Tietosuojavaltuutetun toimisto (Finland) - 3818/161/2020

From GDPRhub
Revision as of 21:40, 15 June 2020 by Ilkku (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Tietosuojavaltuutetun toimisto - 3818/161/2020
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 12(1) GDPR
Article 13(1)(d) GDPR
Article 13(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 100000 EUR
Parties: n/a
National Case Number/Name: 3818/161/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun Toimisto (in FI)
Initial Contributor: n/a

Finnish DPA holds that Posti was not transparent in accordance with Article 5 GDPR as data subjects were not informed about their right to object to direct marketing. Posti was fined €100,000 for transparency violations.

English Summary

Facts

Finnish DPA received multiple complaints regarding Posti’s (the national postal company) change-of-address notifications data processing activities. Several data subjects received direct marketing communications from different companies after submitting a change-of-address notification to the controller. Data subjects were not informed of their right to object to the marketing when submitting a change-of-address notification.

Dispute

There were two legal questions: 1) Whether the processing of personal data in connection with change-of-address notification was transparent and in accordance with Article 5(1)(a) and Article 12(1) GDPR. 2) Whether the controller has provided the data subject with adequate information under Article 13(1)(d) and 2(b) GDPR in connection with the change-of-address notifications.

Holding

As per Article 13 GDPR, the controller must provide information to the data subject at the time of data processing. This Article applies to online forms that the data subject fills in when submitting a change-of-address notification. As per subsection 1 (d), the data subject must be informed of all recipients that may receive the data and consequently, the data subject must also be informed of their right to object for this type of processing.

The Finnish DPA held that the controller had not been transparent in accordance with Article 5(1)(a) and 12(1) GDPR, and that the information regarding the data recipients and the data subjects’ right to object was not provided to all data subjects in a timely manner at the point of data collection.


Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Retrieved from "https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_3818/161/2020&oldid=10552"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki