Tietosuojavaltuutetun toimisto (Finland) - TSV/88/2022

From GDPRhub
Tietosuojavaltuutetun toimisto - TSV/88/2022
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started: 09.11.2023
Decided: 06.06.2024
Published: 13.06.2024
Fine: n/a
Parties: n/a
National Case Number/Name: TSV/88/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA held that a controller cannot systematically require data subjects to deliver a signed form to the controller's premises in order to exercise the right of access, as facilitating the data subject's rights under the GDPR requires a case-by-case assessment.

English Summary

Facts

The Finnish DPA was notified that a media company (the controller) had requested the data subject to deliver a signed form to the controller's premises in order to exercise the right of access. The data subject made an access request by email but did not provide any other information to confirm their identity. Therefore, the controller did not provide access to the personal data.

The DPA had asked the controller to explain why it had refused to comply with the data subject's request and how it had facilitated the exercise of data subject rights.

In response to the request, the controller clarified that it could not comply with the data subject's request because the data subject had not provided additional information to confirm their identity. The controller stated that the data subject must identify themselves by means of a form containing the data subject's name, personal identification number, address, telephone number and email address.

The controller also noted that the form must be signed and delivered in person to the controller's premises, where the data subject must identify themselves with a government-issued ID.

Holding

On the basis of the information provided by the controller, the DPA considered that the controller's method of identifying the data subject was not based on a case-by-case assessment. Therefore, contrary to the principle of data minimisation, the controller had processed a wider range of personal data than necessary to identify the data subject, in particular since the controller had not provided reasons why it was not possible to identify the data subject.

The DPA emphasised that it was disproportionate to require data subjects to personally deliver a signed form to the controller's premises and to identify themselves with an ID, especially for data subjects who do not live close to the controller's premises.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(c) GDPR, Article 12(2) GDPR and Article 12(6) GDPR. As a result, and in accordance with Article 58(2)(d) GDPR, the DPA ordered the controller to amend its access request and identity verification policies to comply with the aforementioned provisions of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Thing

Submitting a request for the registered person's inspection right and confirming the registered person's identity
Registrar

Media company
The registrant's claim with justification

The data subject has asked the data protection commissioner's office to assess whether the data controller is acting in accordance with the General Data Protection Regulation of the European Parliament and the Council ((EU) 2016/679) when requiring the data subject to come to the data controller's office in order to exercise the data subject's inspection right and confirm the data subject's identity.

The registered person has submitted a request to the controller to get to know the information about him. The data controller has not implemented the data subject's request because, according to the data controller, the e-mail is not sufficient confirmation of the identity of the person who made the request. The registrant has asked the registrant to fill in and sign a form in order to exercise the right of inspection. The controller has also asked the registrant to pick up the information about him from the controller's office, in which case the registrant has been required to identify himself.

The registered person has considered that the request submitted by e-mail is sufficient, and no separate identity verification is needed. The registered has not provided the controller with additional information to confirm his identity.
Statement received from the registrar

The registrar has been asked for an explanation on the matter on 9 November 2023 and an additional explanation on 22 January 2024. The registrar has submitted his statement on 22 January 2024 and his supplementary statement on 23 January 2024.

The registrar has been asked what additional information the registrar requires the registrant to provide in order to confirm his identity when the registrar suspects the identity of the person who made the request regarding the registrant's rights. The controller has also been asked to specify how the controller processes the data subject's inspection requests.

The controller has confirmed that he has received the registered request. However, according to his statement, the controller has not been able to implement the data subject's request, because the data subject has not agreed to provide additional information to confirm his identity.

The controller has stated in his report that the controller has a uniform practice for all requests for inspection rights. The controller has stated that an information request form will be sent by e-mail to the person who requested the right of inspection. The form asks for the requester's name, social security number, address, phone number and email address. In addition, the form must be signed. According to the controller, the form must be delivered personally to the controller's office. In this case, the person making the request must identify himself with either a driver's license, passport, identity card or photo ID card. The registrar considers that the one-month deadline for processing the request starts from the moment the data subject delivers the signed information request form personally to the registrar's office.
The registered equivalent

In the matter, no explanation has been requested from the registered person on the basis of Section 34, Subsection 2, Clause 5 of the Administrative Act (434/2003). In accordance with section 34, subsection 2, point 5 of the Administrative Act, hearing the parties involved is obviously unnecessary, because obtaining reports would not change the way the case is resolved. The matter can be resolved on the basis of the applicable legislation, established practice, and the request of the registered person brought to the attention of the data protection authorized office, as well as the response and explanation of the controller.
Applicable legislation

The processing of personal data is regulated in the General Data Protection Regulation. The Data Protection Regulation is specified in the Data Protection Act (1050/2018).

The principles regarding the processing of personal data are stipulated in Article 5 of the General Data Protection Regulation. Article 25 provides for built-in and default data protection. The right to access information is regulated in Article 15 and the procedure to be followed in exercising the right in Article 12.

Paragraph 2 of Article 58 of the General Data Protection Regulation provides for the remedial powers of the supervisory authority. According to paragraph 2, subparagraph d of the article, the supervisory authority has the authority to order the controller or personal data processor to bring the processing operations into compliance with the provisions of the General Data Protection Regulation, if necessary in a certain way and within a certain period of time.
A legal issue

The issue is, first of all, whether the controller's procedure for submitting a request for the data subject's inspection right and identifying the data subject is in accordance with Article 12 paragraphs 2 and 6 and Article 5 paragraph 1 subparagraph c of the General Data Protection Regulation.

In addition, the issue is whether the data controller has complied with the obligation set in Article 12, Paragraph 2 of the General Data Protection Regulation to facilitate the exercise of the rights of the registered person according to Articles 15-22 of the General Data Protection Regulation.

The Deputy Data Protection Commissioner must decide whether an order according to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation must be issued to the data controller to bring the processing operations into compliance with the provisions of the General Data Protection Regulation. In addition, the deputy data protection commissioner must assess whether other powers belonging to the data protection commissioner should be used in the matter.
Decision and reasons of the Deputy Data Protection Commissioner

The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its policy regarding submitting a request for the registered person's right of inspection and confirming the registered person's identity to comply with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation. In addition, pursuant to this regulation, the controller must re-process the request submitted by the data subject in accordance with the General Data Protection Regulation. (At the end of the decision, the Deputy Data Protection Commissioner gives guidance to the data subject on submitting additional information to confirm identity.)

The deputy data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders a report on the measures taken to be submitted to the data protection commissioner's office by August 28, 2024, unless the data controller applies for an amendment to this decision.
Reasoning

The General Data Protection Regulation has no provisions on how the identity of the data subject must be verified. The General Data Protection Regulation also does not regulate the way in which the data subject must make requests regarding his rights.

According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22. If the controller has reasonable grounds to suspect the identity of the natural person who made the request, the controller can, according to Article 12, paragraph 6, ask the requester to provide additional information that is necessary to confirm the identity. If the data subject provides additional information that can be used to identify him, the controller may not refuse to perform the requested action.

According to recital 57 of the preamble of the General Data Protection Regulation, identification should include digital identification of the data subject, for example by means of an authentication mechanism, such as by using the same identifiers that the data subject uses when logging into the online services provided by the data controller.

Personal data that has been used to register the person in question can also be used to confirm the identity of the registered person when the registered person exercises his rights. The possibility for the controller to request additional information for identity assessment cannot lead to unreasonable demands and the collection of personal data that are not essential or necessary to verify the connection between the person and the requested personal data. The European Data Protection Board has stated in its guidelines on the right of inspection stipulated in the General Data Protection Regulation that requesting additional information must not lead to the collection of irrelevant or unnecessary personal data. (European Data Protection Board, Guidelines 01/2022 on data subject rights – Right of access. Version 2.0, Adopted on 28 March 2023)

According to Article 5(1)(c) of the General Data Protection Regulation, personal data must be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"). The principle of data minimization must also be followed when the data controller requires the data subject to provide additional information to confirm his identity.

In this case, the practice of the registrar has been that in order to exercise the right to inspect the data, the data subject must submit an information request form, which must be filled in with name, social security number, address, telephone number and email address. Such a form must also be signed. In order to identify the registrant, the registrant must submit the form in person to the registrar's office, in which case the registrant is also required to identify himself with either a driver's license, passport, identity card or photo ID card. The information request form contained instructions on the above-mentioned identification practice. Submitting the signed form to the office of the data controller and confirming the identity at the office has thus been the usual procedure of the data controller to implement the registered person's right to inspection.

Taking into account Article 5(1)(c), the data controller shall not request more information from the data subject than is necessary for his identification. In order for the controller not to collect information that is unnecessary for processing, it must carry out a necessity assessment, which can take into account, for example, the type of personal data being processed. In this case, the data controller operates in the media sector. Due to its industry, the controller does not, as a rule, process information belonging to special personal data groups concerning customers. When assessing the necessity of the data to be collected, the controller should avoid excessive collection of personal data.

It appears from the websites of the newspapers managed by the data controller that when a person becomes a customer of the services managed by the data controller, the person is not asked for information about their social security number. The social security number and other information on the identity document must therefore be counted as additional information in accordance with Article 12, paragraph 6, which the controller should only request if it has reasonable grounds to suspect the identity of the data subject who made the request. According to the Deputy Data Protection Commissioner's assessment, the controller's method of identifying the data subject has not been based on a case-by-case consideration, but asking for a social security number and confirming the identity of the data subject with a photo ID has been a regular means of identification. The above-mentioned information has been required from all registered users who have wanted to exercise their right to access information according to the General Data Protection Regulation.

The Deputy Data Protection Commissioner considers that the data controller has processed a wider set of personal data in order to identify the data subject than is necessary to identify the data subject, especially taking into account the fact that the data controller has not provided reasons why it has not been able to identify the data subject, and thus has acted contrary to Article 5, Paragraph 1 of the General Data Protection Regulation the data minimization principle stipulated in subsection c. The deputy data protection commissioner considers that the data controller has processed personal data in violation of Article 5, paragraph 1, subparagraph c, and Article 12, subparagraph 6 of the General Data Protection Regulation.

The controller has also required that the signed form be delivered personally to the controller's office. The person using the right of inspection is also required to have a photo ID. The deputy data protection commissioner considers that the requirement to arrive at the controller's office in order to obtain information covered by the right of inspection has been a standard procedure. It is also known that the registrar has not used an alternative method of operation. The deputy data protection commissioner considers that the practice of the data controller can be considered unreasonably difficult for the data subject, taking into account that according to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22 of the General Data Protection Regulation. Harassment has been particularly evident for those registered who do not live near the controller's office. In addition, attention must be paid to the fact that in order to exercise his rights, the data subject must visit the office of the data controller during its opening hours.

The Deputy Data Protection Commissioner therefore considers that the controller's way of operating has resulted in unreasonable hardship for the data subject, when the data subject had to deliver the signed Data Request form in person to the data controller's office and identify himself with a photo ID. The deputy data protection commissioner considers that the method in question has not been a means in accordance with Article 12, paragraph 2, by which the controller could be considered to have tried to facilitate the use of the data subject's rights. The operation method of the register holder can therefore be considered to have made it unreasonably difficult to exercise the rights of the registered person.

Based on the above description, the Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its policy regarding submitting a request for the data subject's inspection right and identifying the data subject to comply with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation. In addition, pursuant to this regulation, the controller must process the request submitted by the data subject again in accordance with the General Data Protection Regulation.
Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the administrative court in accordance with the provisions of the law on legal proceedings in administrative matters (808/2019). The appeal is made to the administrative court mentioned in the notice of appeal.
Service

The decision is notified in accordance with Section 60 of the Administrative Act (434/2003) by mail against receipt.
Learn more about this decision

The presenter of the issue is Lotta Nyman

The decision is not yet legally binding.
The assistant data protection officer's guidance to the data subject

The controller must be able to confirm the identity of the data subject using his data protection rights. If the controller has a justified reason to doubt the identity of the requester, it can ask him to provide additional information to confirm the identity. If the data controller cannot identify the data subject, the data subject cannot, for example, exercise his right to access the data. When the data controller refuses the data subject's request on the grounds that it cannot identify the data subject, the data controller must demonstrate that it is unable to confirm the identity of the data subject.

In this case, the data subject has not provided the controller with additional information to confirm his identity. The deputy data protection commissioner instructs that if the data controller proves that it is unable to confirm the identity of the data subject based solely on the e-mail, the data subject must provide additional information in order to exercise his right. The registrant can also voluntarily submit additional information for identification. If the data subject provides additional information that can be used to identify him, the controller may not refuse to perform the requested action.