Tietosuojavaltuutetun toimisto (Finland) - 8422/161/21

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(1) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Article 15(3) GDPR
Article 58(2)(i) GDPR
Article 83(6) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 06.07.2023
Fine: 23,000
Parties: Suomen Avainsanat Oy
National Case Number/Name: 8422/161/21
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Tietosuojavaltuutettu (Finland) (in FI)
Initial Contributor: AR

The Finnish DPA fined an online directory for businesses €23,000, given that it failed to comply with the data subjects’ right of access by not giving them proper call transcripts and did not facilitate the exercise of the data subjects' rights.

English Summary

Facts

Between 8 March 2019 and 2 September 2022, the Office of the Finnish Data Protection Ombudsman (DPA) received numerous complaints concerning the Finnish Business Register, a business search service provided by Suomen Avainsanat Oy (the controller).

The data subject, in particular, claimed that following a request for a call recording, the controller provided only a summary of the call, which did not fully reflect the previous conversation. Following a repeated request for a call recording, the controller did not provide anything.

The DPA requested clarification from the controller, who explained that it kept the recordings for 2-4 months and that at the time of the submission of the clarification, it no longer kept the recording of the calls with the data subjects.

The DPA then contacted the data subjects concerned, who agreed to close the case if the DPA conducted its own initiative investigation since numerous cases brought against one controller could be considered an indication of an established behaviour of the controller.

An investigation was therefore started, the scope of which was to assess the controller's general data protection practices.

Holding

The DPA concluded the following.

The DPA ruled that the controller's action breached the data subjects’ right of access and right of copy in accordance with Article 12(1) GDPR and Article 15(3) GDPR. The controller provided the data subject with a summary of the telephone call, which was merely a general description of the call. Moreover, it did not indicate which personal data concerning the data subjects were processed. To comply with the right of access of the data subjects, it should have provided a copy of the data it had been processing. Thus, the summary provided could not be considered a copy, and the controller's established practice of exercising the right of access was not in compliance with the GDPR.

In the context of the extended ex officio investigation, the DPA also found a violation of Article 12(6) GDPR and Article 12(2) GDPR on facilitating the exercise of the rights of the data subject and verifying the identity of the data subject. Indeed, the DPA stated that the controller should have allowed data subjects’ access requests to be made electronically, in particular where personal data are processed electronically, and that it may request additional information from the data subjects to identify them when it has reasonable grounds to doubt their identity. However, in the present case, the controller required the data subject to submit a written, signed request and to provide a copy of an identity document, even though the controller did not already process information on the signature of the data subjects and did not have a legitimate reason for requesting an identity document for identification.

The DPA fined the controller €23,000 under Article 58(2)(i) GDPR and Article 83(6) GDPR. As the controller did not provide information on its turnover for 2022, the sanction was estimated based on the confirmed turnover for 2021.

Comment

The present decision by the Finnish DPA is in adherence with the CJEU judgement Case C-487/21, Österreichische Datenschutzbehörde.

As stated by the CJEU, the term ‘copy’ relates to the personal data the document contains and must comprise all the personal data undergoing processing (see CJEU in C-487/21 Österreichische Datenschutzbehörde, para 32). Consistently, the DPA ruled that because the summary provided by the controller is a general description of the conversation without indicating which personal data of the data subject is being processed, it does not contain information about the data subject to the extent needed to be considered personal data concerning that data subject and to fulfil Article 15(3) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Providing Call Recordings and Failure to Comply with Prior Order

Keywords: Inspection right
Call recordings

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 8422/161/21

Decision of the Data Protection Commissioner

Matter

The right to receive a copy in the case of a call recording

Registrar

Suomen Avainsanat Oy, as holder of the auxiliary business name Suomen Yritysrekisteri Oy (Business ID: 2580946-3)

Background of the matter

1. In the period 8.3.2019–2.9.2022, numerous cases concerning the Finnish Business Register have been initiated in the office of the Data Protection Commissioner. Suomen Yritysrekisteri is a company search service provided by Suomen Avainsanat Oy (later 'the registrar').

2. The cases have concerned data subjects requesting a call recording from the controller. The registrar has responded to the requests of some registrants by providing summaries of calls. In the registrants' opinion, the summary has not corresponded to the conversation on the phone, which is why the registrants have repeated the request to receive the call recording. The controller has still not provided the data subjects with the call recording, which is why the data subjects have been in contact with the data protection commissioner's office.

3. The Office of the Data Protection Commissioner has requested an explanation from the data controller due to the contacts received between March 8, 2019 and September 2, 2022. Based on the report obtained in the matter, the data controller will keep the recordings for 2–4 months, and at the time of issuing the report, the data controller no longer had any recordings of phone calls with registered users.

4. Since the recordings were no longer available according to the reports provided by the data controller, the data protection commissioner's office has been in contact with the data subjects in question. The registrants have accepted the termination of the case concerning them as a result of the data protection commissioner's own-initiated investigation. The registrants are not to be considered parties in accordance with Section 11 of the Administrative Act (434/2003). However, the Data Protection Commissioner's office will notify these data subjects of this decision.

5. The Office of the Data Protection Commissioner has not requested an explanation from the data controller in every single case brought to it between 8 March 2019 and 2 September 2022, because due to the retention period of the call recordings announced by the data controller in connection with the previous investigation, the call recordings would no longer be available.

6. In this decision, the Data Protection Commissioner does not assess the case of individual data subjects, as the data subjects have accepted the decision of the case concerning them because the recordings were no longer available. The data protection commissioner's decision applies to the data controller.

7. The Office of the Data Protection Commissioner has started its own investigation and started to find out the controller's modus operandi, as numerous contacts can be considered to reflect the controller's established modus operandi. In this decision, the data protection commissioner evaluates the general operating method of the data controller on the basis of seven contacts and the explanations provided by the data controller during the period between 2020 and 2022. In addition, the controller's established operating method is evaluated on the basis of the controller's response to the consultation request.

The content of the contacts in brief

8. In the seven cases referred to in this decision, the registrants have said that they received a sales call from the registrar regarding the visibility of the Finnish Business Register service. The recipients of the sales call have been private entrepreneurs. All data subjects have received an invoice as a result of the sales call, which is why the data subjects have requested a recording of the sales call from the data controller.

9. The majority of those registered have said that they received a summary of the sales call as a result of the call recording request. The summary has been delivered to the data subjects, for example, in December 2018, May 2021 and June 2022. According to the data subjects in question, the summary has been a one-sided description of the conversation in the phone call prepared by the data controller, and in their view, the summary has not fully corresponded to what was agreed in the phone call. Below is an example of the summary:

"The manager of the sales team has checked the recording of the sales call and commented on the call as follows: The salesperson tells you where to call. The salesperson checks that the call goes to the right company and the customer answers "yes, yes". The seller says that the call is being recorded. The customer says "yes". The seller checks the company's information and the customer confirms that it is correct by saying "yes" and "yes". The seller asks "are there electronic addresses, e-mails or websites?" The customer says "not yet, yes the intention would be to set up at some point". The seller asks about the industry and the customer answers "electrical automation installations and planning" The seller tells about the service. The customer occasionally says "yes". The seller says "now if your complete company information is transferred here to the Finnish company register, there will be a one-time annual update fee, which is €289+VAT and it can be paid in two installments". The seller ensures the customer's acceptance of the order by asking "can this information be used to go forward 12 months at a time?". The customer answers "yeah yes". The seller asks for the customer's name as confirmation of the order, the customer gives his name. Together, we agree that the invoice and IDs will be delivered to the customer by letter mail."

10. In some cases, after receiving the summary of the sales call, the registrants have been in contact with the controller, and unsuccessfully repeated the request to receive the call recording.

11. In one case, the data subject has not received the summary of the call at all, despite his request.

Statements given by the registrar

12. In connection with the matters referred to in paragraph 3 above, the office of the Data Protection Commissioner has requested an explanation from the data controller. The statements given by the registrar in the period 2020–2022 have not been uniform in all respects. In the reports provided, the controller has stated, among other things, the following:

13. The registrar says that it deletes call recordings within 2–4 months of the call. At the time of issuing the reports, the data controller has not had in his possession a recording of any phone call with the data subject.

14. The Office of the Data Protection Commissioner has, in each clarification request, inquired of the data controller whether the data controller has exercised the registered person's right according to Article 15 of the General Data Protection Regulation. The registrar has replied that he has delivered the summary of the sales call to the registrants.

15. In one case, the Data Protection Commissioner's office has asked the data controller to specify what is mentioned in point 14 and to clarify whether the data controller considers a summary corresponding to the one submitted to the Data Protection Commissioner's office to be a copy in accordance with Article 15, paragraph 3 of the General Data Protection Regulation.

16. The registrar has not provided a response to the request for additional information.

17. In some cases, the data controller has said that, due to the request regarding the call recording, he called the data subjects in order to let them listen to the call over the phone. Such a situation has existed, for example, in one case where the data controller tried to reach the data subject in order to play the recording over the phone between 22 July and 20 August 2021. In addition, a summary of the call recording has been delivered to the data subject in question.

18. The data controller has also stated in some of its reports that it would have delivered an appropriate transcription or given the opportunity to listen to the recording at a separately agreed time at the data controller's office. This would have required that the data subject had made the requested, signed data release request.

Consultation of the controller

19. As a result of the reports received in individual cases, the data protection commissioner's office has initiated an independent investigation into the controller's modus operandi. With the consultation request dated February 1, 2023, the controller has been reserved the opportunity referred to in § 34 of the Administration Act to be heard and to present an opinion on the preliminary assessment of the representative of the Data Protection Commissioner's office and the confusion of facts presented in the consultation request in relation to the imposition of a possible administrative penalty fee.

20. On April 3, 2023, the registrar submitted a response to the request for consultation and additional information. In the answer, the controller says, among other things, the following.

21. According to the current practices of the data controller, the data controller keeps call recordings for an average of 2-4 months. According to the data controller, the recordings are kept for the duration of the active processing of the matter, which is at least two weeks after the call and a maximum of the aforementioned four months. The recordings are automatically deleted after four months.

22. The data controller has submitted that call recordings are requested, listened to and processed almost exclusively in cases where the customer i) denies that he has been called by the data controller, ii) denies the creation of a contract, or iii) expresses a different opinion about, for example, the price of a product.

23. According to the data controller, its customers can contact the data controller's customer service by phone or email. If the contact comes from something other than the e-mail registered in the data controller's customer information, the customer service representative will call the customer to verify the customer's identity. The registrar says that he is in contact with his customers primarily by phone.

24. According to the data controller, if there is a conflict between the customer and the data controller, the customer service provider offers the customer the opportunity to listen to the call or sends the customer a summary of the call. If the customer accepts or requests a summary, the summary is discussed with the customer either verbally or in writing.

25. The data controller has also stated that the compilation or verbatim transcription is only done in those situations where the data controller's customer service cannot reach the customer by phone, despite attempts, so that it would be possible to listen to the recording via phone call. The data controller has also said that if the customer cannot be reached by phone after an average of three attempts, the customer service will stop pursuing the customer, which, according to the data controller, means closing the case and destroying the recording.

26. The registrar has specified in his answer what the call summary includes. The aim is to exclude direct personal data from the summary. The registrar has said that sending a summary is never the primary option.

27. The registrar adds that making a summary takes only a fraction compared to making an accurate transcription, which is one of the reasons why customer service often suggests sending a summary. Word-for-word transcribing is only done if it has been specifically requested.

28. The registrar notes that the summary of the model presented in the consultation request is the summary of the old model. The summary according to the current practice of the registrar is more precise in content. The summary mentions the seller's name, the customer's name and the company's location information.

29. The registrar has emphasized that listening to the recording has not been the registrar's only way to resolve the conflict situation, nor the only way to secure access to the data.

30. The registrar says that he will send the customer a verbatim transcription when the customer requests it. According to the registrar, about 10 verbatim transcriptions are requested per year; summaries are requested more often.

31. According to the registry keeper's point of view, transcription refers to an exact, word-for-word written text, where each sound is written open. The summary, on the other hand, is an abbreviation that shows, on a general level, primarily what was agreed on in the call and what was concluded with the customer. According to the controller's point of view, it is extremely rarely the case that the customer wants to check his data.

32. The controller has stated in his answer that he considers that listening to the call recording by telephone or verbatim transcription upon request is a method of operation in accordance with the previous guidance of the Data Protection Commissioner. According to the registrar, it has, among other reasons, modified the summary to be more comprehensive and accurate after the time mentioned in the consultation request.

33. The controller points out that it should have more detailed information about the matters that are the subject of the consultation request, so that it could assess whether the summary has been sent or whether the data subject has picked up a verbatim transcription from the post office.

34. According to the current practice of the registrar, it does not require a signature or a copy of the identity document to exercise the right of inspection. The request is required to be submitted in writing and signed only in those cases where the controller has not been able to verify the identity of the person requesting the information.

35. According to the controller, it has received less than 10 signed requests between March 8, 2019 and September 2, 2022.

36. The controller has not been able to tell how many requests in accordance with Article 15 of the General Data Protection Regulation it has received between March 8, 2019 and September 2, 2022. The registrar has had 9,386 customers in that period.

37. In the opinion of the registrar, there are few complaints considering the total number of its customers.

38. The registrar has said that it is unable to respond to the matters presented in the hearing request without precise information about the cases. On April 19, 2023, the data controller was told by phone that the cases presented in the consultation request are cases for which the data protection commissioner's office has requested an explanation from the data controller. In order to provide each report, the controller has been provided with more detailed information on the matter in each case.

Applicable legislation

39. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of this data and repealing Directive 95/46/EC (General Data Protection Regulation) applies in this matter.

40. According to Article 12, paragraph 1 of the General Data Protection Regulation, the data controller must take appropriate measures to provide the data subject with all processing information in accordance with Article 15 in a concise, transparent, easily understandable and accessible form in clear and simple language. The information must be submitted in writing or in another way and, as the case may be, in electronic form. If the data subject requests it, the information can be given verbally, provided that the identity of the data subject has been confirmed in another way.

41. According to Article 12, paragraph 2 of the General Data Protection Regulation, the controller must facilitate the exercise of the data subject's rights according to Articles 15-22.

42. According to Article 12, Paragraph 6 of the General Data Protection Regulation, if the data controller has reasonable grounds to suspect the identity of a natural person who has made a request in accordance with Articles 15-21, the data controller may request the provision of additional information that is necessary to confirm the identity of the registered person, without prejudice to the application of Article 11.

43. According to Article 15, paragraph 3 of the General Data Protection Regulation, the controller must provide a copy of the personal data being processed.

Previous decisions concerning the controller

44. On March 5, 2021, the Deputy Data Protection Commissioner issued a decision to the controller concerning the right of an individual data subject to receive a recording of a sales call. Based on the report obtained in that case, the registrar had tried to reach the registrant in order to offer the possibility of listening to the call. The issue was that the data controller had not delivered the call recording at all to the data subject in accordance with Article 12(1) and Article 15(3) of the General Data Protection Regulation.

45. The Deputy Data Protection Commissioner has stated in the decision that the possibility of listening to the phone call is not a way to exercise the right to access information in accordance with Article 15, Paragraph 3 of the General Data Protection Regulation. In the decision, it has been stated that the data controller must implement the right to access the data in writing or, as the case may be, electronically (General Data Protection Regulation, Articles 12 and 15).

46. In the decision, the Deputy Data Protection Commissioner has ordered, based on Article 58(2)(d) of the General Data Protection Regulation, the data controller to bring the processing operations into compliance with Article 12(1) and Article 15(3) of the General Data Protection Regulation.

47. The Deputy Data Protection Commissioner has also ordered the data controller to submit a report on the measures taken by April 30, 2021. The data controller has not submitted a report by February 1, 2023, after which the data protection commissioner's office has sent the data controller a consultation request.

48. On 21 October 2021, the Data Protection Commissioner gave the data controller a decision concerning whether the data controller can deliver the call recording only in text form or whether the recording to be delivered is an audio file. The decision did not impose an obligation on the controller to deliver the recording explicitly as an audio file. In the decision, it was stated that the right to access the recording can be realized in such a way that the data controller writes out the content of the call recording.

49. In this decision, the method of operation of the data controller, according to which the data controller sends a summary to the data subjects, is to be evaluated, and in particular, whether the data controller's summary must be considered a copy in accordance with Article 15, paragraph 3 of the General Data Protection Regulation.

Legal issues

50. The Data Protection Commissioner will decide the matter as described above based on the General Data Protection Regulation and the Data Protection Act. The following legal questions have to be resolved in the matter:

i. Is the controller's method of operation to implement the right according to Article 15 of the General Data Protection Regulation with regard to call recordings in accordance with Article 12, paragraph 1 and Article 15, paragraph 3 of the General Data Protection Regulation; and

ii. Has the controller's method of operation, according to which it has required the making of a written, signed request, and the delivery of a copy of the identity document, been in accordance with Article 12, paragraph 2 and paragraph 6 of the General Data Protection Regulation?

51. If the processing of personal data carried out by the data controller has not been in accordance with the provisions of the General Data Protection Regulation, the matter has to be decided which sanction according to Article 58, paragraph 2 of the General Data Protection Regulation should be imposed on the data controller.

The Data Protection Commissioner's decision and reasons

Decision

52. In its decision, the Data Protection Commissioner considers the following:

i. The summary of telephone recordings delivered to the data subjects by the registrar cannot be considered a copy as referred to in Article 15, paragraph 3. Thus, the controller's method of operation in order to implement the right to access the information according to Article 15 of the General Data Protection Regulation has not been in accordance with Article 12, paragraph 1 and Article 15, paragraph 3 of the General Data Protection Regulation.

ii. The controller's method of operation, according to which it has required the registrant to submit a signed request and a copy of the identity document in order to exercise the right to access the data, has not been in accordance with Article 12, paragraphs 2 and 6 of the General Data Protection Regulation.

Note

53. The Data Protection Commissioner gives the data controller a notice in accordance with Article 58, Section 2, Subsection b of the General Data Protection Regulation regarding violations found in Section 52 i and ii above.

Administrative penalty fee

54. The case in question now concerns the general operation of the controller, which violates the data subjects' right to access their own personal data. This right enables the exercise of other registered rights, such as the right according to Article 16 of the General Data Protection Regulation to have incorrect data corrected.

55. The Data Protection Commissioner considers, especially taking into account the decisions previously given to the data controller, that a notice according to Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation is not a sufficient sanction for neglecting to implement the data subject's right of inspection. This is not a minor offense.

56. The data protection commissioner will refer the matter to the sanctioning board on the basis of the above points 54 and 55.

57. Pursuant to Section 24 of the Data Protection Act, the administrative sanction fee stipulated in Article 83 of the General Data Protection Regulation is determined by the sanctioning board formed by the data protection commissioner and deputy data protection commissioners. The Sanctions Board must therefore assess whether an administrative fine in accordance with Article 58(2)(i) of the General Data Protection Regulation must be imposed on the data controller in addition to the notice given by the Data Protection Commissioner for the violation according to Section 52 Subsection i of this decision.

58. In addition, the sanctions panel will deal with the matter of non-compliance with the order issued by the deputy data protection commissioner on 5 March 2021.

Reasoning

The right to access the information and the right to receive a copy

59. In the decision given to the data controller on 21 October 2021, the Data Protection Commissioner has considered that the private entrepreneur has the right to access the data regarding the call recording in accordance with Article 15 of the General Data Protection Regulation.

60. In matters brought to the office of the Data Protection Commissioner, and in matters where an explanation was requested from the registrar, the persons registered have been private entrepreneurs.

61. In the present case, the question to be resolved is whether the controller's way of implementing the right to access the information (later 'right of inspection') was in accordance with Article 12(1) and Article 15(3) of the General Data Protection Regulation when the controller provided the data subject with a summary of the call.

62. In its decision, the Data Protection Commissioner does not assess the current method of operation of the data controller to the extent that, according to the data controller, the data controller's method of operation has changed after September 2022. However, the Data Protection Commissioner states that specifying the summary with the name of the seller and the customer as well as company location information does not change the assessment presented in this decision as to whether the summary provided by the data controller can be considered a copy within the meaning of Article 15, paragraph 3 of the General Data Protection Regulation.

63. The data controller must deliver the data he processes to the data subject as a copy. The General Data Protection Regulation does not define the term 'copy'. However, the term 'copy' must be interpreted broadly and can cover a variety of ways, as long as the information is complete and contains all the information requested. It should also be noted that the data subject's right to receive a copy of the data is not to be considered a separate right, but rather the right to receive a copy is the way in which the right of inspection is implemented.

64. The Court of Justice of the European Union has also considered that the right according to Article 15 paragraph 3 is not a separate right from Article 15 paragraph 1. In its decision, the Court of Justice of the European Union has found that it follows from an examination of the wording of the first sentence of Article 15, Section 3 of the General Data Protection Regulation that the regulation gives the data subject the right to receive a copy of his personal data, understood in its broadest sense, that corresponds to the original.

65. The controller has said that he is primarily in contact with his customers, i.e. registered users, by telephone. The registrar says that it verifies the identity of the registered person in this way. The data controller's customer service representative will ask the data subject by phone for permission to listen to the recording or, alternatively, to send a summary.

66. If the controller cannot reach the registrant by phone, the controller will contact the registrant by e-mail in order to provide him with a summary or a verbatim transcription. On the other hand, the data controller has also said that if it does not reach the data subject by phone with an average of three call attempts, the customer service will stop pursuing the customer, which, according to the data controller, means closing the matter and deleting the recording.

67. As a result of what was stated in points 65 and 66, the data protection commissioner draws attention to the fact that the explanation given by the controller about its operating methods is partly contradictory. The controller says on the one hand that he is in contact with the registered person by phone and on the other hand says that he will send a summary or transcription to the registered person.

68. According to the controller, the summary is a summary of the phone call and the aim is to exclude direct personal data from it. The controller has clarified in its statement that the summary is not a word-for-word transcription.

69. In the opinion of the Data Protection Commissioner, the summary provided by the data controller is a general description of the conversation during the call. The summaries submitted to the office of the Data Protection Commissioner do not indicate which personal data concerning the data subject is processed by the data controller. The summary does not show, for example, the name of the data subject; in the summary the data subject is referred to as a customer. The summary also does not show the information about the data subject to the extent that the information about the company must be considered personal data about that data subject.

70. In this context, it should be noted in particular that the purpose of the right of inspection is to offer the data subject the opportunity to ascertain what data concerning the data subject is being processed by the data controller, and whether the data is correct. The right to access the data is especially necessary so that the data subject can, if necessary, use the rights granted to him in Articles 16, 17 and 18 of the General Data Protection Regulation to correct data, delete data ("right to be forgotten") and limit processing, as well as the right to object to the processing of personal data provided for in Article 21 of the General Data Protection Regulation and the legal remedies provided for in Articles 79 and 82 of that regulation, if he or she suffers damage.

71. Taking into account that the data controller himself has stated that he has tried to exclude personal data from the summary, and since the summary provided by the data controller does not show the specific personal data that the data controller processes about the data subject, the summary provided by the data controller cannot be considered a copy in accordance with Article 15, Section 3 of the General Data Protection Regulation, i.e. as a replica similar to the original. Consequently, the controller's established method of exercising the right of inspection has not been in accordance with the General Data Protection Regulation.

72. Although the data controller has said that it will deliver a word-for-word transcript when the data subject requests it, or that it will deliver a transcription if it is not possible to reach the data subject by telephone, in seven of the matters brought to the attention of the Data Protection Commissioner, the transcript was not delivered to the data subject. The Data Protection Commissioner is also not aware of a situation where the data controller has delivered to the data subject a transcription that is considered a copy.

73. It should be noted that the data subject does not need to be able to refer to the provisions of the General Data Protection Regulation in his request in order for the request to be considered a request concerning the data subject's right under the General Data Protection Regulation. The controller also cannot require that the data subject separately request a word-for-word transcription. It is the responsibility of the data controller to ensure that it provides the data subject with the information required by the General Data Protection Regulation.

74. According to the controller's view, it is extremely rarely the case that the customer would like to check his information. The Data Protection Commissioner also emphasizes that the data subject has no obligation to justify his request. Thus, the reason why the data subject submits a request regarding his rights is irrelevant.

75. In the report given to the Data Protection Commissioner's Office in response to the clarification request regarding the exercise of the data subject's right, the controller has said that it has provided the data subject with a summary of the call. In its statements, the controller has not stated that this is due to the fact that it did not consider the data subjects' requests as requests in accordance with the General Data Protection Regulation.

76. As a whole, the data controller has not implemented the data subject's right of inspection in accordance with Article 12(1) and Article 15(3) of the General Data Protection Regulation during the time period covered by the decision. Even if in some cases between March 8, 2019 and September 2, 2022 the controller had provided a transcription, in the cases brought to the attention of the Data Protection Commissioner's Office the transcription has not been provided, even though the data subjects have submitted a request for the call recording.

77. The Data Protection Commissioner also draws attention to the fact that the data controller has stated in his statement to the consultation request that he considers that listening to the call recording by telephone or verbatim transcription upon request is a method of operation in accordance with the Data Protection Commissioner's previous guidance. In this regard, the Data Protection Commissioner points out that, in accordance with the decision of the Deputy Data Protection Commissioner on February 5, 2021, offering the possibility to listen to the call has not been a way to implement the inspection right of the General Data Protection Regulation. In the decision, in accordance with the established line of the Office of the Data Protection Commissioner, it has been stated that the possibility of listening can be offered, but the data controller must also offer a way to exercise the right in accordance with the General Data Protection Regulation.

78. Based on the above, the data protection commissioner considers that the data controller's activities and the report received have not shown sufficient familiarity with the obligations according to the general data protection regulation or the decisions previously issued by the data protection commissioner's office.

79. The controller has pointed out that it should have more detailed information about the matters that are the subject of the hearing request, so that it could assess whether the summary has been sent or whether the data subject has picked up a verbatim transcript from the post office. It should be noted that the data controller has been asked to clarify the matters referred to in this decision. In this context, the data controller has been provided with, among other things, information about the data subjects in question and their identities.

80. The controller has also stated that, without more detailed information, it is unable to ascertain whether the summary has been sent to the data subjects in question. However, this is not important from the point of view of the resolution of the case, because the summary provided by the data controller is not a copy as defined by the General Data Protection Regulation.

Facilitating the exercise of the data subject's rights and verifying the identity of the data subject

81. The General Data Protection Regulation does not regulate the manner in which the data subject must make requests regarding his rights. The General Data Protection Regulation therefore also does not require that the request regarding the right should be submitted in writing or signed.

82. According to Article 12, paragraph 2 of the General Data Protection Regulation, the controller must facilitate the exercise of the data subject's rights. According to recital 59 of the General Data Protection Regulation, the controller should offer means by which requests can be submitted electronically, especially when personal data is processed electronically.

83. According to Article 12, paragraph 6 of the General Data Protection Regulation, the data controller may request additional information from the data subject in order to confirm the data subject's identity, if the data controller has reasonable doubts concerning the identity of the person who made the request. According to recital 57 of the General Data Protection Regulation, if the data controller is unable to identify a natural person based on the personal data it processes, the data controller should not be obliged to obtain additional information to identify the data subject for the sole purpose of complying with a provision of this regulation.

84. In the matters initiated on 9 March 2019 and 15 April 2019, the controller has required that the data subject submit a written, signed request for the right of inspection and submit a copy of the identity document.

85. The controller has said that it only requires the request in writing and signed in those cases where the controller has not been able to verify the identity of the person who requested the information. According to the controller's current practice, it does not require a signature or a copy of the identity document to exercise the right.

86. Based on the report obtained in the case and taking into account the data controller's business activities, the data controller does not already process information about the data subject's signature. For this reason, based on the explanation obtained in the case, the signature of the person who made the request should not be considered as additional information in accordance with Article 12, paragraph 6 of the General Data Protection Regulation, which the controller can request to identify the person.

87. In its statements, the data controller has not provided a justified reason why it has not been able to identify the data subjects in connection with a digital transaction without an identity card.

88. In addition, the Data Protection Commissioner considers that the data controller has not facilitated the exercise of the data subject's rights in accordance with Article 12, paragraph 2 of the General Data Protection Regulation, as the request has had to be submitted in writing and signed. In practice, this method of operation has meant that the data subject would have to print the document, sign it and scan it or, alternatively, mail the request. Far from facilitating it, such a method of operation makes it difficult to exercise the data subject's rights.

89. The controller has said that it has received 10 signed requests. The Office of the Data Protection Commissioner has not been informed of any cases in which the data subject has submitted a signed request in matters considered in this decision. Likewise, the data controller has not actually processed the data for the data subjects in question just to identify the data subject. The controller has also said that it has changed this mode of operation. Since then, data subjects have been able to submit requests regarding the data subject's rights using a user ID. The Data Protection Commissioner therefore considers the notice sufficient in this regard.

Guidance of the Data Protection Commissioner

90. In its report, the data controller has said that if it does not reach the data subject by phone with an average of three attempts, customer service will stop pursuing the customer, which means, according to the data controller, closing the matter and deleting the recording.

91. The operation method of the data controller described above in section 90 may lead to the data controller deleting personal data before the data controller has implemented the data subject's right. After contacting the data subject, the controller must first make sure that the data subject's request has been answered appropriately. Only after this can the data controller delete the data.

92. Since the complaints submitted to the Data Protection Commissioner's office have not revealed any facts indicating that a recording was deleted, specifically in the complainants' cases, because the data controller was not able to reach the data subject by phone, the Data Protection Commissioner considers this guidance sufficient.

93. Based on the explanation received from the controller, the controller has deleted the call recordings after sending the summary. In this decision, the Data Protection Commissioner has explicitly assessed whether the summary provided by the data controller is a copy as referred to in Article 15, Section 3 of the General Data Protection Regulation. In this case, the question of whether the data controller has deleted the data before exercising the right of inspection has not been resolved.

94. In the decision in question now, the Data Protection Commissioner has considered that the summary provided by the data controller cannot be considered a copy as referred to in Article 15, Section 3 of the General Data Protection Regulation. The controller has therefore not implemented the data subject's inspection right in accordance with the General Data Protection Regulation before deleting the call recording.

95. The Data Protection Commissioner draws the controller's attention to the decision issued in case 7587/163/20. According to this decision, the data controller must delete the data concerning the data subject only after the rights of the data subject have been exercised.

This guidance of the Data Protection Commissioner cannot be appealed.

The case has been resolved by data protection commissioner Anu Talus and presented by chief inspector Mari-Ilona Korhonen.

Decision of the Sanctions Board on the administrative penalty payment

Controller

Suomen Avainsanat Oy, as holder of the auxiliary business name Suomen Yritysrekisteri Oy (business ID: 2580946-3)

Decision

96. As can be seen from the decision of the Data Protection Commissioner, the data controller's well-established operating method has meant that the data controller does not implement the data subject's right to access information in matters concerning the call recording (later 'right of inspection') in accordance with Article 12(1) and Article 15(3) of the General Data Protection Regulation, as the summary provided by the data controller cannot be considered a copy in accordance with Article 15, paragraph 3 of the General Data Protection Regulation.

97. On March 5, 2021, the controller was given a decision stating that the possibility to listen to the recording does not meet the requirements of Article 12, Paragraph 1 and Article 15, Paragraph 3 of the General Data Protection Regulation. In the decision issued on March 5, 2021, the controller has also been given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to submit an explanation of the measures taken by the controller as a result of that order.

98. In the report given to the data protection commissioner's office on April 3, 2023, the controller has further stated that its established method of operation is, alternatively, listening to the recording on the phone.

99. It is evident from the decision of the Data Protection Commissioner that the data controller has not brought the processing operations into compliance with the General Data Protection Regulation, as the data controller continues to offer the possibility of listening to the recording, but in addition to the possibility of listening, it does not offer a way to exercise the right of inspection in accordance with Article 15, paragraph 3 of the General Data Protection Regulation.

100. The controller has also not provided the data protection commissioner's office with information about what measures it has taken due to the order issued by the deputy data protection commissioner on March 5, 2021. The controller did not submit the report by the deadline of 30 April 2021, and had still not done so before the consultation request was sent on 1 February 2023. The Sanctions Board considers that the controller has not complied with the order given by the deputy data protection commissioner.

101. When assessing the conditions for the imposition of an administrative penalty, the sanctioning board draws attention, in addition to points 96–100 above, to the fact that the processing of personal data is a key part of the core business of the data controller, as the Finnish Business Register is a public business directory that includes, among other things, the personal data of private entrepreneurs. It is also a paid register for registered users.

102. Likewise, the sanctions panel considers that this is not a minor violation of the provisions of the data protection regulation as referred to in recital 148 of the General Data Protection Regulation. The Sanctions Board agrees with the data protection commissioner's assessment in paragraph 55 of this decision that it is not a minor violation.

103. The controller shall be subject to an administrative fine pursuant to Article 83(5)(b) (breach of Article 15) and Article 83(6) (non-compliance with an order issued pursuant to Article 58(2)) of the General Data Protection Regulation.

104. The data protection commissioner's office has asked the data controller to provide information on its 2022 turnover by March 30, 2023. The deadline for submitting the turnover was first extended until May 31, 2023, and after that further extended until June 9, 2023. The controller has not provided information on turnover by June 9, 2023.

105. The controller had still not submitted the confirmed financial statements for 2022 by the time of the meeting held by the Sanctions Board of the Office of the Data Protection Commissioner on June 13, 2023.

106. For this reason, on June 12, 2023, the Office of the Data Protection Commissioner requested the controller's certified financial statements for 2022 from the Patent and Registration Board. The Patent and Registration Board has said that the controller has not submitted the confirmed financial statements for 2022 by June 12, 2023.

107. On June 13, 2023, the Office of the Data Protection Commissioner requested the Patent and Registration Board to submit the certified financial statements of the data controller for 2021.

108. Since the data controller has not provided information on the turnover of 2022, the sanctioning board estimates the amount of the penalty fee based on the confirmed turnover of 2021. The controller's turnover in 2021 was 655,752 euros. In the current case, the administrative penalty imposed on the controller may not exceed EUR 20,000,000.

109. The sanctioning board formed by the data protection commissioner and deputy data protection commissioners orders the data controller to pay the state an administrative penalty fee of twenty-three thousand (23,000) euros pursuant to article 58, paragraph 2, subparagraph i and article 83 of the general data protection regulation. The Sanctions Board considers the administrative penalty fee of 23,000 euros to be effective, proportionate and dissuasive.

Reasons for imposing an administrative penalty

Applicable legislation

110. According to Article 83, paragraph 1 of the General Data Protection Regulation, the imposition of an administrative penalty fee for a violation of the General Data Protection Regulation must be effective, proportionate and dissuasive in each individual case.

111. According to Article 83(2) of the General Data Protection Regulation, an administrative penalty fee is imposed in accordance with the circumstances of each individual case in addition to or instead of the measures referred to in Article 58(2)(a) through (h) and (j). In the case in question now, the data protection commissioner has ordered the data controller to bring its processing activities into compliance with the general data protection regulation, and has issued a notice to the data controller. The administrative penalty fee is thus imposed in addition to Article 58, paragraph 2, subparagraph b.

112. When deciding on the imposition of an administrative penalty fee and the amount of the administrative penalty fee, in each individual case, according to Article 83(2) of the General Data Protection Regulation, the following points must be properly taken into account:

a) the nature, severity and duration of the breach, taking into account the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the breach and the extent of the damage caused to them;

b) the intentionality or negligence of the breach;

c) actions taken by the controller or personal data processor to mitigate the damage caused to the data subjects;

d) the degree of responsibility of the controller or processor of personal data, taking into account the technical and organizational measures taken by them pursuant to Articles 25 and 32;

e) possible previous similar violations by the controller or personal data processor;

f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate its possible adverse effects;

g) groups of personal data affected by the breach;

h) the manner in which the breach came to the attention of the supervisory authority, in particular whether the controller or personal data processor notified the breach and to what extent;

i) if measures referred to in Article 58 paragraph 2 have previously been imposed on the relevant data controller or personal data processor for the same matter, compliance with these measures;

j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factors applicable to the case, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation.

113. In accordance with the decision of the Data Protection Commissioner, the data controller has violated the provisions of Article 12(1) and Article 15(3) of the General Data Protection Regulation. Pursuant to Article 83(5)(b) of the General Data Protection Regulation, violations of the provisions of Articles 12-22 are subject to an administrative fine of up to EUR 20,000,000 or, in the case of a company, four percent of the total worldwide annual turnover of the previous financial year, whichever of these amounts is greater.

114. According to Article 83, Paragraph 6 of the General Data Protection Regulation, failure to comply with the order of the supervisory authority referred to in Article 58, Paragraph 2 of the General Data Protection Regulation is subject to an administrative penalty fee of a maximum of EUR 20,000,000, or, in the case of a company, four percent of its total annual worldwide turnover of the previous financial year, whichever is greater.

115. When assessing the imposition and amount of an administrative penalty fee, the aforementioned sections of Article 83 of the General Data Protection Regulation should be taken into account. When evaluating the matter, the guidelines of the Article 29 Data Protection Working Party on the application and imposition of administrative fines must also be taken into account.

Assessment of the severity of the breach

116. In the assessment of the seriousness of the breach, Article 83, paragraph 2, subparagraphs a, b and g of the General Data Protection Regulation have been taken into account.

Nature of the breach

117. In the case at hand, the violation, as is apparent from the data protection commissioner's decision, concerned the failure to implement the data subject's right of inspection in accordance with Article 15 of the General Data Protection Regulation. In particular, it concerned the right to receive a copy of the call recording according to Article 15, paragraph 3.

118. Taken as a whole, the matter at hand reflects a violation of the General Data Protection Regulation that is more extensive than individual cases. The data protection commissioner's office has received numerous contacts, which reflect the general way the data controller operates.

119. Regarding the nature of the violation, the case at hand now also involves non-compliance with the order issued by the supervisory authority. The controller has been given a decision on March 5, 2021, in which it has been stated that the provision of listening is not in accordance with Article 12, paragraph 1 and Article 15, paragraph 3 of the General Data Protection Regulation. The controller has been ordered to bring processing operations into compliance with the regulation. The data controller has not changed the processing operations in accordance with the order, nor has it provided the data protection commissioner's office with information on which measures it has taken as a result of the order, in accordance with the order given by the deputy data protection commissioner.

120. If the controller could fail to comply with the order issued by the supervisory authority without an appropriate sanction, the effective and uniform implementation of the General Data Protection Regulation would be jeopardized, which would cause a significant risk to the rights and freedoms of data subjects. The purpose of the order issued by the Deputy Data Protection Commissioner was to ensure that the data controller changes its operating methods in accordance with the General Data Protection Regulation so that the data subject has the right to receive the information based on the right of inspection in writing and, as the case may be, electronically.

The sanctions panel considers the nature of the violation as a whole to justify the imposition of an administrative penalty.

Severity of the violation

121. When assessing the seriousness of a violation, the nature, scope or purpose of the data processing in question must be taken into account, as well as the number of data subjects affected by the violation and the extent of the damage caused to them.

122. With regard to the nature and purpose of the processing of personal data, the sanctions panel draws attention to the fact that the core business of the controller is based on the processing of personal data. It is a business service for which registered users also pay.

123. Regarding the scope of the processing of personal data, the sanctions panel states that it is a national activity. In principle, the processing has no effect on data subjects located in other EU member states. This fact is not to be considered a factor that either increases or reduces the seriousness of the violation.

124. With regard to the number of data subjects, the sanctions panel draws attention to the fact that it is not just an isolated case. The Data Protection Commissioner has independently investigated the data controller's general and well-established operating method, as the Data Protection Commissioner's office has received numerous contacts regarding the fact that the data controller has not provided the data subject with a recording of the call.

125. The controller has not been able to give an exact number of how many requests for the right of inspection pursuant to Article 15 of the General Data Protection Regulation it has received between March 8, 2019 and September 2, 2022. However, the controller has said that it had 9,386 customers during the period in question.

126. In its report, the data controller has considered the number of cases initiated in the data protection commissioner's office to be small compared to the data controller's total number of customers. Although the seven cases initiated and taken into account in the Data Protection Commissioner's decision cannot yet be considered to indicate that a large number of data subjects were the target of the violation, the sanctions panel draws attention to the fact that the case as a whole represents a violation of the General Data Protection Regulation that is broader than individual cases. As explained above, it is about the general operation of the data controller.

127. Weight cannot therefore be given only to how many data subjects have concretely tried to use their rights during the period in question. The inactivity of data subjects cannot be counted in the controller's favor. As explained above, it is not about a single violation, but about the inadequacy of the practices that the data controller needs in order to implement the data subject's rights appropriately. The sanctions panel cannot rule out the possibility that the controller's violation could also affect a larger number of data subjects than just the seven data subjects referred to in this decision, who have filed a complaint with the data protection commissioner's office.

128. Regarding the extent of the damage caused to the data subjects, the sanctions panel considers that proof of damage caused to the data subjects cannot be considered a prerequisite for imposing a penalty fee. Although no concrete damage has been revealed during the investigation carried out by the Data Protection Commissioner, it is not excluded that damage could have occurred. In this regard, the sanctioning board draws attention to the fact that the data subjects have mostly submitted a request for the right of inspection because they have received an invoice from the data controller based on a contract that the controller considers to have been created.

129. Although it is not within the competence of the sanctioning board or the Office of the Data Protection Commissioner to assess whether an agreement has been formed, the fact that the data subjects have not received a recording of the call with the data controller means that they have not been able to ascertain what information the data controller gave on the phone and, on that basis, to assess whether a contract was created. The possible damage caused to the data subjects must be considered a factor supporting the seriousness of the violation.

Duration of the infringement

130. With regard to the duration of the violation, the sanctions panel draws attention to the fact that the controller's modus operandi has been to deliver a summary of the call recording or to provide the opportunity to listen in the period between March 8, 2019 and September 2, 2022. It is thus a relatively long-lasting violation in terms of time.

131. Regarding the duration, the Sanctions Board draws attention to the fact that the data controller has already received the first decision from the Data Protection Commissioner's office on March 5, 2021. In that decision, it has been stated that the possibility of listening does not meet the requirements of the General Data Protection Regulation. In that decision, it is also stated that the call recording must be submitted in writing. Despite the decision, the controller has still stated in the report given on April 3, 2023 that he offers the possibility to listen to the recording.

132. Based on the above, the sanctions panel considers that the duration of the violation supports the imposition of a penalty fee.

Intentional or negligent breach

133. In the guidelines of the Article 29 Data Protection Working Party on the application and imposition of administrative fines, it has been stated that intentionality usually requires a conscious and intentional violation, while negligence means that the violation was not intentional, even if the controller violates the due diligence obligations required by law. According to the above-mentioned guidelines, a deliberate violation that manifests disregard for the law is generally considered more serious than an unintentional violation.

134. On March 5, 2022, the controller was given a decision in which it was stated that the possibility to listen to the recording does not meet the requirements of Article 12, Paragraph 1 and Article 15, Paragraph 3 of the General Data Protection Regulation. Despite this, the controller has still stated in the report issued on April 3, 2023, that it offers the possibility of listening to the recording. In its report, the controller has stated that the possibility to listen to the recording is not the only way to exercise the right, because in addition to the possibility to listen, the controller has offered a compilation, and in some cases provided a transcription. As stated in paragraph 76 of the Data Protection Commissioner's decision, no transcription was submitted in any case brought to the Data Protection Commissioner's office.

135. To the extent that the data controller has relied in its report on the fact that, in addition to the possibility of listening, the data controller has offered a summary, the sanctioning board draws attention to the fact that the data controller should have been aware of how the right of inspection regarding the call recording should be provided no later than after the decision of 21 October 2022. In the decision issued by the Data Protection Commissioner on October 21, 2022, the data controller is instructed that the copy delivered under the right of inspection must correspond to the content of the call recording, so that the data subject can make sure that the personal data being processed is in accordance with the law. The decision has also stated that the possibility of submitting the data in a format other than the original (as an audio file) does not mean that the data controller could edit the personal data it has submitted in such a way that the data delivered to the data subject does not correspond to the data that the data controller processes.

136. Based on the above, the sanctions panel considers that the controller has thus come to understand that the summary does not meet the requirement of Article 15, paragraph 3 of the General Data Protection Regulation.

137. Consequently, the sanctions panel considers that the controller's actions were intentional. The controller has made a conscious choice not to comply with the provisions of the General Data Protection Regulation when deciding to implement the right of inspection by offering the opportunity to listen or by delivering a summary.

138. The data controller's violation can also be considered intentional in so far as it concerns the data controller's failure to provide the Data Protection Commissioner's office with information about the measures it has taken as a result of the Deputy Data Protection Commissioner's decision. If it was unclear to the data controller what was meant by the measures required by the Deputy Data Protection Commissioner's decision, or by the decision itself, the data controller could have contacted the Data Protection Commissioner's office or the reporter who resolved the matter.

139. Based on the above, the sanctions panel considers that the intent of the violation supports the imposition of a penalty fee.

Categories of personal data affected by the breach

140. No facts have come to light in the case indicating that the controller processes personal data belonging to the special categories of personal data referred to in Article 9 of the General Data Protection Regulation.

Assessment of aggravating and mitigating factors

141. In the current case, points (c) to (f), (h) to (i) and (k) of Article 83(2) of the General Data Protection Regulation have been taken into account when deciding on the imposition and amount of the administrative fine.

Actions by the data controller to mitigate the damage caused to the data subject

142. The data protection group's instruction on the application and imposition of administrative penalty fees states that the data controller should do everything in its power to mitigate the consequences of the violation for those concerned. According to the instruction, the supervisory authority can take into account the controller's responsible activity, or lack of it, when calculating the penalty fee.

143. As stated above, the controller has been instructed in implementing the inspection right according to Article 15 of the General Data Protection Regulation. The controller has not changed its way of operating as a result of the decisions and has thus not made the necessary changes to mitigate the violation. The sanctions panel takes this into account in its assessment as an aggravating circumstance.

The degree of responsibility, taking into account the technical and organizational measures implemented by the data controller pursuant to Article 25

144. Article 25 of the General Data Protection Regulation requires that the data controller takes into account "the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, which vary in probability and severity, caused by the processing. In connection with the determination of processing methods and the processing itself, the controller must effectively implement appropriate technical and organizational measures for the implementation of data protection principles, such as data minimization, such as pseudonymization of data and the necessary protective measures, so that they can be included as part of the processing and so that the processing meets the requirements of this regulation and the rights of data subjects are protected."

145. The sanctions panel considers that the data controller has not taken sufficient appropriate measures to fulfill its obligations under the General Data Protection Regulation, nor ensured that appropriate organizational measures are implemented in its operations to give effect to the data subject's rights. Such measures include, for example, a measure to ensure that data subjects can monitor data processing.

146. Even after the decisions of the Data Protection Commissioner's office, the data controller has not changed its operating method to comply with the General Data Protection Regulation. The sanctions panel takes this into account in its assessment as an aggravating circumstance.

Previous similar violations and measures previously imposed on the same matter

147. The data protection group's instruction on the application and imposition of administrative fines states that the supervisory authority should evaluate the track record of the entity that committed the violation in processing personal data. The supervisory authorities should take into account that the assessment in this regard can be very broad, as any type of violation of the provisions of the General Data Protection Regulation, even if it is different in nature from the violation currently being investigated by the supervisory authority, may be relevant for the assessment, as it may indicate insufficient information at a general level or non-compliance with data protection regulations.

148. The controller has been given two decisions concerning it, both of which dealt with the issue of the right of inspection in relation to the call recording. The previous decisions have been taken into account in the assessment of the degree of responsibility.

The degree of cooperation with the supervisory authority and the manner in which the breach came to the supervisory authority's attention

149. The data protection group's instruction on the application and imposition of administrative fines states that the degree of cooperation of the data controller can be "appropriately taken into account" when deciding on the imposition of an administrative fine and its amount. According to the instructions, a relevant fact can be taken into account if the controller has reacted to the requests of the supervisory authority during the investigation of the case in question in such a way that it has significantly limited the risk to the rights of individuals.

150. According to Article 31 of the General Data Protection Regulation, the controller and personal data processor and, if necessary, the representative of the controller or personal data processor must, upon request, cooperate with the supervisory authority to perform its tasks. However, according to the guidelines given by the Data Protection Group on the application and imposition of administrative fines, it would not be appropriate to emphasize the cooperation already required by legislation.

151. The activity of the data controller that violates the provisions of the General Data Protection Regulation has come to the attention of the Data Protection Commissioner's office through numerous contacts.

152. As stated in point 16 of the decision, the data controller has not responded to the Data Protection Commissioner's request for additional information on whether the data controller has considered the compilation to be a copy in accordance with the General Data Protection Regulation. The controller still did not provide a clear answer to this in the report given on 3 April 2023. The explanation the controller gave in response to the consultation request has also been contradictory. The sanctions panel considers that the data controller has not made much of an effort to cooperate with the Data Protection Commissioner's office in this regard.

153. As a whole, the sanctioning board takes this into account in its assessment as an aggravating factor.

The decision regarding the imposition of an administrative sanction fee has been made by the members of the Sanctions College of the Data Protection Commissioner.

Data Protection Commissioner Anu Talus

Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa

Deputy Data Protection Commissioner Annina Hautala

More information about this decision will be provided by the rapporteur

Chief inspector Mari-Ilona Korhonen, tel. 029 56 66725

Applicable legal provisions

Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 12(1), (2) and (6), Article 15(3), Article 58(2)(b) and (i), Article 83(1), (2), (5) and (6).

Data Protection Act (1050/2018) Section 24

Administrative Act (434/2003) Section 11, Section 34

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the Administrative Court.

The decision is not legally binding.