Tietosuojavaltuutetun toimisto (Finland) - 3846/157/2019

From GDPRhub
Revision as of 07:04, 24 August 2020 by Ilkku (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Tietosuojavaltuutetun toimisto - 3846/157/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 17 GDPR
Article 21 GDPR
§200 s 1
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.07.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 3846/157/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

Data subject objected to direct marketing as per Article 21 GDPR and requested for their data to be deleted as per Article 17 GDPR. The Finnish DPA held that the controller had not fulfilled their duty in accordance with the articles.

English Summary

Facts

The data subject received direct marketing messages via SMS to their work phone. The data subject tried to object to the direct marketing as per controller's instructions on the SMS. Despite this, the data subject received more direct marketing messages thereafter. The data subject emailed the controller directly to object to direct marketing as per Article 21 section 2 GDPR and asked for their data to be deleted in accordance with Article 17.

The data subject had not consented to direct marketing.

The controller claimed that they did not need prior consent from the recipient as the direct marketing communications was not directed towards a natural person, but rather a legal person under section 202 of the national Information Society Code (917/2014). The controller was unable to confirm whether they had received the data subject’s objection and deletion request, or whether these requests were fulfilled by the controller.


Dispute

DPA considered the following legal questions: 1) Has the controller sent out direct marketing communications? 2) If yes, was the marketing communication directed at a legal or a natural person? 3) Whether the controller had fulfilled the following to requests made by the data subject: - Right to be forgotten as per Article 17 GDPR - Right to object to direct marketing as per Article 21 GDPR


Holding

DPA held that the controller had sent out direct marketing communications and that it was directed towards a natural person under section 200 subsection 1 of the national Information Society Code (917/2014), and thusly the controller would have needed the data subject's prior consent. The controller had not fulfilled their obligations under Article 17 and 21 GDPR. The controller must give the data subject an opportunity to unsubscribe easily and without payment.

In accordance with Article 58 section 2 C, the DPA ordered the controller to delete the data subject’s data in accordance with Article 17 GDPR. In accordance with Article 58 section 2 D, the DPA ordered the controller to change their measures when handling data subject’s rights, namely the right to be forgotten and the right to object to direct marketing.

The decision is not final.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.