Tietosuojavaltuutetun toimisto (Finland) - 9885/157/19
From GDPRhub
| Tietosuojavaltuutetun toimisto - 9885/157/19 | |
|---|---|
 | |
| Authority: | Tietosuojavaltuutetun toimisto (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 12(1) GDPR Article 12(2) GDPR Article 21 GDPR Article 58(2)(d) GDPR § 200(3) Act on Electronic Communications Services |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 20.12.2019 |
| Decided: | 10.07.2023 |
| Published: | 01.08.2023 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 9885/157/19 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Finnish |
| Original Source: | Finlex (in FI) |
| Initial Contributor: | fred |
The Finnish DPA ordered a telecommunications company to allow the data subjects to easily deny the use of their contact information for direct marketing purposes in connection with electronic direct marketing messages.
English Summary
Facts
A data subject had tried to deny direct marketing carried out by a telecommunications company (the controller), but there was no direct way to do this in the direct marketing message they had received. The data subject also had difficulties finding the contact information of the data protection officer on the controller's website.
According to the controller, direct marketing could have been denied in two ways: by contacting customer service or by creating an account in the online service. The contact information of the data protection officer, on the other hand, could have been found on the controller's website, layered behind three separate pages. In addition, the data subject could have called the controller's switchboard and asked to be connected to the data protection officer.
Holding
The DPA stated that the requirement to sign in to an online service as the only possibility to deny direct marketing does not meet the requirement of ease of refusal according to Section 200(3) of the Finnish Act on Electronic Communication Services. The DPA emphasised that the requirement of Article 12(2) GDPR should also have been taken into account in order to facilitate the exercise of the data subject's rights, such as the right to object according to Article 21 GDPR.
Pursuant to Article 58(2)(d) GDPR, the DPA ordered the controller to ensure that data subjects are given the opportunity to easily deny the use of their contact information for direct marketing purposes in connection with electronic direct marketing messages.
With regard to the contact information of the data protection officer, the DPA considered that when the information provided to the data subject on the website is layered, for example, on different pages, the combined effect of the different pages is of paramount importance in order to ensure that the layered operating model does not increase confusion but reduces it.
Thus, the DPA instructed the controller to ensure that data subjects can easily find the contact information of the data protection officer on the controller's website in accordance with Article 12(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
The decision of the Data Protection Commissioner in the case of direct marketing and information of data subjects Thing Objecting to electronic direct marketing, informing data subjects about the contact details of the data protection officer Registrar Telecom company Statement received from the initiator On December 20, 2019, a matter was initiated in the Data Protection Commissioner's office, where the initiator has said that he tried to ban direct marketing, but there was no direct way to do this in the direct marketing message he received. The initiator had received, among other things, an advertisement for the service, which has a link at the bottom with the text "Manage your communication settings [in the online service]". According to the initiator, two ways to prohibit direct marketing were found on the website of the registry keeper: calling a toll-free phone number or creating online service identifiers. The initiator has also said that he had difficulty finding the data protection officer's contact information on the controller's website, and in the opinion of the initiator, the data protection officer was not able to tell a free and easy way to ban direct marketing. Statement received from the registrar An explanation has been requested from the controller with an explanation request dated 22 January 2021 and an additional explanation request dated 10 March 2021. The registrar has issued a written statement on the matter on February 5, 2021 and an additional statement on March 25, 2021. According to the report given by the controller on February 5, 2021, consumer customers can manage their electronic communication settings via an electronic service channel. The customer can also manage their marketing bans from the user pages of different services. The customer can also deny electronic direct marketing by contacting us through other customer service channels (for example, by phone, through a chat service or in a store). On March 10, 2021, the controller has been asked for further clarification about the marketing e-mail received by the initiator, which has a text link at the bottom "Manage your communication settings [in online service]". According to the registrar's further investigation, the initiator had access to credentials that could have been used to log into the online service. According to the controller, the link at the bottom of the e-mail message leads to the service's login page, from which, after logging in, a point would have opened directly where the initiator could have managed his own communication settings. According to the registrar, the login page has instructions on how the customer could have proceeded if he did not remember his credentials, and in practice, logging into the service would have been successful with the help of a mobile certificate or bank credentials, with strong electronic identification. Without a separate electronic identification, it would have been possible to recover the password also using an e-mail address. According to the controller, the link text included in the messages has now been changed to "Manage your marketing permissions [in the online service]". The controller has also been asked to clarify how the data protection officer's contact information can be found by data subjects on the controller's website. According to the data controller's report, the data protection officer's contact information can be found via the following path: Privacy -> Please familiarize yourself with [the data controller's] data protection principles -> Data protection officer's contact information. According to the data controller, if necessary, the data protection officer can also be reached by phone by contacting, for example, the data controller's switchboard and asking to be connected to the data protection officer. On applicable legislation The processing of personal data is regulated in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation). The Data Protection Regulation is specified in the Data Protection Act (1050/2018). Chapter 24 of the Act on Electronic Communication Services (917/2014) provides for electronic direct marketing. According to Section 305 of the Act on Electronic Communication Services, the Data Protection Commissioner supervises compliance with the provisions of Sections 200 and 202–204 on direct marketing. The right to object to direct marketing According to § 200.3 of the Act on Electronic Communication Services, the service provider or the product seller must give the natural person who is a customer the opportunity without separate payment and easily prohibit the use of contact information in connection with the collection of information and every e-mail message, text message, voice message, voice message and picture message. The service provider or product seller must clearly inform about the possibility of a ban. Article 21 of the General Data Protection Regulation provides for the data subject's right to object. According to paragraph 2 of the article, if personal data is processed for direct marketing, the data subject has the right at any time to object to the processing of personal data concerning him for such marketing. According to paragraph 3 of the article, if the data subject objects to the processing of personal data for direct marketing, they may no longer be processed for this purpose. According to section 4 of the article, at the latest when the data subject is contacted for the first time, the right referred to in section 2 of the article must be expressly brought to the data subject's attention and presented clearly and separately from other information. According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22. Information about the contact details of the data protection officer According to Article 12(1) of the General Data Protection Regulation, the data controller must take appropriate measures to provide the data subject with the information in accordance with Articles 13 and 14 and all processing information in accordance with Articles 15-22 and 34 in a concise, transparent, easily understandable and accessible form in clear and simple language especially when the information is specifically intended for a child. The information must be submitted in writing or in another way and, as the case may be, in electronic form. If the data subject requests it, the information can be given verbally, provided that the identity of the data subject has been confirmed in another way. According to Article 13(1)(b) and Article 14(1)(b) of the General Data Protection Regulation, the data subject must be provided with the contact information of a potential data protection officer, as the case may be. The obligation to inform the data subject is linked to the requirement of transparency in the processing of personal data (Article 5(1)(a) of the General Data Protection Regulation), and compliance with the obligation to inform implements the principle of transparency. The transparency of personal data processing is also required by Article 25(1) of the General Data Protection Regulation (built-in data protection), according to which data protection principles, such as the principle of transparency, must be effectively implemented. A legal issue The Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The data protection officer must resolve: 1) has the data controller given the possibility to easily deny the use of contact information in connection with an electronic direct marketing message, and has the data controller's procedure been in accordance with § 200.3 of the Act on Electronic Communication Services in these respects 2) whether the data controller has informed registered users on their website about the contact information of the data protection officer in a transparent manner (Article 5(1)(a), Article 12(1) and Article 25(1) of the General Data Protection Regulation) The data protection officer's decision and reasons Decision The option to prohibit electronic direct marketing provided by the controller in direct marketing messages has required the data subject to log in to the online service, and the controller has not provided the possibility to easily prohibit the use of contact information in connection with electronic direct marketing messages. In these respects, the procedure of the registrar has not been in accordance with § 200.3 of the Act on Electronic Communication Services. The controller is given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities into compliance with data protection regulations. Pursuant to this regulation, the controller must ensure that data subjects are given the opportunity to easily deny the use of their contact information for direct marketing purposes in connection with electronic direct marketing messages. The data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders it to submit a report on the measures taken to the data protection commissioner's office by August 31, 2023, unless it applies for an amendment to this decision. The data protection commissioner provides guidance to the data controller regarding the information of the data subjects regarding the data protection officer's contact information. Reasoning Prohibition option provided in electronic direct marketing messages In the case being evaluated now, the controller has offered the registrant in his direct marketing messages the opportunity to log in via a link with his own credentials to a customer account, which the customer can use to manage his marketing consents. At the end of the controller's electronic direct marketing messages, there has been a text link "Manage your communication settings [in the online service]". According to the controller, the text of the link has been changed to "Manage your marketing authorizations [in online service]" in connection with the investigation work of the data protection authorized office. No other prohibition option has been included in the messages. According to the controller's explanation, the customer can also manage their marketing bans on the user pages of different services, and ban electronic direct marketing by contacting them through other customer service channels (for example, by phone, via a chat service or in a store). The chat service also works in the online service according to the instructions found on the website of the registrar and requires logging in. According to the chat service section of the data controller's customer service page, "You can find our chat customer service [online service] Mon-Fri 8:00-21 and Sat-Sun 9-17". According to § 200.3 of the Act on Electronic Communication Services (hereinafter also: SVPL), the service provider or the product seller must give the natural person who is a customer the opportunity without a separate payment and easily prohibit the use of contact information in connection with the collection of information and every e-mail message, text message, voice message, voice message and picture message . The service provider or product seller must clearly inform about the possibility of a ban The Data Protection Commissioner states that, in accordance with SVPL § 200.3, the data controller must give the data subject the opportunity to object to the use of their contact information easily and without a separate payment in connection with every electronic direct marketing message. The requirement to log in to customer pages as the only possibility to object included in an electronic direct marketing message does not meet the requirement set in the Act on electronic communication services for the ease of objecting. For example, in a situation where the data subject does not remember his login credentials, he must take measures to restore the credentials or find an alternative means of objection. The Data Protection Commissioner draws the data controller's attention to the fact that § 200.3 of the Act on Electronic Communications Services requires that the data subject is given the opportunity to easily object to direct marketing in connection with a direct marketing message, and it is not possible to fulfill this requirement in such a way that the data controller otherwise also offers other means to object, which can be found by the data subject, for example by the data controller from the website. With regard to the means of objection offered to the data subject, the controllers must also take into account the requirement of Article 12(2) of the General Data Protection Regulation to facilitate the use of the data subject's rights, such as the right to object according to Article 21 of the General Data Protection Regulation. With regard to the methods of objection offered to data subjects, the registrants must also ensure that all data subjects have equal access to the data subject's rights, and not prioritize certain groups, such as data subjects who have purchased a product or service or data subjects with login credentials. In the case being evaluated now, the possibility to prohibit the use of contact information included by the data controller in its electronic direct marketing messages is not easily available to the data subject as referred to in Section 200.3 of the Act on Electronic Communication Services. The data protection commissioner issues an order to the data controller to bring the procedure in line with data protection regulations. Informing registrants about the contact details of the data protection officer In the case under consideration, the contact information of the data protection officer of the data controller can be found on the website of the data controller under the following path: Data protection -> Please familiarize yourself with the data protection principles of [the data controller] -> Contact data of the data protection officer. The principle of transparency and the related built-in data protection requirement require that the information given to the data subject about the processing of personal data is easily accessible to the data subject. The transparency requirement aims to ensure that the data subject receives appropriate information about the processing of his personal data and, for example, understands his rights according to Chapter III of the General Data Protection Regulation. In accordance with Article 13(1)(b) of the General Data Protection Regulation, the information provided to the data subject must include the contact information of the data protection officer. The data protection officer is an important contact point that data subjects can contact in all matters related to the processing of their personal data and the exercise of their rights based on the General Data Protection Regulation. The data protection officer's contact information must be easily accessible to the data subject. When, for example, the information provided to registered users on the website is layered on different pages, the combined effect of the different pages is of paramount importance in order to ensure that the layered operating model does not increase confusion but reduces it. In the matter now being evaluated, the data subject looking for the data protection officer's contact information must click on the link "Please familiarize yourself with [the data controller's] data protection principles" on the data controller's privacy page, behind which there is the link "Data Protection Officer's contact information". The contact information of the data protection officer opens by pressing the last mentioned link. The "Please familiarize yourself with [the data controller's] privacy principles" link does not, for example, refer to the contact information necessary in matters concerning the processing of personal data, and it cannot be concluded that the contact information in question can be found behind it. It is not necessary for the contact information of the data protection officer to be presented on the first page of the data protection information. However, the contact information must be easily found by the data subject. The data protection commissioner provides guidance to the data controller regarding the information of the data subjects regarding the data protection officer's contact information. Supervision of the data protection officer The data protection officer directs the data controller to ensure that the data protection officer's contact information is easily found by the registrants on the data controller's website. In matters of data protection, the data protection officer acts as the first point of contact for data subjects, and in terms of exercising the data subject's rights, it is important that the data protection officer's contact information can be found easily.
