related to various issues related to the use of registered rights related to the data protection regulation.

2. How does the single processing error described in the answer given in case [6] due to a data break between the deletion processing system and the e-mail system differ from the technical problem described in connection with the explanation given in cases [3, 4 and 5], which the controller has confirmed to have corrected in his answer on 17 June 2019?

According to the registrar, there is an essential difference between the mentioned cases. Things 3, 4 and 5 were related to the IMAP redirection configuration error between the email system and the customer service contact system, i.e. a completely technical and unintentional error situation. In case 6, according to the controller, it was a human error of the employee, as a result of which the processing of the registered request did not proceed from the e-mail system to the personal data deletion process in a manner according to the process. In the answer given by the controller on April 23, 2021 regarding the case in question, the controller states that he used a somewhat open-ended expression for the reason that led to a one-day delay in implementing the registered request (31 days and not 30 days), and specified the facts, confirming that at the time of the case described in case 6, there was no technical fault in the controller's systems .

3. In its response in case [2], the controller has stated that it was difficult to fulfill the request of the registered person in accordance with Article 15 to get access to his data, e.g. because of its enterprise control system that changed in 2019 and the lack of information provided by the data subject (name and email). What information does the data controller consider necessary in order to fulfill the data subject's request according to Article 15 within the deadline according to Article 12?

In its response to the data protection commissioner's consultation request, the controller specified that it delivered a written response to the data subject on October 8, 2019. In addition, the data controller said that, in its opinion, the information necessary to implement the inspection request, in compliance with the data controller's duties of care and protection, are the data subject's first and last name, postal address, and signature. The data controller admits that the degree of necessity of the signature is not as great, however, and the data controller is ready to expand its interpretation if the supervisory authorities receive justifications that the data controller is considered to be acting in compliance with the obligations of the General Data Protection Regulation, i.e. carefully and sufficiently protecting privacy without signature confirmation.

The controller also states in his response that starting from February 2021, he has analyzed and tested an alternative procedure in which the signature has not been required as a mandatory requirement for all registrants. If, for example, the data subject has contacted the data controller's customer service and said that he does not have a printer or scanning device, the inspection request has been received by email or telephone, if the person's identity has otherwise been sufficiently identified. According to the registrar's understanding, a request for inspection of personal data in particular is a procedure that imposes a high obligation on the registrar to verify the identity of the data subject, as the registrar actively discloses information in its register to the requester.

The company's 2020 financial statement and information on the company's turnover

The registrar has submitted the company's financial statements for the 2020 financial year. According to the information obtained from the financial statements, the turnover of the registrar in 2020 was EUR 85,882,379.48.

Corrections to the facts presented in the consultation request

In the facts of the consultation request submitted to the data controller, it was stated that no response had ever been submitted to the requests of the data subjects detailed below. The registrar presented the following corrections to the facts in question.

"There has also been no response to the deletion request form sent by registered post on September 26, 2018." - a written answer has been delivered to the initiator on July 2, 2019.

"The second registrant's request for access to their own data, submitted by email on 27 May 2019 and again on 29 May 2019, has been confirmed by the controller to be processed on 3 June 2019, but the request has not been answered since then." - a written answer has been delivered to the initiator on October 8, 2019.

"There has also been no response to the deletion request form of another registered user sent by e-mail on May 7, 2020." - the initiator has been sent a written response first by post on June 9, 2020, and then additionally by email on April 23, 2021.

Sanction statement

In the view of the controller, according to the presenter's preliminary assessment, there are no grounds defined in the General Data Protection Regulation for the administrative penalty fee. According to the controller, its processes are in accordance with data protection legislation. For the reasons described above, individual, regrettable deviations have occurred in these processes, which have been clarified after they came to the knowledge of the controller. According to the data controller, the deviations are minor, and they have not endangered the privacy of the data subjects or caused damage. After becoming aware of the deviations, the controller has taken measures without delay to avoid similar deviations in the future. Everyone who used their rights during the deviation period has been answered, and the rights have been implemented.

The nature, severity and duration of the breach, taking into account the nature, scope or purpose of the data processing in question

According to the data controller, all data subjects who filed a complaint have had their rights exercised in full, which has been confirmed both for them and the data protection commissioner's office, and that the alleged violation of regulations regarding the rights of the data subject does not pose a significant risk to the data subjects' rights. According to the registrar, these are individual exceptional cases that do not reflect a more systematic violation or a lack of appropriate practices. The controller has had no interest whatsoever in slowing down or making it difficult for registered users to exercise their rights.

The background to the consultation request is a total of 11 people contacting the data protection commissioner's office. According to the data controller, the number is marginal, in relation to the total number of registrants in the data controller's customer and marketing registers. During the technical state of emergency, there were approximately 50 contacts regarding the rights of registered users, and all of them have since been answered without delay and the rights have been implemented.

The number of registrants affected by the breach and the extent of the damage caused to them

According to the controller, the number of registered persons in the sphere of influence is very small, both absolutely and relatively. According to it, the alleged violation by the data controller has rather protected the confidentiality of information subject to the obligation of confidentiality, as the data controller offers an option for exercising the rights, in which the person signs a request form. The controller says that it has not denied anyone their rights and has not prevented them from monitoring their own personal data. Due to regrettable individual deviations in the process, the realization of rights has been slowed down for a few individuals, but not prevented.

According to the data controller, in the decision concerning Posti Oy issued by the sanction panel of the data protection authorized office on 18 May 2020 ("Posti case", dnro 3818/161/2020), the imposition of an administrative penalty fee was deemed necessary because "in addition to the notice, the imposition of an administrative penalty fee on the controller must be evaluated, as the persons in question deficiencies in the processing of personal data by the controller have affected the rights of hundreds of thousands of registered users".

In the case of the registrar, a few, individual exceptions to the otherwise functioning processes have affected a substantially lower number of registrants. The controller states that it has shown what kind of amounts are being talked about in the use of registered rights in its business.

Intentional or negligent breach

The controller states that he has not in any way intentionally or negligently violated the data protection legislation, and the presenter who prepared the consultation request has not claimed such a thing either. In the rapporteur's preliminary assessment of the legal issues to be resolved, it is suggested that the data controller should have sufficient internal instructions for the staff. Such guidance exists and professionals working with personal data are aware of the processes by which data subjects' requests are processed. In the ways described above, in the individual cases of the complainants, there have been regrettable deviations in the processes, which have been addressed immediately after they became apparent. Intentional infringements that manifest a disregard for the law are generally considered more serious than unintentional infringements, and therefore intentional acts would be more likely to be subject to an administrative fine than unintentional ones, according to the WP29 guidelines on administrative fines issued on 3 October 2017. In connection with the development and change projects implemented in the registrar's technical systems, the process-oriented operation has been unintentionally interrupted, and this has been reacted to immediately after it came to light.

According to the guidelines of the WP29 group, circumstances that manifest a willful violation can be illegal data processing, which has been expressly authorized by the controller's top management, or which is carried out regardless of the instructions of the data protection officer or valid operating principles. According to the WP29 guidelines, other factors, such as human error or failure to make technical updates in a timely manner, may indicate negligence. The controller has sufficient resources to meet the requirements of data protection legislation. The controller does not claim that the deviations from the processes were caused by the under-sizing of resources. In 2018–2019, the registrar implemented development and renewal projects for numerous systems, with the aim of modernizing software and operating models to meet changed needs and changed legislation. Several dozens of experts worked on the software projects, both with the data controller and selected supplier partners. The technical deviation in the IMAP specification was such that it could not have been detected in practice as part of normal work.

According to the registrar, with the help of the additional information provided in this report, the sanctioning board will be able to conduct its research even better than the previous material in order to be sure of the facts of the case and to guarantee that the special circumstances of each individual case have been taken into account. In this case, the additional information contained in the report helps, according to the data controller, to confirm that it is not an intentional or negligent violation of the legislation by the data controller, and that corrective measures have already been taken and each data subject has been answered appropriately, and the rights they requested have been implemented. In the Posti case, the sanctions panel stated: "It should also be noted that it is the responsibility of the data controller itself to ensure that it complies with the provisions of the law in its operations. Based on the explanations and answers given in the case, it can be considered that the data controller is not sufficiently familiar with the applicable legislation and the relevant interpretation instructions, which partly shows the negligence of the violation."

According to it, such an allegation of lack of familiarity has not been claimed for the registrar, and such a claim should not be made. According to what he said, the controller has, on the contrary, made an explicit effort to familiarize himself with the legislation and make reasoned interpretations, both with the help of data protection professionals on the company's payroll and external experts specialized in data protection legislation. In addition, support for the interpretation has been sought from the field of industry organizations. The data controller has had a firm understanding when studying the legislation and official instructions that in connection with the exercise of the data subject's rights, the data controller's obligations require sufficiently strong identification of the data subject, including providing a signature on the form. The data controller has used the data controller's freedom of choice expressly permitted by the general data protection regulation and the official guidelines when fulfilling its data protection obligations.

Actions taken by the registrar to mitigate the damage caused to the data subjects

According to the data controller, the data subjects have not been harmed by individual deviations in the data controller's processes. Each complainant has had their request fulfilled, i.e. their data checked and/or deleted (unless the controller has had a legal obligation to continue processing the data).

According to what he said, the registrar has responded to each of the complainants' contacts, contrary to what is wrongly claimed in the presenter's consultation request. According to the registrar, it is possible that the complainants have not confirmed the registrar's responses they received at the Data Protection Commissioner's office, and for this reason the presenter is left with the impression that the registrar has not fulfilled the response obligations set for it in the data protection legislation. According to the WP29 guidelines, in cases where an assessment based on other criteria leads the supervisory authority to doubt the appropriateness of an administrative fine, either as a sole remedial measure or in combination with other measures under Article 58, aggravating or mitigating circumstances may help to select appropriate measures by shifting the focus to measures that prove to be effective, proportionate and to warn in a given case. Based on this provision, the degree of responsibility of the controller is assessed after the breach. It can be applied in cases where the controller has clearly not acted recklessly or negligently and where it has done everything in its power to correct its actions after becoming aware of the breach.

Experience gained from the application of Directive 95/46/EC by supervisory authorities has previously shown that allowing some degree of flexibility may be reasonable when it comes to data controllers who have admitted their violations and taken responsibility for correcting or limiting the effects of their actions. An example of this is, according to the WP29 group, e.g. a situation where the controller takes timely action to prevent the infringement from continuing or from expanding to a level or stage where the effects would be much more serious.

The controller says that immediately after receiving information about the process deviation, he took measures to resolve and correct the situation, which has been confirmed both to the data protection commissioner's office and to the registrants who filed complaints. The measures have prevented the continuation and expansion of the deviation. According to it, the deviation has not been of any benefit to the controller, but it has been in its interest to detect and correct the deviations without delay.

In its response, the controller refers to Posti's case, in which the sanctions panel gave weight to the fact that, in its opinion, Posti had not taken the change measures it intended and confirmed within a reasonable time, contrary to what the controller has done in this case: that 'Posti is investigating the possibilities of adding information about the features of the change of address service and improving the visibility of the non-disclosure in the online service'. With a request for additional clarification on January 10, 2020, Posti was asked what measures had been taken in the matter since then. In the response to the request for additional clarification, the changes that Posti had made were reported. The significance is that these changes were only made after a request for additional clarification in early 2020, even though Posti had already announced in the fall of 2017 that it was investigating the possibilities of improving transparency.

Furthermore, in the Posti case, the sanctions panel stated: "The data controller has announced that it will change the service process of its online service on March 20, 2020, i.e. just under two years after the start of the application of the General Data Protection Regulation. Therefore, the violation cannot be considered short-term in duration. The duration of the violation can be said to reflect the deliberate action of the data controller."

The controller encountered an exceptional situation regarding the IMAP configuration of the e-mail system in early 2019, shortly after the entry into force of the General Data Protection Regulation, and immediately took corrective measures. The end of 2018 and the beginning of 2019 were everywhere, including at the data controller, a very busy time in matters related to data protection, when the processes in accordance with the new legislation, achieved through long and extensive planning, were actually put into use. According to the registrar, unfortunately, in this very extensive change process, the error in the IMAP configuration was left without sufficient attention by the registrar, completely unintentionally. The registrar refers to how in the Posti case the sanctions panel also stated: "Let it be stated that the data subjects have not been shown to have suffered concrete financial or other material damage as a result of the violation in question, which can be taken into account in the evaluation as a factor reducing the amount of the administrative penalty."

The degree of responsibility of the controller, taking into account the technical and organizational measures taken by them under Articles 25 and 32

The controller had implemented both technical and organizational measures to guarantee the principles of built-in and default data protection. It was disappointing for the registrar himself to discover that, despite these measures, technical exceptional situations could arise.

According to the data controller, the technical deviations that led to delays in the use of the data subject's rights lasted for about half a year. Immediately, when the problems have come to the knowledge of the data controller, they have been reacted to, and at the same time it has been ensured that the problems had not led to the blocking of requests from the data subjects, but to a momentary slowdown.

According to the controller, the duration described above was short. According to the controller, it has in no way manifested the controller's deliberate action, neglect of appropriate preventive measures or inability to implement the necessary technical and organizational measures. With its technical and organizational measures and processes regarding the use of the data subject's rights, the data controller explicitly aimed to achieve the appropriate level of security in accordance with Article 32, as well as to protect the privacy of data subjects in ways that the data controller has interpreted as being in accordance with the General Data Protection Regulation (including ensuring the data controller's identity by requiring a signature in one of the request options).

Any previous similar violations by the controller

Employees currently working on data protection issues at the data controller are not aware that the data controller has ever been found by the supervisory authorities to have violated the general data protection regulation or that allegations of a suspected violation have been made.

The degree of cooperation with the supervisory authority in order to correct the violation and mitigate its possible adverse effects

If the actions of the data controller did not have negative consequences on the rights of individuals or the effects were less than they might otherwise have been, this can be taken into account, according to the guidelines of the WP29 group, when choosing a proportionate remedial measure in each case. In addition, as a relevant factor when evaluating cooperation with the supervisory authority, it can be taken into account whether the controller has reacted to the requests of the supervisory authority during the investigation of the case in question in such a way that it has significantly limited the impact on the rights of individuals.

Cooperation with the authorities in the cases referred to in the consultation request has been open, within a deadline and willing to take action. The registrant has responded to every inquiry submitted to it by the authority, provided all the requested information and stated in each response which measures it has already taken or will take. In addition, the controller has justified why it interprets the provisions of the General Data Protection Regulation, which in many places leave room for interpretation, in the way it has chosen. In the Posti case, the sanctions panel stated: "In its reply on 20 March 2020, Posti has stated its desire to correct its operations, should the supervisory authority not consider that it meets the requirements of the data protection regulation in some respects. This must be seen in Posti's advantage."

The controller has cooperated with the authorities and has always been open to corrective measures, and is ready to expand its interpretation of the methods of implementing the identification requirement set for the controller, especially based on feedback from customers. The data controller repeatedly trains the customer service staff about the rights of data subjects and their implementation processes. More verification measures have been introduced into the processes and a clearer written log has started to be kept.

Personal data groups affected by the breach

In the situations covered by the consultation request, only the so-called ordinary personal data, no special personal data groups according to Articles 9 and 10 of the General Data Protection Regulation. The inspection and deletion request forms deal with the registered person's first and last name, postal address, and signature, as well as the choices checked by the registered person regarding the grounds on which he requests his data to be deleted.

According to the data controller, the amount of data to be processed is therefore extremely limited. According to the guidelines of the WP29 group, importance can also be given to whether the processing concerns information, the dissemination of which would cause immediate damage/harm to an individual. In the case of the registrar, it has not even been claimed that personal data covered by privacy protection has been disseminated to outsiders - this is precisely what the registrar has tried to prevent with its appropriate process related to the use of rights and its signature requirement.

The controller states that, taking into account the limited amount of information contained in the request form, it can be concluded in any case that the spread of the information in question would not cause immediate damage/harm to the individual, as the person's name and home address are mostly easily and free of charge/very cheaply available to anyone in Finland.

The manner in which the breach came to the attention of the supervisory authority

According to the registrar, the complaints covered by the consultation request, which have been related to individual deviations in the registrar's processes, have helped the registrar detect these situations that deviate from the operating methods. In each of its responses, the controller has openly and cooperatively stated that the deviations have come to its attention as a result of the complaints made by the registrants, and that it has been grateful to have been informed of them. According to its reasoned interpretation, the controller has not assessed that it should have turned to the data protection authority regarding the signing requirement of its form. The controller has been of the opinion that requiring a signature is still a completely normal way of operating in Finland based on hundreds of different laws and everyday practices, and that the general data protection regulation does not specifically say anything about this detail, nor has anything been found in the official guidelines on this specific matter. In the instructions on the website of the Office of the Finnish Data Protection Commissioner, the supervisory authority states: "Submit an inspection request directly to the data controller. You can get more information about which is the right channel, for example, on the website of the data controller or by contacting the customer service of the data controller." According to the specific instructions of the supervisory authority, it is up to the registry keeper to make choices about which channel and how the inspection requests are instructed to be made.

If measures referred to in Article 58 paragraph 2 have previously been ordered for the same matter to the data controller, compliance with these measures

The data controller has not been ordered to take the measures referred to in Article 58, Paragraph 2 of the General Data Protection Regulation for the same matter. If such had been prescribed by a legally binding decision, the controller would naturally have complied with them in full. The data controller has carried out extensive process and staff training projects before and during the entry into force of the General Data Protection Regulation, so that the data controller's processes comply with the legislation in all respects. The General Data Protection Regulation contains very many provisions that are open to interpretation, and no specific official instructions have been given regarding many provisions – such as the requirement of a registered signature as part of the verification of the registered person's identity and thus the protection of the registered person's privacy. Thus, in some places, data controllers have been left with a broad right and obligation to interpret the law in practice in their own operations, and this is how the data controller has acted, and had the understanding of the legality of their interpretation.

Possible other aggravating and mitigating factors applicable to the case, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation

According to the registrar's opinion, there are no aggravating factors in the cases that are the subject of the consultation request, and the presenter has not presented any such, according to the registrar's opinion.

According to the guidelines of the WP29 group, the information about the benefit obtained from the alleged violation may be particularly relevant for supervisory authorities, since the financial benefit obtained from the violation cannot be compensated by measures that do not involve a payment penalty. According to it, the controller has not received any kind of financial benefit from the individual deviations that occurred in its processes. Everyone who filed a complaint (11) has had their request fully implemented, i.e. their personal data checked and/or deleted. The controller states that, alongside the request to delete personal data, all registered users also have the option to notify the controller of a ban on direct marketing. The data controller's data protection statement describes: "Everyone in the registers covered by this data protection statement has the right to object to the processing of their personal data for direct marketing. The ban can be implemented by contacting the data controller's customer service."

In the case of electronic marketing messages, a ban on direct marketing can also be given by clicking on the "unsubscribe" link in the email message, and the customer service channel accepts bans by e.g. phone, email and letter.

Regarding the ban on direct marketing, the controller has not required sending a signed form. Regarding the evaluation of the financial benefit, on the contrary, it could be stated that the observed individual deviations have caused harm to the data controller and additional costs in the form of additional work required to correct technical processes and additional work caused by responses prepared for contacting authorities and the costs paid for them. It is in the interest of the data controller that individual deviations of the kind described would not have occurred, as it has no interest whatsoever in trying to prevent data subjects from checking their data or deleting it. Those who are registered always have the option to make direct marketing bans, and for them, a form and its confirmation with a signature has not been a prerequisite. It has been possible to analyze those who have made a deletion request that most of the time they are so-called "old passive customers", i.e. people who do not have any valid order for the data controller's product or service at the time of making the deletion request. Each marketing measure always incurs costs for the data controller, and based on the analytics, it can be concluded that it would not even be worthwhile to target direct marketing to those who request deletion. They are not the most likely repeat subscribers. The temporary slowdown in the execution of deletion requests did not cause any financial benefit to the data controller. In practice, the so-called "old passive customers" are most often not even selected for direct marketing target groups, in which case it is likely that direct marketing would not have been targeted to those who made a complaint during the technical failure.

In the Posti case, the sanction panel stated: "Instead, the question is about the financial benefit that may have been obtained by the violation, i.e. whether Posti has received a financial benefit from the fact that the information provided by it has not been transparent. As has already come up in the case, for example, in 2019, 161,518 change of address notifications had been made for which the product terms and conditions had not become acceptable. If the conditions had become acceptable, it is possible that some of those who made the notification would have forbidden the disclosure of their information. In that case, Posti would not have received the amount of money it had received for handing over the information of such persons."

According to it, the situation of the data controller differs substantially from the situation of Posti described above, where it could be interpreted that Posti had a theoretical financial advantage from the alleged violation of the legislation. In the case of the data controller, the presenter has not even claimed that in the data controller's case it is a question of any kind of financial gain, and the data controller has naturally not attempted to do so through technical errors or sufficient identification of the data subject.

Applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (data protection regulation) has been applied since 25 May 2018. As a regulation, the legislation is immediately applicable law in the member states. The general data protection regulation is specified by the national data protection act (1050/2018), which has been applied since January 1, 2019. The previously valid Personal Data Act (523/1999) was repealed by the Data Protection Act.

According to Article 5(1)(c) of the General Data Protection Regulation, personal data must be relevant and relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").

According to Article 12, Paragraphs 1, 2, 3, 4 and 6 of the General Data Protection Regulation, the data controller must take appropriate measures to provide the data subject with the information in accordance with Articles 13 and 14 and all processing information in accordance with Articles 15-22 and 34 in a concise, transparent, easy-to-understand format and in an accessible form in clear and simple language, especially when the information is specifically intended for a child. The information must be submitted in writing or in another way and, as the case may be, in electronic form. If the data subject requests it, the information can be given verbally, provided that the identity of the data subject has been confirmed in another way.

The controller must facilitate the exercise of the data subject's rights according to Articles 15–22. In the cases referred to in Article 11, paragraph 2 of the General Data Protection Regulation, the data controller may not refuse to act at the data subject's request to exercise the rights according to Articles 15 to 22 hereof, unless the data controller proves that it is unable to identify the data subject.

The controller must provide the data subject with information on the measures taken as a result of the request made pursuant to Articles 15 to 22 without undue delay and in any case within one month of receiving the request. If necessary, the deadline can be extended by a maximum of two months, taking into account the complexity and number of requests. The controller must inform the data subject of such a possible extension within one month of receiving the request and the reasons for the delay. If the data subject submits the request electronically, the information must be submitted electronically as far as possible, unless the data subject requests otherwise. If the data controller does not take measures based on the data subject's request, the data controller must inform the data subject immediately and no later than one month after receiving the request of the reasons for this and inform about the possibility of filing a complaint with the supervisory authority and using other legal remedies.

If the data controller has reasonable grounds to suspect the identity of a natural person who has made a request in accordance with Articles 15–21, the data controller may request the submission of additional information that is necessary to confirm the identity of the registered person, without prejudice to the application of Article 11.

According to Article 15 of the General Data Protection Regulation, the data subject has the right to receive confirmation from the controller that personal data concerning him or her is processed or that it is not processed, and if processed, the right to access the personal data and the information in accordance with Article 15 paragraph 1 a-h.

According to Article 17 of the General Data Protection Regulation, the data subject has the right to have the data controller delete the personal data concerning the data subject without undue delay, and the data controller has the obligation to delete the personal data without undue delay, provided that one of the criteria in Article 17, paragraph 1, subparagraphs a-f is met.

According to Article 25, Paragraph 1 of the General Data Protection Regulation, taking into account the state-of-the-art technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and severity of risks to the rights and freedoms of natural persons caused by the processing, the controller must effectively implement data protection principles, such as appropriate technical and organizational measures for data minimization, implementation, such as pseudonymization of data and the necessary protective measures, so that they can be included as part of the processing and so that the processing complies with the requirements of this regulation and the rights of data subjects are protected.

According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that personal data is not, by default, made available to an unlimited number of people without the contribution of a natural person.

Pursuant to Article 58(2)(i) of the General Data Protection Regulation, the supervisory authority may impose an administrative fine in addition to or instead of the measures referred to in Article 58(2), taking into account the circumstances of each individual case.

According to Article 83, paragraph 1 of the General Data Protection Regulation, the imposition of administrative fines for violations of the General Data Protection Regulation must be effective, proportionate and warning in each individual case.

According to Article 83(2) of the General Data Protection Regulation, the administrative penalty fee is determined in accordance with the circumstances of each individual case in addition to or instead of the measures referred to in Article 58(2)(a) through (h) and (j). When deciding on the imposition of an administrative penalty fee and the amount of the administrative penalty fee, in each individual case, according to Article 83(2) of the General Data Protection Regulation, the following points must be properly taken into account:

a) the nature, severity and duration of the breach, taking into account the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the breach and the extent of the damage caused to them; b) the intentionality or negligence of the breach; c) actions taken by the controller or personal data processor to mitigate the damage caused to the data subjects; d) the degree of responsibility of the controller or processor of personal data, taking into account the technical and organizational measures taken by them pursuant to Articles 25 and 32; e) possible previous similar violations of the controller or personal data processor; f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate its possible adverse effects; g) groups of personal data affected by the breach; h) the manner in which the breach came to the attention of the supervisory authority, in particular whether the controller or personal data processor notified the breach and to what extent; i) if measures referred to in Article 58 paragraph 2 have previously been imposed on the relevant data controller or personal data processor for the same matter, compliance with these measures; j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and k) any other aggravating or mitigating factors applicable to the case, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation.

Violations of the provisions of Article 83(4)(a-c) of the General Data Protection Regulation shall be subject to an administrative fine of up to EUR 10,000,000 or, in the case of a company, two percent of the annual global turnover of the preceding financial year, whichever is greater, in accordance with Article 83(2) is greater.

Violations of the provisions of Article 83(5)(a-e) of the General Data Protection Regulation shall be subject to an administrative fine of up to EUR 20,000,000 or, in the case of a company, four percent of the total annual global turnover of the previous financial year, whichever is greater, in accordance with Article 83(2) is greater.

Legal issues

The Data Protection Commissioner evaluates and resolves the initiators' cases on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679. The following must be assessed:

1. is the data controller's established procedure for submitting a request for the right of access and deletion of the registered person's data on a form to be signed in accordance with Article 12(2) and (6), Article 5(1)(c) and Article 25(2) of the Data Protection Regulation;

2. has the controller implemented the complainants' right to access their own data in matters 3, 4 and 5 in accordance with Article 12, Paragraphs 1 and 3 and Article 15, Paragraphs 1 and 3 of the General Data Protection Regulation;

3. has the data controller implemented the complainants' right to have their data deleted in matters 1, 6 and 5 in accordance with Article 12, Paragraphs 1 and 3 and Article 17 of the General Data Protection Regulation;

4. whether the data controller has exercised the right of the registered person in case 2 according to Article 15 to have access to his own data in accordance with Article 12 paragraphs 2, 3 and 4; mixed

5. whether the operation of the data controller has been in accordance with the built-in and default data protection provided for in Article 25, paragraph 1 of the General Data Protection Regulation with regard to the implementation of registered rights and the procedure related to them.

The data protection commissioner must also decide whether the data controller must be given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of the General Data Protection Regulation. In addition, the data protection commissioner assesses whether other remedial powers belonging to the data protection commissioner should be used in the case.

The data protection officer's decision and reasons

Decision

1) The Data Protection Commissioner considers that the data controller's established method of making a request for the right of access and erasure of the data subject's own data on a form to be signed is not in accordance with Article 12(2) and (6), Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation.

Regulation

Pursuant to Article 58 paragraph 2 subsection d of the General Data Protection Regulation, the Data Protection Commissioner obliges the data controller to correct its operating procedures in accordance with the General Data Protection Regulation and to waive the requirement for a form to be signed, with reasons that are more clearly stated in the reasons for the decision. The data protection commissioner obliges the data protection officer to notify the data protection officer's office of the changes made due to the obligation by August 1, 2022, unless the data protection officer applies for an amendment to this decision.

2) In all cases, the Data Protection Commissioner considers that the data controller has not implemented the initiators' right to access data in accordance with Article 12, paragraphs 1 and 3 and Article 15, paragraphs 1 and 3 of the General Data Protection Regulation.

3) In all cases, the Data Protection Commissioner considers that the data controller has not implemented the initiators' right to have the data deleted in accordance with Article 12, Paragraphs 1 and 3 and Article 17 of the General Data Protection Regulation.

4) The Data Protection Commissioner considers that the data controller has not implemented the right of the initiator in the case in accordance with Article 15 to get access to his own data in accordance with Article 12, paragraphs 2, 3 and 4.

5) The Data Protection Commissioner considers that the operation of the data controller has not been in accordance with the built-in and default data protection stipulated in Article 25, Paragraph 1 of the General Data Protection Regulation with regard to the implementation of registered rights and the procedure related to them.

Note

The Data Protection Commissioner gives the data controller a notice in accordance with Article 58, Paragraph 2, Subsection b of the General Data Protection Regulation regarding neglecting to exercise the rights of the data subjects.

The initiators' rights in points 2, 3 and 4 have finally been implemented, albeit with a delay, due to the contacts of the data protection authorized office. The registrar has also announced that it has worked on procedures for the implementation of registered rights. Consequently, the Data Protection Commissioner does not see the need to issue a separate order in the matter.

Reasoning

Identification of the registrant

The General Data Protection Regulation has no provisions on how the identity of the data subject must be verified. Article 12, paragraph 2 of the regulation states, however, that the controller may not refuse to act at the request of the data subject to exercise rights, unless it processes personal data for a purpose that does not require the identification of the data subject, and can demonstrate that it is unable to identify the data subject. According to Article 11, paragraph 2 of the regulation, the data subject can in such situations provide additional information that can be used to identify him. In addition, paragraph 6 of Article 12 stipulates that if the controller has reasonable grounds to suspect the identity of the data subject, it may request additional information to confirm the identity of the data subject. If the data subject provides additional information that can be used to identify him, the controller may not refuse to perform the requested action. According to the guidelines prepared by the data protection working group (WP29) approved by the European Data Protection Board (WP242 rev.01), data controllers must in any case implement an authentication procedure in order to be able to reliably identify the data subject who requests their personal data or, more generally, exercise their rights according to the General Data Protection Regulation.

The controller has often already verified the registered person's identity before entering into a contract or obtaining processing consent from him. In that case, the personal data that has been used to register the person in question can also be used as evidence to identify the registered person's identity. For example, if data processing is connected to a user account, entering the relevant username and password might be sufficient to identify the data subject. In these cases, prior identification of the data subject may require a request to prove his/her legal personality, but such verification may not be essential for assessing the connection between the data and the person in question, since such a connection is not related to official identity or legal personality. The possibility for the controller to request additional information for identity assessment cannot lead to unreasonable demands and the collection of personal data that are not essential or necessary to confirm the connection between the person and the requested personal data.

As stated above, often such procedures suitable for identification are already in use. For example, with the help of usernames and passwords, people can often access information about their e-mail accounts, online social service accounts and accounts used for various other services, which some use without revealing their full name and identity. According to recital 57 of the preamble of the General Data Protection Regulation, identification should include the digital identification of the data subject, for example by means of an authentication mechanism, such as by using the same identifiers that the data subject uses when logging into online services provided by the data controller.

In order to exercise the registrant's right to erasure according to Article 17, the controller requires a separate erasure request form to be printed, filled in and signed and delivered either by post or email to the address tietosou-asiat(at)otavamedia.fi. In addition to the signature, the form is required to fill out the reason for data deletion by ticking the appropriate box, the registrant's full name and address information. In order to exercise his right to access his own data according to Article 15, the data subject can either, after separate registration, log into his customer account at Otavamedia.fi/kirjaudu (the data subject's contact information, order information and marketing permissions are visible according to the data controller's website) or print, fill in and sign a separate information request form, which must be delivered to the data controller either by post or by e-mail to the address tietosuo-asiat(at)otavamedia.fi. In addition to the signature, the full name and address information of the registered person must be filled in. In the registration required when logging in to the customer account, the registrant must also fill in his full name and address information in addition to his email. Based on the report received from the controller, the practice described above can be considered an established operating method. It is also described in the data controller's privacy statement.

The data controller's privacy statement states the following regarding the right of access: "You get access to your own data after registration at Otavamedia.fi/kirjaudu. Otherwise, you can exercise your right by contacting the data controller's customer service and, based on your appropriate and identified request, we will provide you with a report on the personal data that has been collected about you in the personal register." Below the text is a link to the separate review request form described above, to be signed, where the required data content (name, street address, postal code, place of business, country) corresponds to the form required by the data controller for deletion requests. With regard to deletion requests, the only way to present the request to the controller is to offer the respective signature deletion request form.

In its report, the data controller has stated that, in its view, the information necessary to implement the inspection request in compliance with the data controller's duties of care and protection are the data subject's first and last name, postal address, and signature. The data controller admits that the degree of necessity of the signature is not the same, however, and the data controller is ready to broaden its interpretation if the supervisory authorities receive justifications that the data controller is considered to be operating in compliance with the obligations of the data protection regulation, i.e. carefully and sufficiently protecting privacy without signature confirmation.

The controller also states in his response that starting from February 2021, he has analyzed and tested an alternative procedure in which the signature has not been required as a mandatory requirement for all registrants. If, for example, the data subject has contacted the data controller's customer service and said that he does not have a printer or scanning device, the inspection request has been received by email or telephone, if the person's identity has otherwise been sufficiently identified. According to the registrar's understanding, a request for inspection of personal data in particular is a procedure that imposes a high obligation on the registrar to verify the identity of the data subject, as the registrar actively discloses information in its register to the requester.

According to Article 5(1)(c) of the General Data Protection Regulation, personal data must be relevant and relevant and limited to what is necessary in relation to the purposes for which it is processed. Article 25, paragraph 2 of the General Data Protection Regulation, which is closely linked to the principle, lists the aspects of the obligation to minimize data by default. It states that the obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. According to Article 5, Paragraph 1, Subsection c of the General Data Protection Regulation, the controller should not request more information from the data subject than is necessary for his identification.

The controller is a Finnish media company that publishes 22 public magazines and publishes more than 15 online services in Finland. The data controller represents all online audiences in Otava - the online services of Otavamedia and Otava Market Places together reach more than 3.6 million Finns every month. The magazines reach 1.6 million readers per month. Due to its industry, the controller does not, as a general rule, process information pertaining to customers belonging to special personal data groups according to Article 9, which could justifiably result in a stronger procedure regarding the identification of the data subject. In its operations, the controller also does not process and does not need to process the signature data of the registered person. The data controller therefore collects the data in question specifically for the purpose of identifying the data subject. Based on the report received, the Data Protection Commissioner considers that the data controller thus collects more information for identification purposes than it originally had.

The signature information on the form used in connection with the identification must therefore be interpreted in the case at hand as additional information in accordance with Article 12, paragraph 6, which the controller should only request if it has reasonable grounds to suspect the identity of the registered person. According to the registrar, it is specifically an alternative way of identification with regard to the right of access according to Article 15. However, the method has been mentioned as a parallel means of identification in the data controller's privacy statement. It should also be noted that upon logging into the customer account, the data subject only has access to marketing permits and contact and order information (cf. the information listed in Article 15 of the General Data Protection Regulation), according to the information on the controller's website.

The controller has stated in the response to the clarification request that, according to the controller, the submission of a signature is not an unreasonable request in connection with the exercise of the right, when the right is exercised elsewhere than by logging into an electronic customer account. The controller's appeal to Article 5(1)(f) and (2) and Articles 12, 24, 25 and 32 of the General Data Protection Regulation regarding measures to verify the identity of the user of the rights and to protect the privacy of data subjects, e.g. from abusive companies cannot lead to unreasonable demands and the collection of personal data that are not essential or necessary to confirm the connection between the person and the requested personal data. According to the registrar, it is not possible to completely eliminate the risks of misuse related to identity with any method, but with the requested information and their confirmation with a signature, the risk level is accordingly very low, which is in the interest of both the registered and the registrars.

It must be stated that although the appropriate channel for exercising the data subject's rights has been left up to the data controller to decide, it does not follow from this that the data controller could, by default, completely ignore such requests from data subjects that are submitted to it through another channel. This also does not mean that the data controller can create new conditions that are contrary to the data minimization principle in order to exercise the data subject's rights. According to the controller, the data protection regulation contains very many provisions that are open to interpretation, and no specific official instructions have been given for many provisions - such as the requirement of the registered person's signature as part of the verification of the registered person's identity and thus the protection of the registered person's privacy. The Data Protection Commissioner emphasizes that the General Data Protection Regulation itself does not contain provisions regarding the requirement of the registered person's signature as part of the verification of the registered person's identity. (According to Section 28 of the repealed Personal Data Act (523/1999), anyone who wishes to check their personal information as referred to in Section 26 must submit a request to the controller in a handwritten or similarly certified document or in person at the controller's office. There is no corresponding regulation however, can be found in the general data protection regulation or the data protection act supplementing it (1050/2018)). However, the Data Protection Working Group (WP29), which preceded the European Data Protection Board, has issued official guidelines related to the identification of the data subject in the guidelines regarding the right to transfer data from one system to another (WP242 rev.01) even before the application of the General Data Protection Regulation began in May 2018.

In addition to preventing risks of abuse, the data controller's obligation to facilitate the exercise of the data subject's rights according to Article 12, Sections 2 and 6 of the Data Protection Regulation must be taken into account when identifying the data subject. Taking into account the fact that the personal data processed by the data controller do not fall into the special personal data groups according to Article 9, for which stricter technical and organizational protection measures may be required in principle, and the fact that the data controller already has e.g. electronic registration possibility and the possibility to contact the controller by e-mail, it is not justified to require the use of a form to be signed in accordance with the rules. In addition to possible risks of abuse, the nature of the personal data in question and the nature of the request and the context in which the request is made should also be taken into account when evaluating the method of identifying the registered person. Although it is justified to take into account the different situations of the data subjects and offer different options for exercising the data subject's rights (e.g. by post or on-site visit), in accordance with the preamble of the General Data Protection Regulation, the controller should include in the identification the digital identification of the data subject, for example by means of an authentication mechanism, such as using the same identifiers , which the data subject uses when logging into the online services provided by the data controller.

Although, according to what he said, the data controller has obligations to keep data on different grounds when it comes to the deletion of personal data, and therefore does not have a simple way to implement a fully automated digital deletion request process that is continuously used by the data subject, the data protection commissioner states that the request itself should nevertheless be possible to submit without submitting a separate signed form to identify the data subject for. In addition, the collection of registered signature data that is unnecessary and contrary to the principle of information minimization may, despite its goal, even increase the potential risks of abuse while at the same time making it more difficult to exercise registered rights instead of facilitating their use.

Thus, the Data Protection Commissioner states that requiring the printing, filling and signing of a separate form to identify the data subject is not in accordance with Articles 12, paragraphs 2 and 6, Article 5, paragraph 1, subparagraph c, and Article 25, paragraph 2 of the General Data Protection Regulation, but unnecessarily complicates the exercise of registered rights. In order to identify the data subject, the controller has processed a larger set of personal data than would be necessary and has therefore acted contrary to the data minimization principle laid down in Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation.

Implementation of registered rights

Article 5 of the General Data Protection Regulation provides for data protection principles. The rights and freedoms of the registered are the basic rights and freedoms of natural persons, and in particular their right to the protection of personal data, which is named as the goal of the General Data Protection Regulation in Article 1, Paragraph 2. The rights are detailed in the Charter of Fundamental Rights of the European Union. It is essential for the data controller to understand the importance of the principles and rights as the basis of the protection provided by the General Data Protection Regulation and in particular the built-in and default data protection obligation according to Article 25.

Once the processing has started, the data controller must constantly maintain the built-in and default data protection, i.e. implement the principles effectively at all times to protect rights. This is done, among other things, by keeping up to date with the latest technology and reassessing the risk level. The nature, scope and context of the processing operations, as well as the risks, may change during the processing. Therefore, the controller must reevaluate its processing operations by regularly checking and evaluating the effectiveness of the measures and safeguards it has chosen. The obligation to maintain, check and update processing operations also applies to systems already in use. This means that the systems in use planned before the entry into force of the General Data Protection Regulation must be evaluated and maintained in such a way as to ensure the implementation of measures and safeguards that effectively implement the principles and rights of data subjects in accordance with the European Data Protection Board's guidelines for built-in and default data protection. This obligation also applies to all processing by personal data processors. Controllers must check and evaluate the actions of processors regularly to ensure that they are constantly in line with the principles and that they, for their part, help controllers fulfill their obligations.

In all six cases concerning the rights of data subjects, the data controller has finally decided to implement the rights of the initiators. However, this has only happened with the data protection authorized office's clarification requests, where the matters were brought to the data controller's attention. The first clarification requests regarding the unfulfilled rights of data subjects are scheduled for May 2019. Other clarification requests regarding the non-implementation of the data subject's rights were submitted in October 2019 and March 2021. Based on the clarification received in the case, it must be considered that the requests of all initiators regarding their right to access their own data or to have their data deleted have been neglected to be implemented within the time required by Article 12 of the General Data Protection Regulation.

Although in matters 1 and 6 the possibility of human error cannot be ruled out regarding the actions of customer service personnel and non-response to requests regarding the rights of the data subject, matters 2 and 3, 4 and 5 linked to a technical error situation at least indicate negligent behavior on the part of the data controller. In addition, the data protection commissioner states that in case 6 there is a discrepancy between what the data controller and the data subject told - according to the data subject, the response to the legal request came by e-mail only about a year after the request was made, while according to the data protection controller, it sent the answer on its own initiative significantly earlier by mail, before receiving the clarification request from the data protection commissioner's office. As an attachment to the answer to the clarification request, the controller has only submitted a copy of from the e-mail response sent to the data subject later.

In Case 2, the processing of the registered information request received as verified has been left unfinished and has not been returned to before the clarification request submitted by the Data Protection Commissioner in the case. In its report, the controller has admitted that it should have asked the initiator for more detailed information, if possible, in order to speed up the investigation of the matter and informed him of the extension of the response time to the two months allowed by the General Data Protection Regulation. Also, as required by the proof obligation, the controller has not been able to demonstrate in the report it has submitted that it has properly responded to the initiator's request, because according to the controller, there has been no copy of the letter delivered to the registered person by post. Based on the response he gave in the case, the initiator is not satisfied with the information content of the answer given by the controller.

Matters 4 and 5 fall within the period of the technical exceptional situation reported by the data controller from 11/13/2018 to 5/28/2019. However, the controller says that in case 3 he received the initiator's written contact on March 1, 2019, which differs from the screenshot provided by the initiator to the data protection authorized officer's office, according to which the data subject sent a request to the address tietosouva-asiat(at)otavamedia.fi already on October 26, 2018, i.e. before the exceptional technical situation noted by the controller (November 13 .2018-28 May 2019) start. In any case, the data controller has responded to the data subject's request only after the data protection authorized office's request for clarification in May 2019, and in this case as well presented a technical error situation as the reason for the delay in the response.

In the answers given to the clarification requests in matters 3, 4 and 5, the data controller has stated that he tested the operation of the e-mail box intended for data protection matters before the application of the General Data Protection Regulation began in May 2018. In addition, the data controller has said that he introduced regular testing of the e-mail box after receiving information about the existing error situation and the so-called IMAP definition. from falling off due to the requests for clarification submitted by the Data Protection Commissioner in May 2019. According to the controller's answers, it is clear that testing the function of the e-mail box and the integration is possible for the controller and most obviously a practice that was already in use before. However, when changing the service provider and moving their email service to a cloud service, the functionality of the functionality has not been tested for more than half a year, as the emails delivered to the address data protection-asiat(at)otavamedia.fi remain out of the reach of the customer service system and thus the customer service agents. Neglecting to carefully test functionalities in connection with the change of service provider has led to the denial of the exercise of registered rights through the main e-mail channel designated for this purpose. Careful testing requires making a test plan and creating test cases. If no error has been detected, it is likely that the IMAP functionality has not been configured to be checked. The establishment of a contact channel aimed at registered users is not enough on its own to fulfill the obligations imposed on the data controller, but it must also take care of the practical functionality of the contact channel in question. It can be considered that with careful operation, the error situation would have been detected earlier and the outage in question would not have stretched to seven months in length. There are also no indications in the case that the technical exceptional situation would have been detected by the data controller himself in the near future. Therefore, it is likely that the technical exceptional situation would have continued for seven months longer, if the matter had not been brought to the data controller's attention in May 2019 through the data protection authorized office's clarification request.

The other complaints described above also show that the data controller's procedure regarding the rights of data subjects is in some places incomplete. Even though the request submitted by the registered person by post or e-mail in those matters has arrived, its processing has somehow been left unfinished and the registered person's right has not been exercised within the time required by Article 12. All in all, the six complaints in question show that the data controller has not taken care of the effective implementation of the registered rights by regularly evaluating its procedures regarding the implementation of the registered rights and ensuring their functionality.

The Data Protection Commissioner considers that the data controller has neglected to exercise the rights of the registered persons according to Articles 15 and 17 as required by Articles 12, 15 and 17 of the General Data Protection Regulation in all the above-mentioned matters initiated by the initiators. In addition, the data protection commissioner considers that due to the undetected technical error situation affecting the data protection affairs(at)otavamedia.fi email address lasting more than half a year, the data controller's operations have neglected the built-in data protection in accordance with Article 25, paragraph 1 of the General Data Protection Regulation with regard to the procedure related to the exercise of registered rights.

The decision was made by the data protection commissioner Anu Talus and was presented by the chief inspector of the data protection commissioner's office. According to Section 24 of the Data Protection Act (1050/2018), the administrative fine stipulated in Article 83 of the General Data Protection Regulation (administrative penalty fee) is determined by the sanctioning board formed by the data protection commissioner and deputy data protection commissioners. The data protection commissioner considers that the sanctions panel of the data protection commissioner's office should assess whether an administrative penalty fee should be imposed on the data controller in the case.

Decision of the Sanctions Board

The Data Protection Commissioner has previously given Otavamedia Oy a notice referred to in Article 58(2)(b) and (d) regarding the violation of Article 5(1)(c), Article 12(1), 12(1), 12(3), 4 and 6), 15, 17 and 25 of the General Data Protection Regulation to comply with the provisions of the General Data Protection Regulation.

The Sanction Board of the Office of the Data Protection Commissioner considers that, taking into account effectiveness, warning and proportionality, violations of Article 25, Paragraph 1, Article 12, Paragraphs 1, 2, 3 and 4, and Articles 15 and 17 of the General Data Protection Regulation must, in addition to a warning and an order, be ordered in accordance with Article 58 Paragraph 2 Subpoint i of the Regulation based on the administrative fine referred to in Article 83. The sanctions panel orders Otavamedia Oy to pay the state an administrative penalty fee of 85,000 (eighty-five thousand) euros.

The order given in the decision of the Data Protection Commissioner to waive the requirement of a handwritten signature in connection with the use of registered rights is instead subject to the order of the Data Protection Commissioner. In these respects, the sanctions panel considers that it was a practice in accordance with the repealed Personal Data Act (523/1999), which has since been replaced by the one stipulated in Article 12, Sections 2 and 6 of the regulation. Although requiring a signed form in that case is considered to have violated the General Data Protection Regulation, requiring a signature has been an established practice at the time of the Personal Data Act (523/1999), which preceded the General Data Protection Regulation, even before the application of the General Data Protection Regulation began on 25 May 2018.

Reasons for imposing an administrative penalty

According to Article 83, Paragraph 1 of the General Data Protection Regulation, the imposition of an administrative fine imposed for a violation of the General Data Protection Regulation must be effective, proportionate and warning in each individual case.

According to Article 83(2) of the General Data Protection Regulation, the administrative penalty fee is determined in accordance with the circumstances of each individual case in addition to or instead of the measures referred to in Article 58(2)(a) through (h) and (j).

According to Article 83, paragraph 3 of the General Data Protection Regulation, if the controller or personal data processor intentionally or negligently violates several provisions of this regulation in the same or related processing operations, the total amount of the administrative fine may not exceed the fine imposed for the most serious violation. The seriousness of the violations must be assessed on the basis of the criteria mentioned in Article 83, paragraph 2 of the regulation, and the procedure or omission that can be considered the most reprehensible, considering the details of the case, must be selected. The panel considers that Article 83, paragraph 3 of the Data Protection Regulation will be applicable in this case, as the obligations regarding the data subject's rights and their effective implementation are related to the same set of processing activities.

In this case, the sanctions panel considers that, although the data controller has, in accordance with the General Data Protection Regulation, tried to facilitate the exercise of the registered rights by establishing a separate e-mail address for such contacts, the data controller has not taken care of the continuous functionality of the arrangement when the service provider changes, as the effective implementation of Article 25, paragraph 1, especially with regard to the rights of the data subject, would have required.

In terms of efficiency, proportionality and warning, it must be stated that the operating method in question related to the processing of personal data and the exercise of the rights of the data subjects has been central for all the data subjects whose data the data controller processes in connection with the business he is conducting. It is not only about individual complaints and related disagreements, but about the failure of the data controller's planned course of action in implementing the data subject's rights, and the violations in this regard have not been minor in nature. When deciding on the imposition of an administrative penalty fee and the amount of the administrative penalty fee, in each individual case, according to Article 83(2) of the General Data Protection Regulation, the following points must be properly taken into account:

a) the nature, severity and duration of the breach, taking into account the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the breach and the extent of the damage caused to them; b) the intentionality or negligence of the breach; c) actions taken by the controller or personal data processor to mitigate the damage caused to the data subjects; d) the degree of responsibility of the controller or processor of personal data, taking into account the technical and organizational measures taken by them pursuant to Articles 25 and 32; e) possible previous similar violations by the controller or personal data processor; f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate its possible adverse effects; g) groups of personal data affected by the breach; h) the manner in which the breach came to the attention of the supervisory authority, in particular whether the controller or personal data processor notified the breach and to what extent; i) if measures referred to in Article 58 paragraph 2 have previously been imposed on the relevant data controller or personal data processor for the same matter, compliance with these measures; (j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and k) any other aggravating or mitigating factors applicable to the case, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation.

When evaluating the matter, the instruction of the data protection group according to Article 29 on the application and imposition of administrative fines has also been taken into account.

The nature, severity and duration of the breach and the number of data subjects and the damage caused to them

As evident from the data protection commissioner's decision above, the violations of the data controller have, in addition to Article 25 paragraph 1 concerning built-in and default data protection, been aimed at the non-implementation of the data subject's rights according to Articles 15 and 17 of the General Data Protection Regulation as required by Article 12.

Strengthening registered rights has been one of the main goals of the General Data Protection Regulation. Taking into account that in this case it is the main electronic contact channel of data subjects in data protection matters, the controller should have taken care of carefully testing the e-mail function when changing the e-mail service provider. With careful functionality testing, the technical error situation would most likely have been avoided and at least detected earlier than it is now. The most reprehensible procedure therefore concerns the neglect of the arrangement for exercising rights, i.e. the failure to test the function of the e-mail, which has led to the non-functioning of the e-mail address addressed to the data subjects. However, the failure to exercise registered rights in all respects has not resulted from a non-functioning e-mail address, but problems have also arisen in other parts of the procedure for exercising registered rights.

The case as a whole manifests a violation of the General Data Protection Regulation that is broader than individual cases. It has been a matter of a lack of appropriate practices, as the main electronic contact channel for registered users has been out of action for about seven months. From the report presented in the case, it appears that the data controller has neglected to implement the registered rights due to the error situation that prevailed between 13.11.2018 and 28.5.2019 for at least two initiators. With regard to the third initiator, his and the controller's explanations of the course of the situation differ, and according to the information provided by the data subject, his legal request was already submitted to the controller before the technical error situation began on 26 October 2018. According to the controller's report, a total of approximately 150 inquiries from registered users have been submitted to the data protection affairs(at)otavamedia.fi address during the technical error situation in question. According to its report, in the same period of time, the controller has neglected and failed to exercise one or more rights according to the General Data Protection Regulation for approximately 50 data subjects in the time required by Article 12. It should also be noted that the error situation in question was discovered only after the clarification request submitted by the data protection authorized office. The timing of the end of the error situation therefore depended on the data protection commissioner's activities and could possibly have continued significantly longer than seven months. In addition, the controller has stated in his answers to clarification requests that he tested the functionality of the e-mail box before the application of the General Data Protection Regulation began. When the error situation came to the data controller's attention through the contact of the data protection authorized office, the data controller has said that he has adopted regular testing of the e-mail box as a frequent operating procedure. The violation of the provisions of the General Data Protection Regulation caused by the data controller has not been momentary or occurred due to purely human error, as the violations have occurred repeatedly over several months. In its reports, the registrar has highlighted the measures it has taken to correct its deficient way of operating in order to fulfill the rights of the data subject. However, the rights of the data subject have been implemented and the procedures have only been changed following the clarification requests of the data protection authorized office.

In order to be able to determine in the case whether the violations in accordance with the data protection commissioner's decision regarding the aforementioned complaints were a single case or whether the case reflects a more systematic violation or a lack of appropriate practices, it is also necessary to take into account how large a number of data subjects have been affected by the violation of the data controller.

When evaluating the matter, in addition to the six complaints made to the Data Protection Commissioner, the number of data subjects stored in the data controller's database must be taken into account. The controller is a large Finnish media company that represents all online audiences in Otava: the controller's online services reach more than 2.3 million Finns every month, and the magazines reach about 1.5 million readers a month. Due to the problematic situation, it can be considered that the realization of the rights of registered users has practically been jeopardized for a very significant number of registered users. As presented by the data controller, weight cannot be given only to how many data subjects have concretely tried to use their rights during the period in question. The inactivity of the registered cannot be read in favor of the controller. It can also simply be the case, for example, that the data subject does not know how to act. It is therefore not a case of a single violation, but of the lack of appropriate practices required by the data controller to exercise the data subject's rights. As described above, the controller processes large amounts of personal data, and its violations are likely to affect a larger number of data subjects than just the six initiators who have filed a complaint with the Data Protection Commissioner's office regarding the data subject's rights.

The controller has violated the initiators' rights according to the General Data Protection Regulation, as a result of which the initiators have suffered damage. All in all, the sanctions panel considers that the violations of the data controller were of a serious and long-lasting nature and affected a large number of data subjects who suffered damage. The above-mentioned facts support the imposition of an administrative penalty. It should be noted, however, that in connection with the preparation of the Data Protection Commissioner's decision, it has not emerged that the initiators have suffered financial or other material damage.

Intentionality or negligence of the violation

Conclusions regarding intent and negligence are made by determining the objective facts related to the action based on the facts of the case. The intent or negligence of the violation is assessed on the basis of the extent to which the controller's actions correspond to what could be expected from a careful procedure. Other factors, such as human error or the fact that the operating principles in force have not been familiarized with and they have not been followed, the published information has not been checked for personal data, technical updates have not been made in a timely manner, or the operating principles have not been approved (instead of simply being submitted not applied), can again indicate negligence.

In issues 3, 4 and 5, the data controller has invoked a technical inadvertent error situation, where when changing the e-mail service provider to a cloud service, the IMAP configuration was turned off and the sent e-mails remained out of reach of the data controller's customer servers. In its response to the consultation request, the data controller says that according to its report, the error situation lasted from 13 November 2018 to 28 May 2019. However, in case 3, the data subject has submitted his answer by e-mail on 26 October 2018, i.e. before the start of the error situation. Therefore, the email should have arrived normally. However, the registrant's legal request has not been answered until the error situation has ended.

In case 1, the request submitted by the registered person by mail was directed to the wrong place by mistake, according to the controller, and was therefore not answered in time. In case 2, the legal request submitted by e-mail by the registered person has been verified, but its processing has been left unfinished and the matter has only been returned to with the data protection commissioner's clarification request. According to the data controller, in case 6, the data controller's deletion request was responded to in time, but according to the data controller, the data controller was mistakenly left without informing the data subject within the time required by the General Data Protection Regulation.

Although the possibility of human error cannot be excluded in part of the non-implementation of the data subject's rights, it can at least be considered that the technical error situation could have been avoided by careful functionality testing, i.e. caused by negligent actions of the data controller. According to the registrar's answers, it is clear that testing the function of the e-mail box is possible for the registrar and most obviously a practice that has already been used in the past.

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, issued on 3 October 2017, p. 12. In the Data Protection Group's guidelines on the application and imposition of administrative fines, it has been stated that intentionality generally requires a conscious and intentional violation, while unintentional means that the violation was not intentional, even if the controller violates the due diligence obligations required by law. According to the above-mentioned guideline, a deliberate violation that manifests disregard for the law is generally considered more serious than an unintentional violation.

Actions taken by the data controller to mitigate the damage caused to data subjects, the degree of cooperation with the supervisory authority and the way in which the violation came to the attention of the supervisory authority

The data protection group's instruction on the application and imposition of administrative fines states that the degree of cooperation can be "appropriately taken into account" when deciding on the imposition of an administrative fine and its amount. According to the instructions, a relevant fact can be taken into account if the controller has reacted to the requests of the supervisory authority during the investigation of the case in question in such a way that it has significantly limited the risk to the rights of individuals.

According to Article 31 of the General Data Protection Regulation, the controller and personal data processor and, if necessary, the representative of the controller or personal data processor must, upon request, cooperate with the supervisory authority to perform its tasks. However, according to the data protection group's instruction on the application and imposition of administrative fines, it would not be appropriate to emphasize the cooperation already required by legislation. If the actions of the data controller did not have negative consequences on the rights of individuals or the effects were less than they might otherwise have been, this can also be taken into account when choosing a proportional corrective measure in each case.

The controller has responded to the data protection commissioner's office's clarification requests and consultation requests within the deadline. The controller has taken action following the data protection authorized office's clarification requests, responded to data inspection and deletion requests according to articles 15 and 17 of the registered and improved its procedures. At the same time, the length of the technical error situation has been limited to seven months. However, this has not been purely due to the actions of the data controller, but the data controller has only become aware of the matter through the registered complaints brought to its attention by the data protection authorized office.

The penalty panel states that according to Article 83, Section 2, Subsection f of the General Data Protection Regulation, when assessing the imposition of an administrative fine and its amount, the degree of cooperation can also be taken into account. In connection with this, when weighing a reasonable sanction, the supervisory authority has taken into account the fact that the data controller has responded to the authority's clarification requests within the deadline. Despite what has been said, however, it is not appropriate to emphasize the cooperation already required by legislation. Pursuant to Article 58(1) of the General Data Protection Regulation and Section 18 of the Data Protection Act, the controller has had the obligation to deliver the requested information to the supervisory authority, and it is not appropriate to emphasize the fulfillment of such a statutory obligation as mentioned above.

The matter has initially been investigated based on the contact of eleven different initiators. In addition, taking into account the seriousness of the violations on a general level and the fact that the data controller has only announced that he is open to cooperation when the matter is being investigated by the data protection authorized office, the sanctions panel cannot, however, give significant weight to the matters in question.

Degree of responsibility, taking into account the technical and organizational measures implemented by the data controller pursuant to Articles 25 and 32

In the data protection group's instruction on the application and imposition of administrative penalty fees, it has been stated that the data controller should do everything possible to mitigate the consequences of the violation for the concerned parties. According to the instructions, the supervisory authority can take into account the responsible activity or lack of responsible activity of such a data controller when calculating the penalty fee. Article 25 of the General Data Protection Regulation requires that the data controller takes into account "the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, which vary in probability and severity, caused by the processing".

With regard to the procedures for the exercise of registered rights, the controller has brought out facts in its answers that support the fact that it has implemented such technical measures in response to requests for clarifications, with which it has tried to better meet the requirements of built-in and default data protection (Article 25). Technical and organizational measures taken by the data controller pursuant to Article 25 of the Data Protection Regulation and shortcomings regarding the implementation of the measures have been assessed in the decision of the Data Protection Commissioner, along with violations of Articles 12, 15 and 17 of the Data Protection Regulation. Implemented measures or shortcomings regarding the implementation of measures are not separately taken into account as aggravating or mitigating factors with regard to Article 83, paragraph 2, subparagraph d of the Data Protection Regulation.

Previous similar violations

The data protection group's instruction on the application and imposition of administrative fines states that the supervisory authority should evaluate the historical data of the unit that committed the violation. Supervisory authorities should take into account that the assessment in this respect can be very broad, as any type of breach, even if it differs in nature from the breach currently being investigated by the supervisory authority, may be relevant for the assessment, as it may give general indications of insufficient information or non-compliance with data protection regulations.

The Office of the Data Protection Commissioner has not been brought to the notice of the controller's previous similar violations that could be considered an aggravating circumstance. However, it should be noted that the case at hand now concerns several violations of the provisions of the General Data Protection Regulation, which have occurred over a long period of time, and which have affected the data protection rights of the registered person all this time.

Personal data groups affected by the breach

The subject of the breach has been personal data in accordance with Article 4, paragraph 1 of the General Data Protection Regulation, from which a natural person can be identified. No personal data belonging to special personal data groups according to Article 9 or 10 have been processed. There are no aggravating grounds in these respects.

Adherence to codes of conduct or certification mechanisms

The data controller has not informed the data protection authorized office that it has committed to comply with the approved code of conduct according to Article 40 of the Data Protection Regulation or the approved certification mechanisms according to Article 42. There are no aggravating or mitigating grounds in these respects.

Possible other aggravating or mitigating factors affecting the assessment, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation

The data protection group's instruction on the application and imposition of administrative fines states that such possible other factors can be, for example, the benefit or financial advantage obtained from the violation. The controller has stated that he is of the opinion that no financial benefit of any kind has been obtained from the possible violation. In its report, the controller has stated that, in addition to the request to delete personal data, all registered users also have the option to notify the controller of a ban on direct marketing regarding electronic marketing messages by clicking on the "unsubscribe" link in the e-mail message or through customer service, e.g. by phone, e-mail or letter. There are no aggravating grounds in these respects.

Summary and measurement of the administrative penalty fee

The administrative penalty payment must be effective, proportionate and warning in individual cases.

In terms of effectiveness, proportionality and warning, it must be stated that in the matters currently under consideration, the provisions of Article 58(2)(b) and (d) of the General Data Protection Regulation of the Data Protection Commissioner are not a sufficient consequence, taking into account the above-mentioned aspects of Article 83(2)(a-j). The Sanctions Board of the Data Protection Commissioner's Office considers that the violations and neglects found by the Data Protection Commissioner, taking into account their nature and seriousness, are such that an effective, proportionate and warning sanction is, in addition to the order and notice issued by the Data Protection Commissioner, an administrative fine.

It has not been a question of a single or individual events, but of a violation of the General Data Protection Regulation, which has led to the repeated neglect of the rights of registered users over a longer period of time. Thus, in the case in question, especially the nature of the violations, their duration and the number of data subjects affected by the violation, reflect the severity of the violation, that an administrative penalty fee must be imposed in the case.

The nature, seriousness and duration of the infringement and the number of registered users have been taken into account as aggravating factors. As a mitigating factor in the amount of the fine, it has been taken into account that in connection with the preparation of the data protection authorized officer's decision regarding the complaints, it has not turned out that the initiators have suffered financial or other material damage.

The Sanctions Board considers an administrative penalty fee of 85,000 (eighty-five thousand) euros to be effective, proportionate and warning.

The decision regarding the imposition of an administrative penalty fee has been made by the members of the penalty panel of the Data Protection Commissioner's office.

Applicable legal provisions

EU General Data Protection Regulation (2016/679) Article 12(1), 2, 3, 4 and 6, Article 5(1)(c), Article 15, Article 17, Article 25, Article 58(2)(b) and (d), Article 83 paragraphs 1, 2, 3, 4 and 5 a and b

Section 8 and Section 24 of the Data Protection Act (1050/2018)

Section 25 and Section 34 of the Administrative Act (434/2004)

Appeal

According to Section 25 of the Data Protection Act (1050/2018), the decisions of the data protection commissioner and the sanctions panel can be appealed by appealing to the administrative court in accordance with the provisions of the law on litigation in administrative matters (808/2019). The appeal is made to the Helsinki Administrative Court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decisions are legally binding.

Appendix to the decision of the Sanctions Board of the Office of the Data Protection Commissioner dated 9 May 2022, ID number 6097/161/21

Dissenting opinion of the presenter

The amount of the administrative fine should have been set higher (€125,000, 0.15% of the company's turnover).

In each individual case, the prescribed administrative sanction fee must be effective, proportionate and warning, taking into account the possible aggravating and mitigating factors mentioned in Article 83, paragraph 2 of the General Data Protection Regulation, related to the violation itself and the perpetrator and his activities. Violations of the provisions of Article 83(5)(a-e) of the General Data Protection Regulation shall be subject to an administrative fine in accordance with Article 83(2) of a maximum of EUR 20 million or, in the case of a company, four percent of the annual global total turnover of the previous financial year, whichever of these amounts is bigger.

The violations against Articles 12, 15, 17 and 25 themselves, as well as their nature, severity and duration, are described in the referenced decision. The company's turnover and ability to pay must be taken into account when evaluating the effectiveness, proportionality and deterrence of the fine imposed for the violation. Contrary to the decision of the Sanctions Board, in my opinion, the imposed administrative penalty of 85,000 euros is not sufficiently effective, proportionate and warning in relation to the turnover of the company in question, covering only approx. 0.1% of it. Referring to the previous penalty payment practice of the Office of the Data Protection Commissioner regarding micro and SME companies, the penalty payment should be higher in relation to the company's turnover (€85,882,379.48) in order to meet the criteria of efficiency, proportionality and deterrence required for the amount of the penalty payment, and to be properly in line with the previous penalty payment practice of the Office of the Data Protection Commissioner regarding penalty payment for smaller organizations with.