Tietosuojavaltuutetun toimisto - 3343/163/20

Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Decided: 24.02.2021
Published: 24.02.2021
Fine: None
Parties: n/a
National Case Number/Name: 3343/163/20
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: V

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The data subject's right of access to information and information on the recording of conversations

Matter

The data subject's right of access to information and information on the recording of conversations
Applicants' claims and justifications

On 30 April 2020, two applicants lodged a case with the Office of the Data Protection Officer concerning the verification of a record of a transfer meeting of an apartment recorded by the controller.

On 26 March 2020, one of the applicants requested access to the recordings held by the controller. One of the applicants has been the recipient of a copy of an e-mail addressed to the controller. On March 27, 2020, the registrar replied to the applicants that the recordings were part of the evidence. One of the applicants has told the EDPS that he has recorded his call with the controller.
Statement received from the controller

On 11 January 2021, a clarification was requested from the data controller. The registrar has responded to the request for clarification on 19 January 2021.

In the report issued, the registrar has stated that he recorded the final review of the applicants' contract on a telephone voice recorder, because according to the report there was reason to suspect that the customer will make unfounded claims in connection with the contract. The registrar has said that the recorder has always been in the pocket of the registrar's CEO and that the CEO has been one of the parties to the recorded conversation. The report provided explains how the recording is stored and that the recording has been deleted from the phone.

The report provided has established that the record is still an important part of the evidence in the handling of an unfinished dispute, and the controller will not hand over the recording until the end of the processing. At the end of the investigation, it has been established that the recording will be destroyed once the dispute has been settled and that the controller would like similar information on the processing of the call recording recorded by another applicant.
Applicants' reply

On 22 January 2021, the EDPS Office reserved the opportunity to respond. In their reply, received on 2 February 2021, the applicants stated that they had never been informed of the recording, the uses of the recordings or the storage process. It is unclear to applicants how many recordings there are. Applicants have stated that they wish to inspect the recordings and question the controller 's reasoning for secretly recording appointments and discussions.
Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of directly applicable law in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).
Legal issue

The EDPS will assess and resolve the applicants' case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matter needs to be resolved

1. whether the controller has complied with the request for access made by the requesting applicant in accordance with Article 15 of the General Data Protection Regulation; and

2. whether the data recorded by the controller on customer records have complied with Articles 5 (1) (a), 12 (1) and 13 of the General Data Protection Regulation.

In addition, it has to be decided whether other powers of the EDPS under Article 58 of the General Data Protection Regulation should be exercised.
Decision and justification of the EDPS
Right of access to information
Decision

The data controller has not exercised the applicant's right of access under Article 15 of the General Data Protection Regulation.
Regulation

Pursuant to Article 58 (2) (c) of the General Data Protection Regulation, the EDPS instructs the controller to comply with the data subject's request for the data subject's right of access under Article 15 (1) of the General Data Protection Regulation and to provide the applicant with the information in accordance with Article 12 (1) and Article 15 (3) of the General Data Protection Regulation.
Reasoning

The EDPS notes, firstly, that the issue of the data subject's right of access to data has been assessed in the decision of the Assistant Data Protection Supervisor of 20 February 2020 in case 3021/452/2017.

Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate measures to provide the data subject with all processing data in accordance with Article 15 in a concise, transparent, easily understandable and accessible form in clear and simple language. The information shall be provided in writing or by other means and, where appropriate, in electronic form. If the data subject so requests, the information may be provided orally, provided that the data subject's identity is otherwise established. According to Article 12 (2) of the General Data Protection Regulation, the controller must facilitate the exercise of the rights under Articles 15 to 22.

Article 15 (3) of the General Data Protection Regulation requires the controller to provide a copy of the personal data processed. Under Article 15 (4) of the General Data Protection Regulation, the right to a copy must not adversely affect the rights and freedoms of others, such as, according to recital 63 of the Data Protection Regulation, trade secrets or intellectual property, and in particular software copyright. Information in accordance with Article 15 (1). However, according to recital 63 of the General Data Protection Regulation, this should not lead to no information being provided to the data subject.

In addition to Article 15 (4) of the General Data Protection Regulation, the right of access to data may be restricted on the grounds set out in section 34 of the Data Protection Act. According to that paragraph, the right of access to information does not exist, for example, if the provision of the information could seriously endanger the health or care of the data subject or the rights of the data subject or anyone else (Section 34 (1) (2)). In this context, the EDPS draws particular attention to the fact that restrictions on the right of access under Article 8 (2) of the Charter of Fundamental Rights of the European Union (2012 / C 326/02) must be interpreted strictly.

The EDPS notes that it is undisputed that the record of a customer meeting contains personal data within the meaning of Article 4 (1) of the General Data Protection Regulation. In its decision of 30 July 2010 (2094/1/09), the Supreme Administrative Court has considered the sound recorded on the tape to be personal data. Similarly, on 11 March 2009, the Court of First Instance of the European Communities ruled in Case T-166/05 that a person could be identified by his voice (paragraph 39), in which case the voice was considered personal data. The entry into force and application of the General Data Protection Regulation has not changed the definition of personal data in a way that would require sound recorded on tape to be assessed differently as personal data. The recording of customer appointments is thus a processing of personal data within the meaning of the General Data Protection Regulation.

The controller has stated that he has recorded the discussion as evidence for the handling of an unfinished dispute, and the controller will not release the recording until the processing is completed. The EDPS considers that the provision of a copy of a recording does not adversely affect the rights and freedoms of others, such as business secrets. Based on the report provided, the personal data of the registrar's CEO are part of the record. In his decision pursuant to the repealed Personal Data Act (12.9.2013 dnro 2240/523/2013), the Data Protection Commissioner has considered that telephone conversation recordings in practice always include personal data concerning another person, and this cannot be considered an obstacle to the exercise of the right of inspection. The EDPS therefore considers that there is no ground under section 34 of the Data Protection Act in the matter to restrict the right of access to the information, for example because the disclosure of the information could seriously jeopardize someone else's rights.

Article 15 (3) of the General Data Protection Regulation requires the controller to provide a copy of the personal data to the data subject. The repealed Personal Data Act would have required the controller to provide the information requested by the data subject, for example in spelled form. However, as the General Data Protection Regulation allows the controller to provide the data in electronic form, the controller may, at its discretion, also provide a copy of the data in another format, such as a recording.

It is common ground that the recording was not provided to the applicant, despite his request. As stated above, the EDPS considers that no grounds have been put forward for refusing the request in accordance with Article 15 (4) of the General Data Protection Regulation or Section 34 of the Data Protection Act. Accordingly, the EDPS considers that the controller has not exercised the applicant's right of access.
Informing about recording customer appointments
Decision

Information on the recording of customer meetings by the controller is not in line with Articles 5 (1) (a), 12 (1) and 13 of the General Data Protection Regulation.
Note

The EDPS will issue a remark to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation.
Reasoning

The EDPS notes that the question on informing about the storage has been assessed in the EDPS Decision of 9 September 2020 in case 4930/163/2020 and in the above-mentioned EDPS Decision of 2 February 2020 in Case 3021/452/2017.

According to Article 5 (1) (a) of the General Data Protection Regulation, the controller must process personal data lawfully, properly and transparently for the data subject.

Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate measures to provide the data subject with the information referred to in Article 13 in a concise, transparent, easily understandable and accessible form in clear and simple language. The information shall be provided in writing or by other means and, where appropriate, by electronic means. If the data subject so requests, the information may be provided orally, provided that the data subject's identity is otherwise established.

According to Article 13 of the General Data Protection Regulation, when personal data are collected from the data subject, the controller must provide the data subject with the information referred to in Article 13. The European Data Protection Board's Guideline on Transparency (WP260 rev. 01) states that information under Article 13 must be provided "when personal data are received". Providing information quickly and in a timely manner is an important part of the obligation of transparency.

Transparency is not defined in the General Data Protection Regulation. However, recital 39 of the General Data Protection Regulation states that it should be transparent to natural persons how personal data concerning them are collected, used and accessed or otherwise processed, and the extent to which personal data are or are to be processed. In accordance with the principle of transparency, the information and communication relating to the processing of such personal data must be easily accessible and comprehensible and use clear and simple language. This principle applies in particular to the data subject's data on the identity of the controller and the purposes of the processing, as well as additional information, ensuring the adequacy and transparency of the processing of those natural persons, as well as their right to receive confirmation and notification of the processing of their personal data.

The General Data Protection Regulation does not regulate the forms and other details of the transmission of data. However, it is clear that the controller must take into account all the circumstances of the collection and processing of personal data when choosing the appropriate way and form of transmission. Appropriate measures must be assessed, in particular, through the experience of the user of the product or service.

The transparency requirements of the General Data Protection Regulation apply throughout the life cycle of the processing, regardless of the legal basis of the processing. The principle of transparency applies before or at the time the data is processed, ie when personal data are collected.

Applicants have stated that they have been informed by e-mail from the registrar that a home transfer meeting at the applicants' home has been recorded. Based on the explanation provided, the applicants were not informed at the meeting before the start of the recording that the discussion would be recorded.

According to Article 13 of the General Data Protection Regulation, the processing of personal data must be notified to the data subject when the personal data are received. According to Article 12 of the General Data Protection Regulation, information pursuant to Article 13 must be provided, inter alia, in a transparent manner. In order for the data subject to receive transparent information on the processing of personal data, the controller must provide information on the processing before or at the time of the start of the processing.

Guidelines on transparency under Regulation 2016/679 (issued on 29 November 2017, last revised and adopted on 11 April 2018, adopted by the European Data Protection Board on 25 May 2018).

As the controller did not inform the data subject at the time of the start of the recording of customer meetings, its procedure does not comply with the principle of transparency of the processing of personal data under Article 5 (1) (a) of the General Data Protection Regulation. The controller's information on the recording of customer meetings does not comply with Articles 12 (1) and 13 of the General Data Protection Regulation, as the controller does not provide Article 13 information on the processing of personal data to the data subject in a transparent form.

On 10 February 2021, the controller confirmed by telephone to the Office of the Data Protection Officer that there is only one recording, so the recording of customer meetings does not appear to be a common processing operation of the controller on the basis of the investigation. In view of the above, the EDPS considers the remark as a sufficient sanction in this case.
Applicable law

Mentioned in the explanatory memorandum.
Appeal

According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court.

The decision is not yet final.
Guidance of the Data Protection Officer

In its report, the registrar has stated that he wants the applicants to provide similar information about the recorded call. It should be noted that according to Article 4 (7) of the General Data Protection Regulation, "controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are defined by Union or Member State law, the controller or the specific criteria for his appointment may be established in accordance with Union law or the law of a Member State.

According to Article 2 (2) (c) of the General Data Protection Regulation, this Regulation does not apply to the processing of personal data by a natural person exclusively in the course of his or her personal or household activities.

An individual may record calls in which he or she participates as either the caller or the recipient. According to the Finnish Constitution, the recording of one's own communications is possible, nor has it been criminalized in the provisions of the Criminal Code (39/1889) concerning the protection of communications. However, the difference is how the recordings will be used in the future. More information on general questions concerning calls is available on the website of the Office of the Data Protection Commissioner: https://tietosuoja.fi/usein-kysyttya-puhelut.

This DPO's guidance may not be appealed.