Tietosuojavaltuutetun toimisto - 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019
|Tietosuojavaltuutetun toimisto - 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019|
|Authority:||Tietosuojavaltuutetun toimisto (Finland)|
|Relevant Law:||Article 4(11) GDPR|
Article 58(2)(c) GDPR
Article 58(2)(d) GDPR
Information Society Code (917/2014)
|National Case Number/Name:||3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019|
|European Case Law Identifier:||n/a|
|Original Source:||Finlex (in FI)|
The Finnish DPA imposed a 7,000 euro fine to a company that sent out direct marketing communications without obtaining prior consent from the data subjects and for also neglecting data subjects’ rights.
English Summary[edit | edit source]
Facts[edit | edit source]
The Finnish DPA received 11 complaints regarding Independent Consulting Oy’s direct marketing communication practices. The direct marketing communications were sent to the data subjects via SMS. The SMS contained instructions on how to opt-out from the direct marketing communications. However, the opt-out feature did not work and users kept receiving marketing messages. The controller claimed that the direct marketing communications were targeted at companies, and under section 202 of the Information Society Code, no prior consent was needed in such a case. Furthermore, some of the data subjects had submitted requests to the controller regarding exercising their rights under GDPR. The controller failed to answer the data subjects in a timely manner.
Dispute[edit | edit source]
According to the applicable national law, Section 200 of the Information Society Code (917/2014), user's consent must be obtained prior to the sending of any marketing communication. The DPA has to assess whether the phone numbers used for the direct marketing belonged to the individual or to the employer and whether the content of the communication referred to the individual working activities or not.
Holding[edit | edit source]
The DPA found that the phone numbers used were specific to the employee and not to the company. Moreover, the marketing message did not relate to the data subject’s work activities. Finnish DPA imposed a 7.000 euro fine to the company for sending out direct marketing communications without prior consent and also for neglecting data subjects’ rights. When imposing the fine, the DPA considered it as a mitigating factor that the data subjects had not suffered any financial harm. Furthermore, as per Article 58(2)(c) and (d) GDPR, the DPA ordered the controller to comply with the data subjects’ requests and to bring its practices in line with the Regulation. The decision is not yet final.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.