Editing Tietosuojavaltuutetun toimisto - 4359/163/2018

From GDPRhub


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 52: Line 52:
 
}}
 
}}
  
The Data Protection Authority of Finland instructed a debt collection agency to delete personal data pursuant to the request of the data subject. According to applicable obligations arising from the Finnish Accounting Act, the personal data concerned should not to be retained.
+
The Data Protection Authority of Finland instructed a debt collection agency to to cthe applicant's request for the deletion of his or her personal data which are not to be retained pursuant to accounting obligations arising from the Finnish Accounting Act.
  
 
==English Summary==
 
==English Summary==
  
 
===Facts===
 
===Facts===
The complainant had requested access to his/her personal data from the respondent and received i.a. emails and other information which had been stored in the respondent's archives and also criticised, that the respondent's privacy notice did not did not mention the retention period and also led him/her to believe that the respondent could have disclosed personal data to external credit institutions. On request, the respondent stated, that personal data relating to the complainant are kept in the respondent's records for six years.
+
The complainant had requested access to his/her personal data from the respondent and received i.a. emails and other information which had been stored in the respondent's archives and also criticised, that the respondent's privacy notice did not did not mention the retention period and also led him/her to belive that the respondent could have disclosed personal data i to external credit institutions. On request, the respondent stated, that personal data relating to the complainant are kept in the respondent's records for six years.
  
 
Subsequently the complainant requested the erasure of personal data related to him/her; in the applicant's vie only so-called accounting data and related data can be retained under accounting law.
 
Subsequently the complainant requested the erasure of personal data related to him/her; in the applicant's vie only so-called accounting data and related data can be retained under accounting law.
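Review bot: the "Your text" side of the lead sentence at Line 52 is garbled ("to to cthe applicant's request") and no longer states what the agency was instructed to do, and the Facts paragraph brings back "belive" and a stray "i" in "personal data i to external credit institutions". Keep the latest revision's wording for both paragraphs. The phrases "did not did not mention" and "in the applicant's vie" appear on both sides and still need fixing, as does "should not to be retained" in the latest revision.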
Line 66: Line 66:
 
On the one hand, under Article 12 of the Act on the Registration of Debt Recovery Operators, unless a longer retention period is mandatory, data are to be retained for <u>five years from the date on which the debt collection activities were completed.</u>
 
On the one hand, under Article 12 of the Act on the Registration of Debt Recovery Operators, unless a longer retention period is mandatory, data are to be retained for <u>five years from the date on which the debt collection activities were completed.</u>
  
On the other hand, Section 10 (1) of the Accounting Act requires that certain data relating to accounting <u>are kept for at least ten years from the end of the financial year</u>. Further, under Chapter 2, Section 10 (2) of the Accounting Act, unless otherwise provided by law, records for the financial year, correspondence relating to transactions, and accounting records other than those referred to in paragraph 1 <u>shall be kept for at least six years from the end of the financial year</u>.
+
On the other hand, Section 10 (1) of the Accounting Act requires that ceratin accounting related da<u>ta are kept for at least ten years from the end of the financial year</u>. Further, under Chapter 2, Section 10 (2) of the Accounting Act, unless otherwise provided by law, records for the financial year, correspondence relating to transactions, and accounting records other than those referred to in paragraph 1 <u>shall be kept for at least six years from the end of the financial year</u>.
  
 
The Data Protection Authority had to decide which of these retention periods was applicable in the case at hand.
 
The Data Protection Authority had to decide which of these retention periods was applicable in the case at hand.
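Review bot: in the Accounting Act paragraph the "Your text" side misspells "certain" as "ceratin" and opens the <u> tag inside the word "data" ("da<u>ta"), so the underline starts mid-word. Keep the latest revision, where the tag opens before "are kept for at least ten years".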
Line 72: Line 72:
 
The Data Protection Authority held that the respondent was entitled to retain the information in question for a period of five years after the debt collection measures have been completed.
 
The Data Protection Authority held that the respondent was entitled to retain the information in question for a period of five years after the debt collection measures have been completed.
  
The complainant's personal data, however, were not considered to be information within the meaning of Section 10 of the Accounting Act.  Only the personal data of the complainant contained in the supporting documents on the basis of which the debt respondent's accounting obligations have been recorded, can be retained for the six-year period provided for in Section 10 (2) of the Accounting Act. Data other than this data should not be retained beyond the above five-year retention period.
+
The complainant's personal data, however, were not to considered to be information within the meaning of Section 10 of the Accounting Act.  Only the personal data of the complainant contained in the supporting documents on the basis of which the debt respondent's accounting obligations have been recorded, can be retained for the six year period provided for in Section 10 (2) of the Accounting Act. Data other than this data should not be retained beyond the above five year retention period.
  
The Data Protection Authority emphasised, that emails between a data subject and a controller are not to be considered as accounting material within the meaning of Section 10 (2) of the Accounting Act and must be deleted after the five-year retention period under Article 12 of the Act on the Registration of Debt Recovery Operators.
+
The Data Protection Authority emphasised, that emails between a data subject and a controller are not to be considered as accounting material within the meaning of Section 10 (2) of the Accounting Act and must be deleted after the five year retention period under Article 12 of the Act on the Registration of Debt Recovery Operators.
  
 
==Comment==
 
==Comment==
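Review bot: the "Your text" side of the holding reads "were not to considered", which is ungrammatical, and it drops the hyphens from "six-year" and "five-year" in both changed paragraphs. Keep the latest revision's "were not considered to be information" and the hyphenated forms.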
