Tietosuojavaltuutetun toimisto (Finland) - TSV/224/2023

From GDPRhub
Tietosuojavaltuutetun toimisto - TSV/224/2023
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Article 25(2) GDPR
Article 58(2)(c) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started: 07.06.2023
Decided: 19.02.2024
Published: 29.02.2024
Fine: n/a
Parties: n/a
National Case Number/Name: TSV/224/2023
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA held that a controller cannot systematically request data subjects to submit a signed form and a copy of their ID for an access request, as facilitating the data subject's rights under the GDPR requires a case by case assessment.

English Summary

Facts

The Finnish DPA was notified that a provider of first aid training ("controller") had requested the data subject to submit by email a signed form and a copy of their ID in order to exercise the right of access. The data subject made an access request but did not provide the filled in form and a copy of their ID. Therefore, the controller did not provide access to the personal data.

The DPA had asked the controller to explain how it facilitated the exercise of data subject rights. In addition, the DPA also asked the controller to clarify how long it retained personal data.

In response to the request, the controller clarified that it could not confirm the identity of the data subject because the access request had been submitted by email, which only contained the name and email address of the data subject. Therefore, the controller could not fulfill the request, because the data subject had not agreed to submit the signed information request form or to identify themselves as requested by the controller.

Concerning the retention periods, the controller stated that the completed training was valid for three years and that the personal data would be erased two years after the end of the validity period.

Holding

On the basis of the information provided by the controller, the DPA considered that the controller's method of identifying the data subject was not based on a case-by-case assessment and that requesting a copy of the identity document was a standard means of identification.

The DPA emphasised that the controller's possibility to request additional information to confirm the identity of the data subject in accordance with Article 12(6) GDPR must not lead to unreasonable requirements and the collection of personal data that is not necessary to verify the connection between the data subject and the personal data requested.

The DPA found that the controller had not facilitated the exercise of data subject rights in accordance with Article 12(2) GDPR, as the data subject an unreasonable effort when submitting a signed form and a copy of their ID.

The DPA also noted that, based on the retention period determined by the controller, it should have erased the data subject's personal data even before the data subject's access request.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 12(2) GDPR, Article 12(6) GDPR and Article 25(2) GDPR.

In accordance with Article 58(2)(c) GDPR, the DPA ordered the controller to comply with the data subject's access request. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to amend its identity verification policy to comply with the aforementioned provisions of the GDPR and to erase personal data older than the specified retention period without undue delay.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Deputy Data Protection Commissioner
Thing

Submitting a request for the registered right of inspection and confirming the registered person's identity, as well as the legality and storage period of the processing of the registered person's personal data
Registrar

First aid training organizer
The requirements of the registered person with reasons

The data subject has asked the data protection commissioner's office to assess whether the data controller is acting in accordance with the General Data Protection Regulation of the European Parliament and of the Council ((EU) 2016/679) when asking the data subject to send a signed information request form and a copy of the identity document by email in order to exercise the right of inspection to confirm the identity of the data subject.

The data subject has considered that the additional information required by the data controller to confirm the identity is not justified and appropriate in relation to the personal data of the data subject that the data controller processes. The registered person has considered that the procedure of the controller is not in accordance with the principles regarding the processing of personal data. According to the registered opinion, the controller has also not made it easier for the data subject to exercise his rights.

The registered person has also stated that, in his opinion, he has not received an appropriate explanation from the controller on the basis of the processing of his personal data. The registered person has doubts about the legality of the processing of his personal data. According to the information given by the controller to the registered person by e-mail, the basis for processing personal data is either a contract or a legitimate interest. The registered person has considered that neither of these processing grounds is applicable in his case.
Statement received from the registrar

The registrar has been requested to clarify the matter on June 7, 2023. The controller has submitted his report to the data protection commissioner's office on June 20, 2023.

The controller has confirmed that he has received the information request submitted by the data subject. According to the controller, it has not been able to confirm the identity of the data subject, because the data subject has submitted a request for information by e-mail, which only shows the first and last name and e-mail address of the data subject. The registrar has stated that he instructed the registrant to send a signed information request form and to identify himself by sending a copy of his identity card by e-mail. The registrant has stated that he has offered the registrant an alternative option to identify himself electronically in the Visma Sign service. The data controller has stated that it has not been able to fulfill the data subject's request for access to the data, because the data subject has not agreed to submit a signed information request form and to identify himself as required by the data controller.

The registrar has stated that requesting an identity document ensures that the requester is registered and that the request for information is addressed to the right person. The operation method of the registrar is evident from the register information request form submitted as an attachment to the registrar's statement, where it is stated that a copy of the identity document must be attached to the request.

The controller has further stated that the processing of the personal data of the registered person is based on the contract. According to the registrar's report, the data subject has entered into a customer relationship when registering for training organized by the registrar. In addition, the controller has provided copies of the personal data of the data subject it processes to the data protection commissioner's office. According to its report, the controller processes the following information about the registered person: first and last name, address, e-mail address, telephone number and information about the completion of the training.

The data protection commissioner's office has requested additional clarification from the data controller on 31 August 2023. The data controller has been asked whether and how the data controller has defined the retention period of personal data according to the data processing purposes. The controller has submitted his additional explanation to the data protection commissioner's office on 22 September 2023.

The controller has stated in his supplementary report that he has determined the retention periods for the processing of personal data according to processing purposes. According to the registry keeper, information on storage periods is provided in the registry-specific privacy statements. The controller has stated that he considers that the necessity requirement for the processing of personal data ends when two years have passed since the expiration of the training course, or three years have passed since the last product purchase, or when the statutory retention period expires. According to the controller, the personal data will be anonymized or deleted at the end of the aforementioned retention period. The registrar has further stated that the trainings are valid for three years.
The registered equivalent

In this case, no consideration has been requested from the registered person. Based on the applicable legislation and the established interpretation practice, the matter is so clear that a decision can be given without the registrant's compensation based on Section 34, Subsection 2, Clause 5 of the Administrative Act. The matter can be resolved on the basis of the applicable legislation and the request brought to the attention of the data protection officer's office, as well as the explanations received from the data controller.
Applicable legislation

The processing of personal data is regulated in the General Data Protection Regulation. The Data Protection Regulation is specified in the Data Protection Act (1050/2018).

According to Article 6 of the General Data Protection Regulation, the processing of personal data is lawful only when there is a basis for processing according to Article 6, paragraph 1. The principles regarding the processing of personal data are stipulated in Article 5 of the General Data Protection Regulation. Article 25 provides for built-in and default data protection. The right to access information is regulated in Article 15 and the procedure to be followed in exercising the right in Article 12.

Paragraph 2 of Article 58 of the General Data Protection Regulation provides for the remedial powers of the supervisory authority. According to paragraph 2, subparagraph c of the article, the supervisory authority has the authority to order the controller or personal data processor to comply with the data subject's requests regarding the use of the data subject's rights based on the regulation. According to paragraph 2, subparagraph d of the article, the supervisory authority has the authority to order the controller or personal data processor to bring the processing activities into compliance with the provisions of the General Data Protection Regulation, if necessary, in a certain way and within a certain deadline.
A legal question

The issue is, first of all, whether the controller's procedure for submitting a request for the data subject's inspection right and identifying the data subject is in accordance with Article 12 paragraphs 2 and 6 and Article 5 paragraph 1 subparagraph c of the General Data Protection Regulation.

This decision does not apply to the operations of the data controller in so far as it concerns an alternative method of identification of the data subject. It can be stated that if the data controller has different ways to confirm the identity of the registered person, the data controller must ensure that these methods are in accordance with the General Data Protection Regulation. In particular, it should be taken into account that alternative identification methods do not make it difficult to use the rights of the registered person.

The Deputy Data Protection Commissioner must also assess whether the data controller has had a basis for processing the personal data of the registered person in accordance with Article 6, Paragraph 1 of the General Data Protection Regulation.

The Deputy Data Protection Commissioner must also decide whether the procedure for storing the registered person's personal data has been in accordance with Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation.

The Deputy Data Protection Commissioner must decide whether an order according to Article 58(2)(d) of the General Data Protection Regulation must be issued to the data controller to bring the processing operations in line with the provisions of the General Data Protection Regulation and whether an order issued to the data controller pursuant to Article 58(2)(c) must comply with the data subject's request. In addition, the deputy data protection commissioner must assess whether other powers belonging to the data protection commissioner should be used in the case.
Decision and reasons of the Deputy Data Protection Commissioner

The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its policy regarding submitting a request for the registered person's right of inspection and confirming the registered person's identity to comply with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation.

The deputy data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders a report on the measures taken to be submitted to the data protection commissioner's office by April 15, 2024, unless the data controller applies for an amendment to this decision.

The Deputy Data Protection Commissioner also gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the data subject's request, which concerns the data subject's right to access information about him/her.

In addition, the Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subsection d of the General Data Protection Regulation to delete customer data older than the retention period defined by the data controller without undue delay, including data of the data subject. Pursuant to § 25 subsection 3 of the Data Protection Act, the Deputy Data Protection Commissioner orders the data controller to comply with the order regarding the deletion of customer data despite the appeal. However, the deputy data protection commissioner draws the controller's attention to the fact that the controller must exercise the data subject's right to access information about him/herself before deleting the data.
Reasoning
Confirmation of the registered identity

The General Data Protection Regulation has no provisions on how the identity of the data subject must be verified. The General Data Protection Regulation also does not regulate the way in which the data subject must make requests regarding his rights.

According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22. If the controller has reasonable grounds to suspect the identity of the natural person who made the request, the controller can, according to Article 12, paragraph 6, ask the requester to provide additional information that is necessary to confirm the identity. If the data subject provides additional information that can be used to identify him, the controller may not refuse to perform the requested action.

Personal data that has been used to register the person in question can also be used to confirm the identity of the registered person when the registered person exercises his rights. The possibility for the controller to request additional information for identity assessment cannot lead to unreasonable demands and the collection of personal data that are not essential or necessary to verify the connection between the person and the requested personal data. The European Data Protection Board has stated in its guideline on the right of inspection provided for in the General Data Protection Regulation (European Data Protection Board, Guidelines 01/2022 on data subject rights – Right of access. Version 2.0, Adopted on 28 March 2023.), that requesting additional information must not lead to irrelevant or to collect unnecessary personal data. (Ibid, p. 26.)

The European Data Protection Board has further stated that, although identity is verified in some contexts with the help of an identity card, requiring the person who made the request to provide a copy of their identity card cannot generally be considered as a regular procedure for confirming the identity of the registered person. (Ibid, p. 27.)

According to Article 5(1)(c) of the General Data Protection Regulation, personal data must be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"). The principle of data minimization must also be followed when the data controller requires the data subject to provide additional information to confirm his identity.

In this case, the practice of the registrar has been that in order to exercise the right to inspect the data, the registered person must submit a register information request form, which must be filled with name, date of birth, telephone number, e-mail address and local address. Such a form must also be signed. In order to identify the registrant, the registrant must attach a copy of his identity card to this form. The register information request form has instructions on the above-mentioned practice. Requesting a copy of the identity document has thus been the usual procedure of the registrar to implement the registered person's inspection right.

Taking into account Article 5(1)(c), the data controller shall not request more information from the data subject than is necessary for his identification. In order for the controller not to collect information that is unnecessary for processing, it must carry out a necessity assessment, which can take into account, for example, the type of personal data being processed. In this case, the data controller mainly carries out first aid training activities. Due to its industry, the controller does not, as a rule, process information belonging to special personal data groups concerning customers. When assessing the necessity of the data to be collected, the controller should avoid excessive collection of personal data.

The information on the identity card must be counted as additional information in accordance with Article 12, paragraph 6, which the controller should only request if it has reasonable grounds to suspect the identity of the data subject who made the request. According to the Deputy Data Protection Commissioner's assessment, the controller's method of identifying the data subject has not been based on a case-by-case consideration, but requiring a copy of the identity document has been a regular means of identification. A copy of the identity card has been required from all registered users who have wanted to exercise their right to access data according to the General Data Protection Regulation.

The Deputy Data Protection Commissioner also draws attention to the fact that the data controller has not brought out the reasons why it has not been able to identify the data subject based on the information provided by the data subject in its report.

The Deputy Data Protection Commissioner considers that the data controller has processed a wider set of personal data to identify the data subject than is necessary to identify the data subject, especially taking into account the fact that the data controller has not provided reasons why it has not been able to identify the data subject based on the information provided by the data subject, and thus has acted contrary to the General Data Protection Regulation the data minimization principle provided for in Article 5(1)(c). The Deputy Data Protection Commissioner considers that the data controller has processed personal data in violation of Article 5(1)(c) and Article 12(6) of the General Data Protection Regulation.

The registrar has also required the form to be submitted signed. The deputy data protection commissioner considers that the controller's way of operating has resulted in an unreasonable burden for the data subject, when the data subject had to submit a copy of his or her identity card along with the signed register information request form.

The deputy data protection commissioner considers that the method in question has not been a means in accordance with Article 12, paragraph 2, by which the controller could be considered to have tried to facilitate the use of the data subject's rights. The operation method of the register holder can therefore be considered to have made it unreasonably difficult to exercise the rights of the registered person.

Based on the above, the Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its policy regarding submitting a request for the data subject's inspection right and identifying the data subject to comply with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation.

Finally, the deputy data protection commissioner notes that the data controller has delivered to the data protection commissioner's office copies of the data subject's personal data it processes. The deputy data protection commissioner therefore considers that the controller has been able to identify the data subject. According to the information provided to the Data Protection Commissioner's office, the data controller has not provided this information to the data subject. For this reason, the deputy data protection commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to deliver the data to the data subject as well.
Lawfulness of the processing of registered personal data

The data subject has stated that, in his opinion, the agreement or legitimate interest determined as the basis for processing based on the information provided by the controller is not applicable in his case. The registered person has therefore doubted the legality of the processing of his personal data. Based on the registrar's report, the data subject has only been given general information about the grounds for personal data processing, because according to his statement, the registrar has not been able to confirm the identity of the data subject and thus check whether the data subject's personal data can be found in the data controller's registers. The data controller's privacy statement states that the basis for processing personal data is either a contract or a legitimate interest.

The processing of personal data is legal only when there is a basis for processing according to Article 6, paragraph 1 of the General Data Protection Regulation. According to the report given to the office by the data protection officer of the data controller, the basis for processing the personal data of the registered person is the contract that was created based on the customership when the registered person registered for the training. According to Article 6, paragraph 1, subparagraph b of the General Data Protection Regulation, the processing of personal data is lawful when the processing is necessary for the implementation of an agreement to which the data subject is a party.

The deputy data protection commissioner considers that the data controller has had grounds to process the data subject's personal data, because the data subject has registered and participated in the training organized by the data controller. The Deputy Data Protection Commissioner therefore considers that the data controller had a basis for processing the personal data of the registered person in accordance with Article 6, Paragraph 1 of the General Data Protection Regulation.
Storage period of personal data concerning the registrant

Paragraph 39 of the introductory paragraph of the General Data Protection Regulation states that personal data should be sufficient and relevant and limited to what is necessary for the purposes of their processing. This requires in particular that the storage period of personal data is as short as possible. The controller must set deadlines for the deletion of personal data or for periodic review of the necessity of their storage, in order to ensure that personal data is not stored longer than necessary.

Article 5(1)(e) of the General Data Protection Regulation provides for the principle of limiting storage. According to the article, personal data must be stored in a form from which the data subject can be identified only as long as it is necessary to fulfill the purposes of the data processing. The storage period for personal data must always be as short as possible, and the data subject must be informed of the storage period when personal data is collected, i.e. the controller must define the storage period for personal data even before taking steps to process personal data.

Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and seriousness of the risks to the rights and freedoms of natural persons caused by the processing, the controller must, in connection with determining the processing methods and the processing itself, effectively implement data protection principles such as data minimization appropriate technical and organizational measures, such as pseudonymization of data and the necessary protective measures, so that they can be included as part of the processing and so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. Article 25, paragraph 2 of the General Data Protection Regulation, together with Article 5, paragraph 1, subparagraph e, concerning the limitation of storage, imposes a clear obligation on the controller to make sure that personal data is stored only for the time necessary for the purpose of its processing.

According to his report, the controller has defined the retention periods for the processing of personal data by purpose of use. The controller considers that the necessity requirement for the processing of personal data ends when two years have passed since the validity of the training completed or three years have passed since the last product purchase.

According to the data controller's report, the processing of the data subject's personal data has been based on an agreement that was created when the data subject signed up for training organized in April 2017. Based on the report received, the data subject has not used other services provided by the data controller, i.e. the customership can be considered to be based only on the training organized in April 2017. The registrar has stated in his report that the attended trainings are valid for three years.

The Deputy Data Protection Commissioner considers that, based on the retention period specified by the above-mentioned data controller, the data controller should have deleted the data subject's personal data five years after the organized training, i.e. in April 2022. However, according to the data protection commissioner's report to the office of the Data Protection Commissioner on 20 June 2023, the validity of the data subject's training would have been valid until the end of 2020, i.e. longer like three years. Based on this information, the personal data of the registered person should have been deleted at the end of 2022. The Deputy Data Protection Commissioner considers that the data controller has therefore not complied with the retention period he defined himself for the processing of personal data. Based on the information received by the Office of the Data Protection Commissioner, the data subject submitted a request to the data controller in February 2023. The Deputy Data Protection Commissioner considers that the processing of the data subject's request for the right of inspection could not therefore have been the basis for the prolonged storage of the data, but the data should have been deleted earlier.

The Deputy Data Protection Commissioner therefore considers that the data controller has processed the data subject's personal data in violation of Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation. The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subsection d of the General Data Protection Regulation to delete customer data older than the retention period defined by the data controller without undue delay, including data of the data subject. However, the deputy data protection commissioner draws the controller's attention to the fact that the controller must exercise the data subject's right to access information about him/herself before deleting the data.