Tietosuojavaltuutetun toimisto (Finland) - 6633/182/2018, 6707/154/2018 and 7685/152/2020

From GDPRhub
Revision as of 15:55, 11 December 2023 by Ar (talk | contribs)
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 15(1) GDPR
Article 15(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.12.2022
Published: 11.01.2023
Fine: 750000 EUR
Parties: Alektum Oy
National Case Number/Name: 6633/182/2018, 6707/154/2018 and 7685/152/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Eetu Salpaharju

The DPA imposed a fine of 750,000 euros on Alektum Oy for refusing data subjects access to their information.

English Summary

Facts

Alektum Oy declined to answer data subjects' requests to review their data. The company also hampered and slowed down the investigation.

The case is based on three different reports made to the DPA. In two cases the data subject did not receive any reply from the company, and in one case the data subject got a general reply but not the information requested.

In the case of one data subject, Alektum Oy explained the non-response by saying that it no longer processed the personal data of the data subject. The DPA stated that even then, the company should have responded to the data subject and informed them that it no longer processed the data subject's personal data.

In case 6707/154/2018 the data subject requested to use his right to be forgotten as defined in Article 17. Alektum Oy refused to remove the data from its system. The DPA held that the controller had the right to decline the request because the data subject still had an outstanding account with the controller's client and the information was still needed for the purpose for which it was originally collected. The controller should have informed the data subject when his data would be removed.

Holding

The DPA held that Alektum Oy violated GDPR Article 15 Subsections 1 and 2 as well as Article 12 Subsection 3 in all three cases.

The DPA imposed a fine of 750,000 euros on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The Sanctions Board of the Office of the Data Protection Commissioner has imposed a penalty payment of EUR 750,000 on the debt collection company Alektum Oy. The debt collection company had not responded to requests regarding data subjects' rights. The company also complicated and slowed down the investigation by avoiding the supervisory authority.

The Office of the Data Protection Commissioner started investigating the matter after receiving three complaints from private individuals. In two complaints, it was reported that Alektum Oy had not responded to requests to access their own information. One of the complainants had received a response from Alektum Oy, but he was still not provided with the requested copy of the personal data.

"The right to access your personal data is a key data protection right. If a person does not have access to his own data, he does not have the opportunity, for example, to correct incorrect data or monitor the legality of the processing of personal data," states Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa.

The investigation by the Office of the Data Protection Commissioner revealed that Alektum Oy had regularly failed to respond to requests regarding the data protection rights of data subjects. An organization that processes personal data is obliged to respond to requests regarding the rights of the data subject within one month. If there are many requests or they are complex, the organization acting as data controller can state that it needs additional time of up to two months.

In the case of one complainant, Alektum Oy explained the non-response by saying that it no longer processed the data subject's personal data. Even then, the company should have responded to the request and said that it no longer processes the data subject's personal data.

The Sanctions Board considers that the company was not sufficiently familiar with the requirements of the data protection legislation and that its conduct has shown disregard for the legislation.

The company did not comply with the obligation to cooperate with the supervisory authority. During the investigation, the Office of the Data Protection Commissioner tried to consult Alektum Oy in many different ways. The Sanctions Board considers that the company has been unwilling to provide an explanation of its operations and to cooperate with the Office of the Data Protection Commissioner. According to the Data Protection Regulation, the organization acting as data controller must cooperate with the supervisory authority and provide the information requested by the data protection authority.

In its evaluation, the Sanctions Board took into account the fact that the case also involved the legal protection of individuals. Collection costs can ultimately be enforced by the authorities through coercive means, and the debtor has the right to know about the threat of a legal claim related to collection.

The decisions of the Deputy Data Protection Commissioner and the Sanctions Board are not yet legally binding. They can be appealed to the administrative court.

Decisions of the Deputy Data Protection Commissioner and Sanctions Board (pdf)

More information: Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. 029 566 6787

The decision-making of the Sanctions Board and the legal protection of data controllers are stipulated in the national Data Protection Act. The Sanctions Board consists of the Data Protection Commissioner and two Deputy Data Protection Commissioners. The board is competent to impose administrative fines for violations of data protection legislation. The maximum amount of penalty payments is four percent of the company's turnover or 20 million euros.