Tietosuojavaltuutetun toimisto (Finland) - 8235/154/18: Difference between revisions

From GDPRhub
mNo edit summary
(4 intermediate revisions by 2 users not shown)
Line 60: Line 60:
}}
}}


Finnish DPA ordered a data controller to comply with the customer's request to have their personal data deleted in so far as their processing is not required by Finland's national legislation concerning patient records and the rights of patients.
The Finnish DPA (Tietosuojavaltuutetun Toimisto) ordered a data controller to comply with the customer's request to have their personal data deleted in so far as their processing is not required by Finland's national legislation concerning patient records and the rights of patients.


==English Summary==
==English Summary==
Line 66: Line 66:
===Facts===
===Facts===


*
In November, 2018, a customer (data subject) purchased glasses from an optician (data controller), and later noticed that the optician had stored his personal data in their system. Data subject requested the controller to delete his data, on the basis that he had not given his consent for storing the data.
To proceed with his request for deletion, data subject was asked to fill in an online form where data subject had to provide even more personal data. Data subject refused and instead, wrote a public blog post which was accepted by the DPAs as a valid data subject request.


===Dispute===
===Dispute===
Line 72: Line 73:


===Holding===
===Holding===
Finnish Data Protection Ombudsman considered that the data controller had a legal basis for processing the data subject' personal data which were necessary for their identification. However, the controller had not adequately informed the data subject about the processing of requests for deletion, nor about reasons behind rejection of the data subject's request.
Finnish Data Protection Ombudsman considered that the data controller had a legal basis for processing the data subject' personal data under national law which requires retention of certain personal data of their customers for a period determined by the Patient Data Record Act.
Controller also had legal basis to process patient data which were necessary for their identification when data subject wishes to use their rights. However, the controller had not adequately informed the data subject about the processing of requests for deletion, nor about reasons behind rejection of the data subject's request.


==Comment==
==Comment==
Line 84: Line 86:


<pre>
<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fi" lang="fi"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><title> Data Protection Officer 16.2.2021 - FINLEX ® </title><meta name="description" content="Finlex ® is a public and free Internet service for legal material owned by the Ministry of Justice." /><meta name="DC.Title" content="FINLEX ® - Tietosuojavaltuutettu 16.2.2021" /><meta name="DC.Language" content="fi" /><meta name="DC.Identifier" content="/fi/viranomaiset/tsv/2021/20210723" /><meta name="DC.Publisher" content="Oikeusministeriö" /><meta name="DC.Subject" content="Asiakkaan pyyntö henkilötietojen poistosta ja henkilötietojen käsittelyperuste" /><link rel="Shortcut Icon" href="/favicon.ico" type="image/x-icon" /><link rel="apple-touch-icon" href="/assets/img/touch-icon.png" type="image/png" /><link rel="image_src" href="/assets/img/logo-144x118.png" /><link rel="stylesheet" href="/assets/css/fonts.css" type="text/css" media="all" /><link rel="stylesheet" href="/assets/css/screen.css" type="text/css" media="screen, projection" /><link rel="stylesheet" href="/assets/css/finlex.css" type="text/css" media="screen, projection" /><link rel="stylesheet" href="/assets/css/print.css" type="text/css" media="print" /><!--[if lt IE 8]> <link href="/assets/css/ie.css" media="screen" rel="stylesheet" type="text/css" /><![endif]--><script type="text/javascript" src="/assets/js/mootools-core-1.4.1.js"></script><script type="text/javascript" src="/assets/js/finlex.js"></script><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Search everything" href="/fi/opensearch/kaikki/" /><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Up-to-date legislation search" href="/fi/opensearch/ajantasa/" /><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Case Law Search" href="/fi/opensearch/oikeus/" /><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Authorities Search" href="/fi/opensearch/viranomaiset/" /></head><body id="lang-fi"><div id="header"><div id="header-content" class="container"><h1> <a href="/fi/" title="Finlex"><span>Finlex ®</span></a></h1><div id="lang" title="Select language"><ul><li class="choose-lang-fi"> <a href="/fi/">In Finnish</a></li><li class="choose-lang-sv"> <a href="/sv/">In Swedish</a></li><li class="choose-lang-en"> <a href="/en/">In English</a></li></ul></div><div class="siirry"> <a class="skip" href="#skip">Skip to content</a></div><div id="locationBar0" title="You are here:"> <span class="skip">You are here:</span> <a class="home" href="/fi/">Finlex</a> › <a href="/fi/viranomaiset/">Authorities</a> › <a href="/fi/viranomaiset/tsv/">Data Protection Commissioner</a> › <a href="../2021/" title="Data Protection Supervisor 2021">2021</a> › <span title="Data Protection Officer 16.2.2021">16.2.2021</span></div><div id="navi-container"><ul id="navi"><li> <a href="/fi/">front page</a></li><li> <a href="/fi/laki/" accesskey="l">Legislation</a></li><li> <a href="/fi/oikeus/" accesskey="o">Case law</a></li><li class="selected"> <a href="/fi/viranomaiset/" accesskey="v">Authorities</a></li><li> <a href="/fi/sopimukset/" accesskey="s">Government contracts</a></li><li> <a href="/fi/esitykset/" accesskey="e">Government proposals</a></li><li> <a href="http://julkaisut.finlex.fi" accesskey="j">Proceedings</a></li></ul></div></div><div id="section-header"><div id="search"><h3 class="title search"> Search the material </h3><form action="/fi/viranomaiset/tsv/haku/" method="get"><div class="search"><input type="hidden" name="search[type]" value="pika" /><input title="Keyword..." type="text" name="search[pika]" class="search-phrase" value="" accesskey="h" /></div><input type="submit" name="submit" class="submit" value="Search ›" /><p class="search-example"> Search the text for eg personal * and give up *. As a Keyword Break *. Also try <a href="/fi/viranomaiset/tsv/haku/">Advanced Search</a> . See <a href="/fi/ohjeet">instructions</a> .</p></form></div><div class="info"><div class="container"><div id="breadcrumbs"> <span class="skip">You are here:</span> <a class="home" href="/fi/">Finlex</a> › <a href="/fi/viranomaiset/">Authorities</a> › <a href="/fi/viranomaiset/tsv/">Data Protection Commissioner</a> › <a href="../2021/" title="Data Protection Supervisor 2021">2021</a> › <span title="Data Protection Officer 16.2.2021">16.2.2021</span> </div></div></div></div></div><div id="main"><div id="main-content"><div id="document-header"><h2 id="skip" title="FINLEX ® - Data Protection Officer 16.2.2021"> 2/16/2021</h2></div><div id="document"><div id="oikeus-tsv"><h3 class="asiasanat"> Customer&#39;s request for deletion of personal data and the basis for processing personal data</h3><table class="metadata"><tr><th style="vertical-align:text-top"> Keywords:</th><td> Personal information<br/> Right to delete data<br/> Basis of treatment<br/></td></tr><tr><th> Legal basis:</th><td> Decision under the EU General Data Protection Regulation</td></tr><tr><th> Diary number:</th><td> 8235/154/18</td></tr></table><h4 id="OT1"> Thing</h4><p> The applicant has asked the optician to delete their information, but has not received a response to their request.</p><h4 id="OT2"> Applicant &#39;s claims and reasons</h4><p> The applicant has been in contact with the Office of the Data Protection Commissioner on 19 November 2018 regarding the processing of personal data in the activities of the optician&#39;s shop (later also the “registrar”).</p><p> The applicant has done business with the controller&#39;s business and noticed that information about him or her has been stored in the controller&#39;s system. The applicant has contacted the registrar on 8 November 2018 and stated that he has not given his consent to the storage of his data.</p><p> The applicant has asked the controller to delete all his data. The applicant has inquired from the registrar why the online form collects information that the applicant says customers do not want to provide to the company. According to the applicant, the registrar&#39;s online form requires the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.</p><p> The applicant has stated that it should be possible to control the rights without filling in all the fields marked as mandatory on that form.</p><p> The applicant has not received a response to his / her inquiry from the controller and asks the EDPS to assess whether the controller has acted correctly.</p><h4 id="OT3"> Statement received from the controller</h4><p> The Office of the Data Protection Commissioner has sent a request for clarification to the Finnish country company of the optician group on 1 July 2019, to which the company declared to be the head office of the optician group submitted the report on 13 August 2019. The Office of the Data Protection Commissioner has requested an additional report from the Finnish country company on 23 April 2020, to which the head office of the optics group has submitted the report on 25 May 2020.</p><p> A report on the online form has been requested from the optics group&#39;s head office on October 1, 2020. A report has been requested from the local optician&#39;s shop on the exercise of the applicant&#39;s right on 1.10.2020. The head office of the Optician Group has submitted a response to the requests for clarification on 9 October 2020.</p><h5 id="OT4"> Cross - border nature of the case</h5><p> The local office of the optician&#39;s shop is part of an international optician&#39;s group, which has made it necessary to determine whether the Data Protection Officer or the data protection authority of another country is the competent supervisory authority.</p><p> Based on the report received from the head office of the optician group, the local optician&#39;s company, the Finnish country company and the company defined as the head office of the optician group are responsible for making decisions on the processing of personal data in the applicant&#39;s case. The Registrar shall have its principal place of business in Guernsey.</p><p> Based on the explanation received, the local store is the registrar when the customer orders the product from the local store. The company, which has been announced as the head office of the Optician Group, participates in the processing of personal data as a joint registrar and provides IT, marketing and other support services to local stores. The Group Data Protection Officer is a shared resource of the optician group that supports local entrepreneurs in enforcing the data subject’s rights. The online form is a mechanism by which the data subject&#39;s rights can be exercised on behalf of the local movement.</p><p> The optician group is not headquartered in the EU, so the procedure for cooperation between data protection authorities under Article 56 of the General Data Protection Regulation does not apply.</p><h5 id="OT5"> Basis for processing personal data</h5><p> According to the explanation received from the controller, the processing of the applicant&#39;s personal data has been based on an agreement under Article 6 (b) and a legitimate interest of the controller under Article 6 (f) to continue processing the data in order to provide a service to the customer.</p><h5 id="OT6"> Informing data subjects</h5><p> According to the data subject&#39;s explanation, data subjects are provided with the information required by Articles 12 to 14 of the General Data Protection Regulation on a sign placed at the shop counter and on cards stating what data is collected, by whom and for what purpose. According to the controller, the customer goes through several privacy clauses at the time of booking and the controller states that he refers to his privacy policy, which provides customers with additional information in accordance with Articles 12-14 of the General Data Protection Regulation.</p><h5 id="OT7"> The data subject&#39;s right to have his data deleted</h5><p> According to the statement provided by the registrar, the applicant has ordered the reading glasses through the local store of the registrar. According to the registrar, the applicant has returned to the circulation and questioned the amount of data collected to execute the order. According to the registrar, the applicant has requested the deletion of his data but has refused to use the online form provided. The applicant has sent the business entrepreneur the message described above in connection with the applicant&#39;s claims, in which he requests, among other things, the deletion of his data.</p><p> According to a report received from the registrar, the business entrepreneur has informed the applicant that health care legislation requires the registrar to keep health records for a certain period of time. Retention of health information enables clients, health care providers, and authorities to evaluate the care they receive if they encounter problems in the future. According to the registrar, the business operator has informed the applicant that, at the request of the applicant, it can only anonymise the applicant&#39;s data within the retention period.</p><p> Based on the report provided by the registrar, the applicant has written a blog post about the incident, to which the Finnish country manager of the optics group has published a response. In his reply, the Finnish Country Director states that the registrar sells spectacles based on a thorough examination carried out by the optician&#39;s own or an external optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is equivalent to doing business with a healthcare professional.</p><p> The Finnish country manager of the optician&#39;s movement says that opticians have an obligation to collect information that is considered patient data and keep it for the period required by law. According to the writing, it is not possible to sell individual glasses to customers without processing their personal information.</p><p> In response, the Finnish country manager of the optician&#39;s store states that they process personal data as required by the general data protection regulation only for the purposes for which they were collected and about which customers have been informed in the store and on the registrar&#39;s website. If customers wish to exercise their rights under the General Data Protection Regulation, such as the right to have data deleted, the controller has a process set up for this purpose on its website. The reason why the controller collects data again in this process is that the controller has a duty to verify the identity of the data subject. Without this, there could be a risk of incorrect data deletion.</p><p> According to the reply, the applicant will be informed of the deletion of the data and the data collected on the online form will also be deleted.</p><h5 id="OT8"> Processing of personal data in connection with the online form</h5><p> Based on the report received, not all customers have a default email address, so the registrar needs other information in addition to the email address to ensure customer service. The registrar uses customer data for this purpose. According to the registrar, it uses the online form to request identifying information which it can compare with the information in its possession. Usually, the information used for comparison is name, phone number, and email address. If at least three items of the information provided on the form match the customer data held by the controller, the controller considers this to be a sufficient reason to proceed with the customer&#39;s request.</p><p> If any of the information does not match the customer information, the registrar may call the customer to verify their identity. This may be the case, for example, when a customer sends a request online and the email address matches the customer information but the phone number does not. If the controller is still unable to verify the identity, it may require the customer to present an identity card at the store.</p><p> According to the registrar, in most cases the identity of the data subject can be easily established without formal identification. The controller shall consider that the information it collects for this purpose is relevant, adequate, necessary and proportionate. The goal of the registrar has been to create an authentication process that is not intrusive to customers. The controller wants to point out that it does not collect information about customers that it does not already have in its register.</p><p> According to the explanation received, the data subject may make his request orally or in writing. The majority (approx. 99%) of the data subject&#39;s requests have been made via the online form. Since May 2018, the controller has reported a total of 12,547 requests across Europe.</p><p> According to the report provided by the registrar, the online form has changed after 2018. In the currently used form, the free-form field for specifying the request has been replaced by check boxes and the registrant will be asked to specify his relationship with the controller. In addition, looking at the updated form, it can be seen that instead of a personal identity number, the registrant is asked to fill in the date of birth.</p><p> The required information is marked with an asterisk. When at least three of the data completed in the request match the customer data, the controller shall consider this to be a sufficient reason to proceed with the customer&#39;s request. Surname, address, e-mail address and date of birth are used for this purpose.</p><p> Information on which store the data subject has done business and what services the data subject has purchased will help the registrar to link the request to the local optician and the service used to execute the request.</p><p> The registrar considers that all the mandatory information on the form is necessary and that the form is simple and easy to use. The data subject&#39;s rights are exercised by the controller&#39;s data protection team and the data is used only to enforce the rights. The information is not available to other teams in the Group.</p><h4 id="OT9"> Applicant &#39;s reply</h4><p> The applicant is given the opportunity to respond in the matter. The applicant submitted the defense on 19.11.2020. In his defense, the applicant states that the report sent to the Office by the Data Protection Officer contains a number of errors.</p><p> The applicant states that he has not received any email or other contact from the controller throughout the process, with the exception of the reply received from the controller&#39;s employee in October 2020.</p><p> On 2 September 2020, the applicant has been in contact with the CEO of the optics group in Finland and has inquired about the response to the personal data deletion request made to the data protection officer in November 2018. The applicant has re-inquired on 11.9.2020. The applicant has received a reply from the Finnish CEO on 23.10.2020, regretting that the matter has not been confirmed and stating that the matter will be confirmed separately.</p><p> According to the applicant, the controller has recorded information without asking the applicant, which the applicant would not have wanted to provide to the controller even with his consent. According to the applicant, that information appears to have been obtained from a prescription written by an ophthalmologist. According to the applicant, the consent of the applicant has not been sought for the recording of the data.</p><p> On 25 November 202020, the applicant was asked what errors the report submitted by the data controller to the Office of the Data Protection Officer contains. According to the applicant, he orally requested the deletion of his data on his second visit to the store, about a week after the original purchase transaction, in November 2018.</p><p> According to the applicant, the movement claimed, numerous times and by several persons, that the data could not be deleted. According to the applicant, no reasons were given for this. According to the applicant, he was instead given a note with the contact details of the data protection officer of the controller. The applicant had sent an e-mail to this party, the content of which has been described above in connection with the applicant&#39;s claims.</p><p> According to the applicant, he has not been advised to use the form on the website. According to the applicant, he has still also sent the request via an electronic form. According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.</p><p> According to the applicant, he was never informed of the statutory obligation of opticians and ophthalmologists to draw up and keep patient records. The applicant denies being a patient of the controller. According to the applicant, he is an ordinary customer who has purchased an object from the registrar without receiving, for example, medical measurement services. According to the applicant, he did not know that the controller would set up a document containing information about him. According to the applicant, he was not informed that his data would be stored.</p><h4 id="OT10"> Legal issue</h4><p> The Data Protection Officer assesses and decides on the applicant&#39;s case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The following issues remain to be resolved:<br/> 1) whether there has been a ground for processing the applicant&#39;s personal data in accordance with Article 6 of the General Data Protection Regulation;<br/> 2) whether the processing of personal data by the controller in connection with the online form has complied with the principle of minimization in accordance with Article 5 (1) (c) of the General Data Protection Regulation; and<br/> 3) whether an order pursuant to Article 58 (2) (c) of the General Data Protection Regulation should be issued to the controller to comply with the applicant&#39;s request for his data to be deleted.</p><h4 id="OT11"> Decision of the EDPS</h4><p> The EDPS considers that the controller has had the grounds for processing personal data required by Article 6 of the General Data Protection Regulation.</p><p> The EDPS considers that the processing of personal data by the controller in the context of the online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.</p><p> The EDPS shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. The EDPS notes that the activities of the controller have not complied with the obligations set out in Article 12 of the General Data Protection Regulation. The controller has not responded to the applicant&#39;s request as required by Article 12 (3) and (4) of the General Data Protection Regulation.</p><p> The EDPS instructs the controller to comply with the applicant&#39;s request to have his data deleted in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under section 2 of the Patient Status and Rights Act.</p><h4 id="OT12"> Reasoning</h4><h5 id="OT13"> The basis for the processing of personal data</h5><p> The processing of personal data must be subject to the grounds set out in Article 6 of the General Data Protection Regulation. It should be noted that consent is only one of the grounds for processing personal data provided for in Article 6. According to the controller &#39;s explanation, the processing of the applicant&#39; s personal data has been based on an agreement in accordance with Article 6 (b) and a legitimate interest of the controller in accordance with Article 6 (f).</p><p> If the data subject has used the services of an optician or ophthalmologist, the processing of personal data may also have been based on the data subject&#39;s legal obligation under Article 6 (c) of the General Data Protection Regulation.</p><p> According to a report received from the registrar, the applicant has ordered reading glasses through a local store. It should be noted that the determination of suitable lenses on the basis of an eye examination is a task which requires the professional competence of an optician (Consumer Law Practices in the Optical Sector, p. 5). In accordance with section 5 of the Health Care Professionals Act (559/1994), an optician is a health care professional. As a health care professional, an optician must, in accordance with section 12 of the Act on the Status and Rights of Patients (785/1992), enter in patient documents the information necessary to ensure the organization, planning, implementation and monitoring of patient care.</p><p> According to Section 2 (5) of the Act on the Status and Rights of Patients, patient records refer to documents or technical records used, prepared or received for the organization and implementation of patient care, which contain information about his or her state of health or other personal information. The preparation of patient documents, the more detailed content of the information to be recorded in them and the data retention periods are regulated in more detail by the Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009; later the Patient Document Decree). Section 10 of the Patient Documentation Decree defines the basic information to be defined in patient records. The information to be retained pursuant to subsection 1 (1) of the said section is the patient&#39;s name, date of birth, personal identity number, place of residence and contact information. The data must be kept in accordance with section 23 of the Patient Documentation Decree for the period referred to in the annex to the said decree.</p><p> For the reasons set out above, the EDPS considers that the controller has had the basis for the processing of personal data required by Article 6 of the General Data Protection Regulation.</p><h5 id="OT14"> On the processing of personal data in connection with the online form</h5><p> In accordance with Article 5 (1) (f) of the General Data Protection Regulation, the controller must ensure the confidentiality of personal data. Therefore, when exercising the data subject&#39;s rights, the controller must verify the identity of the requesting person. If the controller has reasonable grounds to doubt the identity of the natural person who made the request, the controller may, in accordance with Article 12 (6), request the provision of additional information necessary to establish the identity.</p><p> In accordance with Article 5 (1) (c) of the General Data Protection Regulation, the processing of personal data must comply with the principle of minimization. Personal data processed in accordance with the principle of minimization shall be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed.</p><p> Given the principle of minimization of personal data, the controller should not ask the data subject for more information than is necessary to identify him or her.<br/> According to the applicant, the registrar&#39;s online form requires the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.</p><p> According to the report provided by the registrar, the same information that customers have provided when registering as a customer of an optician is processed in connection with the online form. According to the registrar, it uses the information in the form to verify the registered identity by comparing the information with the information in the customer register. The registrar has also stated that he updated the form used after 2018.</p><p> The information collected by the registrar on the online form for identification purposes is the same information that the registrar normally processes from registrants in its customer register. The EDPS therefore considers that the processing of personal data by the controller in the context of the online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.</p><h5 id="OT15"> The data subject&#39;s right to have his data deleted</h5><p> Article 17 of the General Data Protection Regulation provides for the right of the data subject to have his or her personal data deleted. According to this provision, the data subject has the right, under certain conditions, to have the controller delete personal data concerning the data subject without undue delay, and the controller has the obligation to delete personal data without undue delay.<br/> Article 12 (3) of the General Data Protection Regulation requires the controller to provide the data subject with information on the action taken on a request under Articles 15 to 22 without undue delay and in any case within one month of receipt of the request.</p><p> If the controller does not act on the data subject&#39;s request, the controller must, in accordance with Article 12 (4) of the General Data Protection Regulation, inform the data subject of the reasons without delay and at the latest within one month of receiving the request. In that case, the controller shall also inform about the possibility to lodge a complaint with the supervisory authority and to seek other legal remedies.</p><p> According to the registrar, the applicant had requested the deletion of his data in the shop, but had refused to use the online form created to make the request. According to the registrar, the applicant had sent a request for deletion to the e-mail address of the optician&#39;s entrepreneur.</p><p> According to the registrar, the entrepreneur of the business informed the applicant that the health care legislation requires the registrar to keep the health information for the period required by the legislation.<br/> According to the registrar, the applicant had written a blog post about the incident, to which the Finnish country manager of the optics group had published a response. In the reply, the Finnish Country Director generally describes the registrar&#39;s obligation to collect and store information that is considered to be patient data for the period required by law.</p><p> According to the applicant, he had requested the deletion of his personal data at a shop where he had been informed that the data could not be deleted. The reason for this was not stated according to the applicant. According to the applicant, he was given a piece of paper with the contact details of the data protection officer of the controller. The applicant sent their removal request to the email address provided to them. According to the applicant, he was not advised to use the form on the website. Nevertheless, the applicant also sent a deletion request to the controller using the online form.</p><p> According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.</p><p> It is still unclear what information was provided to the applicant when he requested the deletion of his information. It is also not clear from the explanation received whether the applicant&#39;s data has been deleted. What is clear, on the other hand, is that the applicant has been unaware of the conditions under which healthcare legislation retains data. It should also be noted that the general reply of the Finnish national director of the optician group published in response to the applicant&#39;s blog post cannot be considered as a notification within the meaning of Article 12 (3) and (4) of the General Data Protection Regulation.</p><p> On the basis of the above, the EDPS will issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. In view, in particular, of the controller &#39;s obligation to provide evidence laid down in Article 5 (2) of the General Data Protection Regulation, it must be considered that the controller&#39; s conduct does not comply with the obligations laid down in Article 12 of the General Data Protection Regulation. In particular, also taking into account the provisions of Article 5 (2) of the General Data Protection Regulation, the controller cannot be considered to have responded to the applicant&#39;s request as required by Article 12 (3) and (4) of the General Data Protection Regulation.</p><p> On the basis of the above, the EDPS orders the controller to comply with the applicant&#39;s request for deletion of his data in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under Section 2 of the Patient Status and Rights Act.</p><h4 id="OT16"> Applicable law</h4><p> Mentioned in the explanatory memorandum.</p><h4 id="OT17"> Appeal</h4><p> According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).</p><h4 id="OT18"> Further information on this decision will be provided by the rapporteur</h4><p> Meeri Blomberg, meeri.blomberg@om.fi, tel. +358 29 5666 755</p></div><!-- cached 18:13:02 24.02.2021 --></div></div><div id="sidebar"><div class="description"><h3 class="title material"> <a href="/fi/viranomaiset/tsv/">Data Protection Officer</a></h3><p> Decisions of the Data Protection Supervisor on the interpretation of the Data Protection Regulation and the Personal Data Act.</p></div><div id="document-sidebar"><div class="extra-links"><h3 class="other title"> Other material related to the material</h3><ul><li> <a href="/data/tsv/TSV_tyojarjestys_FI.pdf" class="pdf"><span>›</span> Rules of procedure of the Office of the Data Protection Officer</a></li></ul></div></div><div id="toc-container"><div id="toc-title"><h4> Table of contents</h4><h3> 2/16/2021</h3></div><div id="toc-content"><div id="toc"> <a href="#">Customer&#39;s request for personal data removal and processing of personal data established</a> <a href="#OT1">case</a> <a href="#OT2">requirements Applicants reasoned</a> <a href="#OT3">statement from the Registrar</a> <a href="#OT4">for the cross-border nature of the</a> <a href="#OT5">processing of personal data set</a> <a href="#OT6">information to data</a> <a href="#OT7">subject&#39;s right to have their data removed from</a> <a href="#OT8">the context of personal data in the online form</a> <a href="#OT9">The applicant&#39;s response</a> <a href="#OT10">The legal question</a> <a href="#OT11">of the EDPS Decision</a> <a href="#OT12">of reasons</a> <a href="#OT13">criterion of processing personal data</a> <a href="#OT14">processing of personal data in connection with an online form</a> <a href="#OT15">of a registered right of access to their data deleted</a> <a href="#OT16">Applicable law</a> <a href="#OT17">Appeal</a> <a href="#OT18">Further information on this decision will be provided by the rapporteur</a></div></div><div id="toc-footer"> <a class="to-top" href="#document">To the beginning of the page</a></div></div></div></div><div id="breadcrumbs-bottom"><div class="container"> <span class="skip">You are here:</span> <a class="home" href="/fi/">Finlex</a> › <a href="/fi/viranomaiset/">Authorities</a> › <a href="/fi/viranomaiset/tsv/">Data Protection Commissioner</a> › <a href="../2021/" title="Data Protection Supervisor 2021">2021</a> › <span title="Data Protection Officer 16.2.2021">16.2.2021</span> </div></div><div id="sitemap"><div id="sitemap-content" class="container"><div id="sitemap-category-laki"><h5> <a href="/fi/laki/">Legislation</a></h5><ul><li> <a href="/fi/laki/ajantasa/">Up - to - date legislation</a></li><li> <a href="/fi/laki/alkup/">Acts in original</a></li><li> <a href="/fi/laki/kokoelma/">Electronic collection of legal acts</a></li><li> <a href="/fi/laki/smur/">Directory of legislative amendments</a></li><li> <a href="/fi/laki/kaannokset/">Translations of legal acts</a></li><li> <a href="/fi/laki/saame/">Acts in the Sámi language</a></li></ul></div><div id="sitemap-category-oikeus"><h5> <a href="/fi/oikeus/">Case law</a></h5><ul><li> <a href="/fi/oikeus/kko/">The Supreme Court</a></li><li> <a href="/fi/oikeus/kho/">The Supreme Administrative Court</a></li><li> <a href="/fi/oikeus/ho/">Rights of the Court</a></li><li> <a href="/fi/oikeus/hao/">Administrative rights</a></li><li> <a href="/fi/oikeus/mao/">Market law</a></li><li> <a href="/fi/oikeus/tt/">Industrial tribunal</a></li><li> <a href="/fi/oikeus/vako/">Insurance law</a></li><li> <a href="/fi/oikeus/eurooppa/">European courts</a></li><li> <a href="/fi/oikeus/foki/">Case law in the literature</a></li></ul></div><div id="sitemap-category-viranomaiset"><h5> <a href="/fi/viranomaiset/">Authorities</a></h5><ul><li> <a href="/fi/viranomaiset/normi/">Collections of regulations of public authorities</a></li><li> <a href="/fi/viranomaiset/tyoehto/">Collective agreements</a></li><li> <a href="/fi/viranomaiset/foka/">Chancellor of Justice of the Government</a></li><li> <a href="/fi/viranomaiset/ftie/">Data Protection Board</a></li><li> <a href="/fi/viranomaiset/tsv/">Data Protection Officer</a></li></ul></div><div id="sitemap-category-sopimukset"><h5> <a href="/fi/sopimukset/">Government contracts</a></h5><ul><li> <a href="/fi/sopimukset/sopsteksti/">Government contracts</a></li><li> <a href="/fi/sopimukset/sopsviite/">Government Contracts Reference Database</a></li><li> <a href="/fi/sopimukset/sopimussarja/">Electronic contract series</a></li><li><a href="/fi/sopimukset/verosopimusteksti/">
Customer's request for deletion of personal data and the basis for processing personal data
                      </a></li></ul></div><div id="sitemap-category-esitykset"><h5><a href="/fi/esitykset/">Government proposals</a></h5><ul><li> <a href="/fi/esitykset/he/">Government proposals</a></li></ul><h5> <a href="http://julkaisut.finlex.fi">Proceedings</a></h5><ul><li> <a href="http://lainvalmistelu.finlex.fi">Legislative Process Guide</a></li><li> <a href="http://helo.finlex.fi">Instructions for preparing Board proposals</a></li><li> <a href="http://lainkirjoittaja.finlex.fi">The Writer&#39;s Guide</a></li><li> <a href="http://yhdenvertaisuus.finlex.fi">Equality assessment</a></li><li> <a href="http://kuulemisopas.finlex.fi">Legislative Consultation Guide</a></li><li> <a href="http://kokeiluohje.finlex.fi">Trial Law Guide</a></li></ul></div><div id="sitemap-category-finlex"><h5> <a href="/fi/">Finlex®</a></h5><ul><li> <a href="/fi/uutiset/">News archive</a></li><li> <a href="/fi/rss/">RSS feeds</a></li><li> <a href="/fi/ohjeet/">Instructions</a></li><li> <a href="/fi/palaute/">Feedback</a></li><li> <a href="/fi/kayttoehdot/">Terms of use</a></li><li> <a href="/fi/saavutettavuusseloste/">Accessibility statement</a></li><li> <a href="/fi/sivukartta/">Sitemap</a></li></ul></div></div><div id="disclaimer"><p> Finlex ® is a public and free Internet service for legal material owned by the Ministry of Justice.<br /> Finlex content is produced and maintained by Edita Publishing Oy. Neither the Ministry of Justice nor Edita shall be liable for any errors that may occur in the content of the databases, direct or indirect damages caused to the user by their use, or interruptions in the use of the Internet data network or other disturbances.</p></div></div></body></html>
 
Thing
 
The applicant has asked the optician to delete his information, but has not received a response to his request.
Applicant 's claims and reasons
 
The applicant has been in contact with the Office of the Data Protection Commissioner on 19 November 2018 regarding the processing of personal data in the activities of the optician's shop (later also the “registrar”).
 
The applicant has done business with the controller's business and noticed that information about him or her has been stored in the controller's system. The applicant has contacted the registrar on 8 November 2018 and stated that he has not given his consent to the storage of his data.
 
The applicant has asked the controller to delete all his data. The applicant has inquired from the registrar why the online form collects information that the applicant says customers do not want to provide to the company. According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.
 
The applicant has stated that it should be possible to control the rights without filling in all the fields marked as mandatory on that form.
 
The applicant has not received a response to his / her inquiry from the controller and asks the EDPS to assess whether the controller has acted correctly.
Statement received from the controller
 
The Office of the Data Protection Commissioner has sent a request for clarification to the optics group's Finnish country company on 1 July 2019, to which the company declared to be the optics group's head office has submitted the report on 13 August 2019. The Office of the Data Protection Commissioner has requested an additional report from the Finnish country company on 23 April 2020, to which the head office of the optics group has submitted the report on 25 May 2020.
 
A report on the online form has been requested from the optics group's head office on October 1, 2020. A report has been requested from the local optician's shop on the exercise of the applicant's right on 1.10.2020. The head office of the Optician Group has submitted a response to the requests for clarification on 9 October 2020.
Cross - border nature of the case
 
The local office of the optician's shop is part of an international optician's group, which has made it necessary to determine whether the Data Protection Officer or the data protection authority of another country is the competent supervisory authority.
 
Based on the report received from the head office of the optician group, the local optician's company, the Finnish country company and the company defined as the head office of the optician group are responsible for making decisions on the processing of personal data in the applicant's case. The Registrar shall have its principal place of business in Guernsey.
 
Based on the explanation received, the local store is the registrar when the customer orders the product from the local store. The company, which has been declared the head office of the Optician Group, participates in the processing of personal data as a joint registrar and provides IT, marketing and other support services to local stores. The Group Data Protection Officer is a shared resource of the optician group that supports local entrepreneurs in enforcing the data subject’s rights. The online form is a mechanism by which the data subject's rights can be exercised on behalf of the local movement.
 
The optician group is not headquartered in the EU, so the procedure for cooperation between data protection authorities under Article 56 of the General Data Protection Regulation does not apply.
Basis for processing personal data
 
According to the explanation received from the controller, the processing of the applicant's personal data was based on an agreement under Article 6 (b) and a legitimate interest of the controller under Article 6 (f) to continue processing the data in order to provide a service to the customer.
Informing data subjects
 
According to the controller's report, data subjects are provided with the information required by Articles 12 to 14 of the General Data Protection Regulation on a sign placed on the counter of the shop and on cards indicating what information is collected, by whom and for what purpose. According to the controller, the customer goes through several privacy clauses at the time of booking and the controller states that he is referring to his data protection policy, which provides customers with additional information in accordance with Articles 12-14 of the General Data Protection Regulation.
The data subject's right to have his data deleted
 
According to the statement provided by the registrar, the applicant has ordered reading glasses through the registrar's local store. According to the registrar, the applicant has returned to the circulation and questioned the amount of data collected to execute the order. According to the registrar, the applicant has requested the deletion of his data but has refused to use the online form provided. The applicant has sent the business entrepreneur the message described above in connection with the applicant's claims, in which he requests, among other things, the deletion of his data.
 
According to a report from the registrar, the entrepreneur of the business has told the applicant that health care legislation requires the registrar to keep health records for a certain period of time. Retention of health information enables clients, health care providers, and authorities to evaluate the care they receive if they encounter problems in the future. According to the registrar, the business operator has informed the applicant that, at the request of the applicant, it can only anonymise the applicant's data within the retention period.
 
Based on the report provided by the registrar, the applicant has written a blog post about the incident, to which the Finnish country manager of the optics group has published a response. In his reply, the Finnish Country Director states that the registrar sells spectacles on the basis of a thorough examination carried out by an optician or an optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is equivalent to doing business with a healthcare professional.
 
The Finnish country manager of the optician's movement says that opticians have an obligation to collect information that is considered patient data and keep it for the period required by law. According to the writing, it is not possible for customers to sell individual glasses without processing their personal information.
 
In response, the Finnish country manager of the optician's store states that they process personal data as required by the general data protection regulation only for the purposes for which they were collected and about which customers have been informed in the store and on the registrar's website. If customers wish to exercise their rights under the General Data Protection Regulation, such as the right to have their data deleted, the controller has a process set up for this purpose on its website. The reason why the controller collects data again in this process is that the controller has a duty to verify the identity of the data subject. Without this, there could be a risk of data being erased incorrectly.
 
According to the reply, the applicant will be informed of the deletion of the data and the data collected on the online form will also be deleted.
Processing of personal data in connection with the online form
 
Based on the report received, not all customers have a default email address, so the registrar needs other information in addition to the email address to ensure customer service. The registrar uses customer data for this purpose. According to the registrar, it requests identifying information on the online form, which it can compare with the information in its possession. Usually, the information used for comparison is name, phone number, and email address. If at least three items of the information provided on the form match the customer data held by the controller, the controller considers this to be a sufficient reason to proceed with the customer's request.
 
If any of the information does not match the customer information, the registrar may call the customer to verify their identity. This may be the case, for example, when a customer sends a request online and the email address matches the customer information, but the phone number does not. If the controller is still unable to verify the identity, it may require the customer to present an identity card at the store.
 
According to the registrar, in most cases the identity of the data subject can be easily established without formal identification. The controller shall consider that the information it collects for this purpose is relevant, adequate, necessary and proportionate. The goal of the registrar has been to create an authentication process that is not intrusive to customers. The controller wants to point out that it does not collect information about customers that it does not already have in its register.
 
According to the explanation received, the data subject may make his request orally or in writing. The majority (approx. 99%) of the data subject's requests have been made via the online form. Since May 2018, the controller has reported a total of 12,547 requests across Europe.
 
According to the report provided by the registrar, the online form has changed after 2018. In the current form, the free-form field for specifying the request has been replaced by check boxes and the registrant will be asked to specify his relationship with the controller. In addition, looking at the updated form, it can be seen that instead of a personal identity number, the registrant is asked to fill in the date of birth.
 
The required information is marked with an asterisk. When at least three of the data completed in the request match the customer data, the controller considers this to be a sufficient reason to proceed with the customer's request. Surname, address, e-mail address and date of birth are used for this purpose.
 
Information on the store in which the data subject has transacted and what services the data subject has purchased will help the registrar to link the request to the local optician and the service used to execute the request.
 
The registrar considers that all the mandatory information on the form is necessary and that the form is simple and easy to use. The data subject's rights are exercised by the controller's data protection team and the data is used only to enforce the rights. The information is not available to other teams in the Group.
Applicant 's reply
 
The applicant is given the opportunity to respond in the matter. The applicant submitted the defense on 19.11.2020. In his defense, the applicant states that the report sent to the Office by the Data Protection Officer contains a number of errors.
 
The applicant states that he has not received any emails or other contacts from the controller throughout the process, with the exception of the reply received from the controller's employee in October 2020.
 
On 2 September 2020, the applicant has been in contact with the CEO of the optics group in Finland and has inquired about the response to the personal data deletion request made to the data protection officer in November 2018. The applicant has re-inquired on 11.9.2020. The applicant has received a reply from the Finnish CEO on 23.10.2020, regretting that the matter has not been confirmed and stating that the matter will be confirmed separately.
 
According to the applicant, the controller has recorded information without asking the applicant, which the applicant would not have wanted to provide to the controller even with his consent. According to the applicant, that information appears to have been obtained from a prescription written by an ophthalmologist. According to the applicant, the consent of the applicant has not been sought for the recording of the data.
 
On 25 November 202020, the applicant was asked what errors the report submitted by the data controller to the Office of the Data Protection Officer contains. According to the applicant, he orally requested the deletion of his data on his second visit to the store, about a week after the original purchase transaction, i.e. in November 2018.
 
According to the applicant, the movement claimed, numerous times and by several persons, that the data could not be deleted. According to the applicant, no reasons were given for this. According to the applicant, he was instead given a note with the contact details of the data protection officer of the controller. The applicant had sent an e-mail to this party, the content of which has been described above in connection with the applicant's claims.
 
According to the applicant, he has not been advised to use the form on the website. According to the applicant, he has still also sent the request via an electronic form. According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.
 
According to the applicant, he was never informed of the statutory obligation of opticians and ophthalmologists to draw up and keep patient records. The applicant denies being a patient of the controller. According to the applicant, he is an ordinary customer who has purchased an object from the registrar without receiving, for example, medical measurement services. According to the applicant, he did not know that the controller would set up a document containing information about him. According to the applicant, he was not informed that his data would be stored.
Legal issue
 
The Data Protection Officer assesses and decides on the applicant's case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The following issues remain to be resolved:
1) whether there has been a ground for processing the applicant's personal data in accordance with Article 6 of the General Data Protection Regulation;
2) whether the processing of personal data by the controller in connection with the online form has complied with the principle of minimization in accordance with Article 5 (1) (c) of the General Data Protection Regulation; and
(3) whether the controller should be ordered in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the applicant's request for his data to be deleted.
Decision of the EDPS
 
The EDPS considers that the controller has had the grounds for processing personal data required by Article 6 of the General Data Protection Regulation.
 
The EDPS considers that the processing of personal data by the controller in the context of the online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.
 
The EDPS shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. The EDPS notes that the activities of the controller have not complied with the obligations set out in Article 12 of the General Data Protection Regulation. The controller has not responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation.
 
The EDPS instructs the controller to comply with the applicant's request to have his data deleted in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under section 2 of the Patient Status and Rights Act.
Reasoning
The basis for the processing of personal data
 
The processing of personal data must be subject to the grounds set out in Article 6 of the General Data Protection Regulation. It should be noted that consent is only one of the grounds for processing personal data provided for in Article 6. According to the controller 's explanation, the processing of the applicant' s personal data has been based on an agreement in accordance with Article 6 (b) and a legitimate interest of the controller in accordance with Article 6 (f).
 
If the data subject has used the services of an optician or ophthalmologist, the processing of personal data may also have been based on the data subject's legal obligation under Article 6 (c) of the General Data Protection Regulation.
 
According to a report received from the registrar, the applicant has ordered reading glasses through a local store. It should be noted that the determination of suitable lenses on the basis of an eye examination is a task which requires the professional competence of an optician (Consumer Law Practices in the Optical Sector, p. 5). Pursuant to section 5 of the Health Care Professionals Act (559/1994), an optician is a health care professional. As a health care professional, an optician must, in accordance with section 12 of the Act on the Status and Rights of Patients (785/1992), enter in patient documents the information necessary to ensure the organization, planning, implementation and monitoring of patient care.
 
According to Section 2 (5) of the Act on the Status and Rights of Patients, patient records refer to documents or technical records used, prepared or received for the organization and implementation of patient care, which contain information about his or her state of health or other personal information. The preparation of patient documents, the more detailed content of the information to be recorded in them and the data retention periods are regulated in more detail by the Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009; later the Patient Document Decree). Section 10 of the Patient Documentation Decree defines the basic information to be defined in patient records. According to subsection 1 (1) of the said section, the information to be retained is the patient's name, date of birth, personal identity number, place of residence and contact information.In accordance with section 23 of the Patient Documentation Decree, the data must be kept for the period referred to in the annex to the said decree.
 
For the reasons set out above, the EDPS considers that the controller has had the basis for the processing of personal data required by Article 6 of the General Data Protection Regulation.
On the processing of personal data in connection with the online form
 
In accordance with Article 5 (1) (f) of the General Data Protection Regulation, the controller must ensure the confidentiality of personal data. Therefore, when exercising the data subject's rights, the controller must verify the identity of the requesting person. If the controller has reasonable grounds to doubt the identity of the natural person who made the request, the controller may, in accordance with Article 12 (6), request the provision of additional information necessary to establish the identity.
 
In accordance with Article 5 (1) (c) of the General Data Protection Regulation, the processing of personal data must comply with the principle of minimization. Personal data processed in accordance with the principle of minimization shall be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
 
Given the principle of minimization of personal data, the controller should not ask the data subject for more information than is necessary to identify him or her.
According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.
 
According to the report provided by the registrar, the same information that customers have provided when registering as a customer of an optician is processed in connection with the online form. According to the registrar, it uses the information in the form to verify the registered identity by comparing the information with the information in the customer register. The registrar has also stated that he updated the form used after 2018.
 
The information collected by the registrar on the online form for identification purposes is the same information that the registrar normally processes from registrants in its customer register. The EDPS therefore considers that the processing of personal data by the controller in the context of an online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.
The data subject's right to have his data deleted
 
Article 17 of the General Data Protection Regulation provides for the right of the data subject to have his or her personal data deleted. According to this provision, the data subject has the right, under certain conditions, to have the controller delete personal data concerning the data subject without undue delay, and the controller has the obligation to delete personal data without undue delay.
Article 12 (3) of the General Data Protection Regulation requires the controller to inform the data subject of the action taken on a request under Articles 15 to 22 without undue delay and in any case within one month of receipt of the request.
 
If the controller does not act on the data subject's request, Article 12 (4) of the General Data Protection Regulation requires the controller to inform the data subject of the reasons without delay and at the latest within one month of receiving the request. In that case, the controller shall also inform about the possibility to lodge a complaint with the supervisory authority and to seek other legal remedies.
 
According to the registrar, the applicant had requested the deletion of his data in the shop, but had refused to use the online form created to make the request. According to the registrar, the applicant had sent a request for deletion to the e-mail address of the optician's entrepreneur.
 
According to the registrar, the business entrepreneur told the applicant that health care legislation requires the registrar to keep health information for the period required by the legislation.
According to the registrar, the applicant had written a blog post about the incident, to which the Finnish country manager of the optics group had published a response. In the reply, the Finnish Country Director generally describes the registrar's obligation to collect and store information that is considered to be patient data for the period required by law.
 
According to the applicant, he had requested the deletion of his personal data at a shop where he had been informed that the data could not be deleted. The reason for this was not stated according to the applicant. According to the applicant, he was given a piece of paper with the contact details of the data protection officer of the controller. The applicant sent their removal request to the email address provided to them. According to the applicant, he was not advised to use the form on the website. Nevertheless, the applicant also sent a deletion request to the controller using the online form.
 
According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.
 
It is still unclear what information was provided to the applicant when he requested the deletion of his information. It is also not clear from the information received whether the applicant's data has been deleted. It is clear, on the other hand, that the applicant has been unaware of the conditions under which healthcare legislation retains data. It should also be noted that the general reply of the Finnish country manager of the optician group published in response to the applicant's blog post cannot be considered as a notification within the meaning of Article 12 (3) and (4) of the General Data Protection Regulation.
 
On the basis of the above, the EDPS will issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. In view, in particular, of the controller 's obligation to provide evidence laid down in Article 5 (2) of the General Data Protection Regulation, the controller' s conduct must be considered not to comply with the obligations laid down in Article 12 of the General Data Protection Regulation. In particular, also taking into account the provisions of Article 5 (2) of the General Data Protection Regulation, the controller cannot be considered to have responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation.
 
On the basis of the above, the EDPS orders the controller to comply with the applicant's request for deletion of his data in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under Section 2 of the Patient Status and Rights Act.
Applicable law
 
Mentioned in the explanatory memorandum.
Appeal
 
According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).
 
The decision is not yet final.
 
</pre>
</pre>

Revision as of 09:18, 7 April 2021

Tietosuojavaltuutetun toimisto - 8235/154/18
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 6 GDPR
Article 12 GDPR
Article 17 GDPR
Article 58(2)(c) GDPR
Data Protection Act (Tietosuojalaki) 1050/2018
Sosiaali- ja terveysministeriön asetus potilasasiakirjoista 298/2009
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 16.02.2021
Fine: None
Parties: n/a
National Case Number/Name: 8235/154/18
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: V

The Finnish DPA (Tietosuojavaltuutetun Toimisto) ordered a data controller to comply with the customer's request to have their personal data deleted in so far as their processing is not required by Finland's national legislation concerning patient records and the rights of patients.

English Summary

Facts

In November, 2018, a customer (data subject) purchased glasses from an optician (data controller), and later noticed that the optician had stored his personal data in their system. Data subject requested the controller to delete his data, on the basis that he had not given his consent for storing the data. To proceed with his request for deletion, data subject was asked to fill in an online form where data subject had to provide even more personal data. Data subject refused and instead, wrote a public blog post which was accepted by the DPAs as a valid data subject request.

Dispute

Holding

Finnish Data Protection Ombudsman considered that the data controller had a legal basis for processing the data subject' personal data under national law which requires retention of certain personal data of their customers for a period determined by the Patient Data Record Act. Controller also had legal basis to process patient data which were necessary for their identification when data subject wishes to use their rights. However, the controller had not adequately informed the data subject about the processing of requests for deletion, nor about reasons behind rejection of the data subject's request.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Customer's request for deletion of personal data and the basis for processing personal data

Thing

The applicant has asked the optician to delete his information, but has not received a response to his request.
Applicant 's claims and reasons

The applicant has been in contact with the Office of the Data Protection Commissioner on 19 November 2018 regarding the processing of personal data in the activities of the optician's shop (later also the “registrar”).

The applicant has done business with the controller's business and noticed that information about him or her has been stored in the controller's system. The applicant has contacted the registrar on 8 November 2018 and stated that he has not given his consent to the storage of his data.

The applicant has asked the controller to delete all his data. The applicant has inquired from the registrar why the online form collects information that the applicant says customers do not want to provide to the company. According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.

The applicant has stated that it should be possible to control the rights without filling in all the fields marked as mandatory on that form.

The applicant has not received a response to his / her inquiry from the controller and asks the EDPS to assess whether the controller has acted correctly.
Statement received from the controller

The Office of the Data Protection Commissioner has sent a request for clarification to the optics group's Finnish country company on 1 July 2019, to which the company declared to be the optics group's head office has submitted the report on 13 August 2019. The Office of the Data Protection Commissioner has requested an additional report from the Finnish country company on 23 April 2020, to which the head office of the optics group has submitted the report on 25 May 2020.

A report on the online form has been requested from the optics group's head office on October 1, 2020. A report has been requested from the local optician's shop on the exercise of the applicant's right on 1.10.2020. The head office of the Optician Group has submitted a response to the requests for clarification on 9 October 2020.
Cross - border nature of the case

The local office of the optician's shop is part of an international optician's group, which has made it necessary to determine whether the Data Protection Officer or the data protection authority of another country is the competent supervisory authority.

Based on the report received from the head office of the optician group, the local optician's company, the Finnish country company and the company defined as the head office of the optician group are responsible for making decisions on the processing of personal data in the applicant's case. The Registrar shall have its principal place of business in Guernsey.

Based on the explanation received, the local store is the registrar when the customer orders the product from the local store. The company, which has been declared the head office of the Optician Group, participates in the processing of personal data as a joint registrar and provides IT, marketing and other support services to local stores. The Group Data Protection Officer is a shared resource of the optician group that supports local entrepreneurs in enforcing the data subject’s rights. The online form is a mechanism by which the data subject's rights can be exercised on behalf of the local movement.

The optician group is not headquartered in the EU, so the procedure for cooperation between data protection authorities under Article 56 of the General Data Protection Regulation does not apply.
Basis for processing personal data

According to the explanation received from the controller, the processing of the applicant's personal data was based on an agreement under Article 6 (b) and a legitimate interest of the controller under Article 6 (f) to continue processing the data in order to provide a service to the customer.
Informing data subjects

According to the controller's report, data subjects are provided with the information required by Articles 12 to 14 of the General Data Protection Regulation on a sign placed on the counter of the shop and on cards indicating what information is collected, by whom and for what purpose. According to the controller, the customer goes through several privacy clauses at the time of booking and the controller states that he is referring to his data protection policy, which provides customers with additional information in accordance with Articles 12-14 of the General Data Protection Regulation.
The data subject's right to have his data deleted

According to the statement provided by the registrar, the applicant has ordered reading glasses through the registrar's local store. According to the registrar, the applicant has returned to the circulation and questioned the amount of data collected to execute the order. According to the registrar, the applicant has requested the deletion of his data but has refused to use the online form provided. The applicant has sent the business entrepreneur the message described above in connection with the applicant's claims, in which he requests, among other things, the deletion of his data.

According to a report from the registrar, the entrepreneur of the business has told the applicant that health care legislation requires the registrar to keep health records for a certain period of time. Retention of health information enables clients, health care providers, and authorities to evaluate the care they receive if they encounter problems in the future. According to the registrar, the business operator has informed the applicant that, at the request of the applicant, it can only anonymise the applicant's data within the retention period.

Based on the report provided by the registrar, the applicant has written a blog post about the incident, to which the Finnish country manager of the optics group has published a response. In his reply, the Finnish Country Director states that the registrar sells spectacles on the basis of a thorough examination carried out by an optician or an optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is equivalent to doing business with a healthcare professional.

The Finnish country manager of the optician's movement says that opticians have an obligation to collect information that is considered patient data and keep it for the period required by law. According to the writing, it is not possible for customers to sell individual glasses without processing their personal information.

In response, the Finnish country manager of the optician's store states that they process personal data as required by the general data protection regulation only for the purposes for which they were collected and about which customers have been informed in the store and on the registrar's website. If customers wish to exercise their rights under the General Data Protection Regulation, such as the right to have their data deleted, the controller has a process set up for this purpose on its website. The reason why the controller collects data again in this process is that the controller has a duty to verify the identity of the data subject. Without this, there could be a risk of data being erased incorrectly.

According to the reply, the applicant will be informed of the deletion of the data and the data collected on the online form will also be deleted.
Processing of personal data in connection with the online form

Based on the report received, not all customers have a default email address, so the registrar needs other information in addition to the email address to ensure customer service. The registrar uses customer data for this purpose. According to the registrar, it requests identifying information on the online form, which it can compare with the information in its possession. Usually, the information used for comparison is name, phone number, and email address. If at least three items of the information provided on the form match the customer data held by the controller, the controller considers this to be a sufficient reason to proceed with the customer's request.

If any of the information does not match the customer information, the registrar may call the customer to verify their identity. This may be the case, for example, when a customer sends a request online and the email address matches the customer information, but the phone number does not. If the controller is still unable to verify the identity, it may require the customer to present an identity card at the store.

According to the registrar, in most cases the identity of the data subject can be easily established without formal identification. The controller shall consider that the information it collects for this purpose is relevant, adequate, necessary and proportionate. The goal of the registrar has been to create an authentication process that is not intrusive to customers. The controller wants to point out that it does not collect information about customers that it does not already have in its register.

According to the explanation received, the data subject may make his request orally or in writing. The majority (approx. 99%) of the data subject's requests have been made via the online form. Since May 2018, the controller has reported a total of 12,547 requests across Europe.

According to the report provided by the registrar, the online form has changed after 2018. In the current form, the free-form field for specifying the request has been replaced by check boxes and the registrant will be asked to specify his relationship with the controller. In addition, looking at the updated form, it can be seen that instead of a personal identity number, the registrant is asked to fill in the date of birth.

The required information is marked with an asterisk. When at least three of the data completed in the request match the customer data, the controller considers this to be a sufficient reason to proceed with the customer's request. Surname, address, e-mail address and date of birth are used for this purpose.

Information on the store in which the data subject has transacted and what services the data subject has purchased will help the registrar to link the request to the local optician and the service used to execute the request.

The registrar considers that all the mandatory information on the form is necessary and that the form is simple and easy to use. The data subject's rights are exercised by the controller's data protection team and the data is used only to enforce the rights. The information is not available to other teams in the Group.
Applicant 's reply

The applicant is given the opportunity to respond in the matter. The applicant submitted the defense on 19.11.2020. In his defense, the applicant states that the report sent to the Office by the Data Protection Officer contains a number of errors.

The applicant states that he has not received any emails or other contacts from the controller throughout the process, with the exception of the reply received from the controller's employee in October 2020.

On 2 September 2020, the applicant has been in contact with the CEO of the optics group in Finland and has inquired about the response to the personal data deletion request made to the data protection officer in November 2018. The applicant has re-inquired on 11.9.2020. The applicant has received a reply from the Finnish CEO on 23.10.2020, regretting that the matter has not been confirmed and stating that the matter will be confirmed separately.

According to the applicant, the controller has recorded information without asking the applicant, which the applicant would not have wanted to provide to the controller even with his consent. According to the applicant, that information appears to have been obtained from a prescription written by an ophthalmologist. According to the applicant, the consent of the applicant has not been sought for the recording of the data.

On 25 November 202020, the applicant was asked what errors the report submitted by the data controller to the Office of the Data Protection Officer contains. According to the applicant, he orally requested the deletion of his data on his second visit to the store, about a week after the original purchase transaction, i.e. in November 2018.

According to the applicant, the movement claimed, numerous times and by several persons, that the data could not be deleted. According to the applicant, no reasons were given for this. According to the applicant, he was instead given a note with the contact details of the data protection officer of the controller. The applicant had sent an e-mail to this party, the content of which has been described above in connection with the applicant's claims.

According to the applicant, he has not been advised to use the form on the website. According to the applicant, he has still also sent the request via an electronic form. According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.

According to the applicant, he was never informed of the statutory obligation of opticians and ophthalmologists to draw up and keep patient records. The applicant denies being a patient of the controller. According to the applicant, he is an ordinary customer who has purchased an object from the registrar without receiving, for example, medical measurement services. According to the applicant, he did not know that the controller would set up a document containing information about him. According to the applicant, he was not informed that his data would be stored.
Legal issue

The Data Protection Officer assesses and decides on the applicant's case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The following issues remain to be resolved:
1) whether there has been a ground for processing the applicant's personal data in accordance with Article 6 of the General Data Protection Regulation;
2) whether the processing of personal data by the controller in connection with the online form has complied with the principle of minimization in accordance with Article 5 (1) (c) of the General Data Protection Regulation; and
(3) whether the controller should be ordered in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the applicant's request for his data to be deleted.
Decision of the EDPS

The EDPS considers that the controller has had the grounds for processing personal data required by Article 6 of the General Data Protection Regulation.

The EDPS considers that the processing of personal data by the controller in the context of the online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.

The EDPS shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. The EDPS notes that the activities of the controller have not complied with the obligations set out in Article 12 of the General Data Protection Regulation. The controller has not responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation.

The EDPS instructs the controller to comply with the applicant's request to have his data deleted in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under section 2 of the Patient Status and Rights Act.
Reasoning
The basis for the processing of personal data

The processing of personal data must be subject to the grounds set out in Article 6 of the General Data Protection Regulation. It should be noted that consent is only one of the grounds for processing personal data provided for in Article 6. According to the controller 's explanation, the processing of the applicant' s personal data has been based on an agreement in accordance with Article 6 (b) and a legitimate interest of the controller in accordance with Article 6 (f).

If the data subject has used the services of an optician or ophthalmologist, the processing of personal data may also have been based on the data subject's legal obligation under Article 6 (c) of the General Data Protection Regulation.

According to a report received from the registrar, the applicant has ordered reading glasses through a local store. It should be noted that the determination of suitable lenses on the basis of an eye examination is a task which requires the professional competence of an optician (Consumer Law Practices in the Optical Sector, p. 5). Pursuant to section 5 of the Health Care Professionals Act (559/1994), an optician is a health care professional. As a health care professional, an optician must, in accordance with section 12 of the Act on the Status and Rights of Patients (785/1992), enter in patient documents the information necessary to ensure the organization, planning, implementation and monitoring of patient care.

According to Section 2 (5) of the Act on the Status and Rights of Patients, patient records refer to documents or technical records used, prepared or received for the organization and implementation of patient care, which contain information about his or her state of health or other personal information. The preparation of patient documents, the more detailed content of the information to be recorded in them and the data retention periods are regulated in more detail by the Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009; later the Patient Document Decree). Section 10 of the Patient Documentation Decree defines the basic information to be defined in patient records. According to subsection 1 (1) of the said section, the information to be retained is the patient's name, date of birth, personal identity number, place of residence and contact information.In accordance with section 23 of the Patient Documentation Decree, the data must be kept for the period referred to in the annex to the said decree.

For the reasons set out above, the EDPS considers that the controller has had the basis for the processing of personal data required by Article 6 of the General Data Protection Regulation.
On the processing of personal data in connection with the online form

In accordance with Article 5 (1) (f) of the General Data Protection Regulation, the controller must ensure the confidentiality of personal data. Therefore, when exercising the data subject's rights, the controller must verify the identity of the requesting person. If the controller has reasonable grounds to doubt the identity of the natural person who made the request, the controller may, in accordance with Article 12 (6), request the provision of additional information necessary to establish the identity.

In accordance with Article 5 (1) (c) of the General Data Protection Regulation, the processing of personal data must comply with the principle of minimization. Personal data processed in accordance with the principle of minimization shall be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Given the principle of minimization of personal data, the controller should not ask the data subject for more information than is necessary to identify him or her.
According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.

According to the report provided by the registrar, the same information that customers have provided when registering as a customer of an optician is processed in connection with the online form. According to the registrar, it uses the information in the form to verify the registered identity by comparing the information with the information in the customer register. The registrar has also stated that he updated the form used after 2018.

The information collected by the registrar on the online form for identification purposes is the same information that the registrar normally processes from registrants in its customer register. The EDPS therefore considers that the processing of personal data by the controller in the context of an online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.
The data subject's right to have his data deleted

Article 17 of the General Data Protection Regulation provides for the right of the data subject to have his or her personal data deleted. According to this provision, the data subject has the right, under certain conditions, to have the controller delete personal data concerning the data subject without undue delay, and the controller has the obligation to delete personal data without undue delay.
Article 12 (3) of the General Data Protection Regulation requires the controller to inform the data subject of the action taken on a request under Articles 15 to 22 without undue delay and in any case within one month of receipt of the request.

If the controller does not act on the data subject's request, Article 12 (4) of the General Data Protection Regulation requires the controller to inform the data subject of the reasons without delay and at the latest within one month of receiving the request. In that case, the controller shall also inform about the possibility to lodge a complaint with the supervisory authority and to seek other legal remedies.

According to the registrar, the applicant had requested the deletion of his data in the shop, but had refused to use the online form created to make the request. According to the registrar, the applicant had sent a request for deletion to the e-mail address of the optician's entrepreneur.

According to the registrar, the business entrepreneur told the applicant that health care legislation requires the registrar to keep health information for the period required by the legislation.
According to the registrar, the applicant had written a blog post about the incident, to which the Finnish country manager of the optics group had published a response. In the reply, the Finnish Country Director generally describes the registrar's obligation to collect and store information that is considered to be patient data for the period required by law.

According to the applicant, he had requested the deletion of his personal data at a shop where he had been informed that the data could not be deleted. The reason for this was not stated according to the applicant. According to the applicant, he was given a piece of paper with the contact details of the data protection officer of the controller. The applicant sent their removal request to the email address provided to them. According to the applicant, he was not advised to use the form on the website. Nevertheless, the applicant also sent a deletion request to the controller using the online form.

According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.

It is still unclear what information was provided to the applicant when he requested the deletion of his information. It is also not clear from the information received whether the applicant's data has been deleted. It is clear, on the other hand, that the applicant has been unaware of the conditions under which healthcare legislation retains data. It should also be noted that the general reply of the Finnish country manager of the optician group published in response to the applicant's blog post cannot be considered as a notification within the meaning of Article 12 (3) and (4) of the General Data Protection Regulation.

On the basis of the above, the EDPS will issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. In view, in particular, of the controller 's obligation to provide evidence laid down in Article 5 (2) of the General Data Protection Regulation, the controller' s conduct must be considered not to comply with the obligations laid down in Article 12 of the General Data Protection Regulation. In particular, also taking into account the provisions of Article 5 (2) of the General Data Protection Regulation, the controller cannot be considered to have responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation.

On the basis of the above, the EDPS orders the controller to comply with the applicant's request for deletion of his data in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under Section 2 of the Patient Status and Rights Act.
Applicable law

Mentioned in the explanatory memorandum.
Appeal

According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).

The decision is not yet final.