Tietosuojavaltuutetun toimisto - 3846/157/2019
|Authority:||Tietosuojavaltuutetun toimisto (Finland)|
|Relevant Law:||Article 17 GDPR; Article 21 GDPR; §200 s 1|
|National Case Number/Name:||3846/157/2019|
|European Case Law Identifier:||n/a|
|Original Source:||Finlex (in FI)|
The data subject objected to direct marketing under Article 21 GDPR and requested that their data be deleted under Article 17 GDPR. The Finnish DPA held that the controller had not fulfilled its obligations under these articles.
English Summary
Facts
The data subject received direct marketing messages via SMS on their work phone. The data subject tried to object to the direct marketing by following the controller's instructions in the SMS. Despite this, the data subject continued to receive direct marketing messages. The data subject then emailed the controller directly to object to direct marketing as per Article 21 section 2 GDPR and asked for their data to be deleted in accordance with Article 17.
The data subject had not consented to direct marketing.
The controller claimed that they did not need prior consent from the recipient because the direct marketing communications were not directed towards a natural person, but rather a legal person under section 202 of the national Information Society Code (917/2014). The controller was unable to confirm whether they had received the data subject’s objection and deletion request, or whether these requests had been fulfilled.
Dispute
The DPA considered the following legal questions:
1) Has the controller sent out direct marketing communications?
2) If yes, was the marketing communication directed at a legal or a natural person?
3) Had the controller fulfilled the following two requests made by the data subject:
- Right to be forgotten as per Article 17 GDPR
- Right to object to direct marketing as per Article 21 GDPR
Holding
The DPA held that the controller had sent out direct marketing communications and that they were directed towards a natural person under section 200 subsection 1 of the national Information Society Code (917/2014), so the controller would have needed the data subject's prior consent. The controller had not fulfilled their obligations under Articles 17 and 21 GDPR. The controller must give the data subject an opportunity to unsubscribe easily and without payment.
In accordance with Article 58 section 2 C, the DPA ordered the controller to delete the data subject’s data in accordance with Article 17 GDPR. In accordance with Article 58 section 2 D, the DPA ordered the controller to change their measures for handling data subjects' rights, namely the right to be forgotten and the right to object to direct marketing.
The decision is not final.
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.