Tietosuojavaltuutetun toimisto - 9209/157/2019

From GDPRhub
Tietosuojavaltuutetun toimisto - 9209/157/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(4) GDPR
Article 17(3) GDPR
Article 21(2) GDPR
Article 21(3) GDPR
Article 25(2) GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 22.01.2021
Published: 17.02.2021
Fine: None
Parties: n/a
National Case Number/Name: 9209/157/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: V

Y

English Summary[edit | edit source]

Facts[edit | edit source]

Y

Dispute[edit | edit source]

Holding[edit | edit source]

Y

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Ensuring adequate measures to enforce the data subject's rights

Thing

The right to have data deleted and the right to object to the processing of personal data for direct marketing
Applicant 's claims and reasons

On 27 November 2019, the Finnish Competition and Consumer Authority transferred the applicant's case to the Office of the Data Protection Commissioner in accordance with section 21 of the Administrative Procedure Act (434/2003).

The applicant's case concerns the data subject's rights under Articles 17 and 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the free movement of personal data and the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). At the request of the applicant, the controller has not exercised the applicant's right under Article 21 (2) of the General Data Protection Regulation to object to the processing of personal data for direct marketing, even though the controller has twice indicated that it prohibits direct marketing to the applicant.

In addition, the applicant has asked the controller to delete all personal data of the applicant. The data controller has refused to delete the data due to the data subject's obligation to retain personal data.
Statement received from the applicant

In 2014, the applicant purchased eyeglasses and sunglasses from the registrar's optician's shop. The applicant has started receiving contacts from the registrar in late 2017 - early 2018. As a result, on 7 March 2018, the applicant has asked the registrar to delete the applicant's data and asked the registrar to stop communicating with the applicant. The registrar has replied to the applicant, stating that the controller has tried to contact the applicant by telephone due to an eye examination invitation, and at the same time stated that he has entered a ban on direct marketing in the applicant's data. Despite the ban on direct marketing subscribed by the registrar, the applicant has received a direct marketing letter from the registrar by post on 19 November 2018, after which the applicant has contacted the registrar again and requested that his data be deleted.The registrar has replied to the applicant and stated that the direct marketing was due to an IT reason.

Since then, on 22 November 2018, the applicant has still contacted the controller to return to the request for data deletion. The applicant has informed the controller that he has requested the deletion of the data twice, but has not received a reply to this request at all. The applicant has therefore submitted his request for a third time. The registrar has replied to the applicant on 23 November 2018 and stated that the registrar is not allowed by law to delete the applicant's data, as the data contains health information that the registrar must keep by law. At the same time, the data controller has stated that he has in-activated the applicant's data so that the applicant's data will no longer be visible in the shop and therefore marketing will no longer take place.

The applicant has again received a direct marketing message from the registrar via SMS on 21 November 2019 and has been in contact with the registrar as a result. The registrar has replied and stated that the applicant has been marked with a marketing ban, but due to a technical error, the applicant has still received a direct marketing message.
Statement received from the controller

By a request for clarification dated 20 March 2020, the Office of the Data Protection Officer has requested clarification from the controller in order to clarify the applicant's case. The registrar has submitted his report on 30 June 2020.

In his statement, the controller shall state the following. The registrar's clients (optician's patients) will be sent an eye examination invitation for the next examination, generally two years after the last visit. If the patient (registered) refuses to send an eye examination invitation, this information is recorded in the store's patient information system. The data controller is currently saying that he is asking patients for consent to save the data

With regard to the applicant's case, the controller regrets what happened. The applicant has changed his / her surname after the applicant became a registrar's customer in 2014. The applicant's ban on direct marketing has not been properly targeted in the registrar's system due to a replication file jam. However, that jam was fixed immediately when it was noticed.
Applicant 's reply

In accordance with section 34 of the Administrative Procedure Act (434/2003), the Office of the Data Protection Commissioner has reserved the opportunity for the applicant to provide a response as a result of the data controller's report. The applicant has not submitted a response by the deadline of 31.8.2020.
Choice of applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999). According to section 8 of the Data Protection Act, the Data Protection Commissioner acts as the national supervisory authority referred to in the General Data Protection Decree in connection with the Ministry of Justice.

Pursuant to Section 305 (1) (4) of the Act on Electronic Communications Services (917/2014), the Data Protection Commissioner monitors compliance with the provisions of Sections 200 and 202–204 concerning direct marketing.

The applicant has submitted a request to the controller for data deletion and a ban on direct marketing for the first time on 7 March 2018, ie during the application of the Personal Data Act, and for the second time on 19 November 2018, ie during the application of the General Data Protection Regulation. For the third time, the applicant has submitted a request for a ban on direct marketing on 21 November 2019, ie during the application of the General Data Protection Regulation and the Data Protection Act. The applicant's case was initiated at the Office of the Data Protection Commissioner on 27 November 2019.

Pursuant to section 38 (3) of the Data Protection Act, Articles 12 and 15-18 of the General Data Protection Regulation, which impose more extensive obligations on the controller than required by the provisions in force at the time of entry into force of the Data Protection Act, do not apply in a case concerning the exercise of the right of inspection or rectification of data if: the application of these provisions of the Data Protection Regulation would be unreasonable for the controller. As the applicant's case has been initiated after the application of the Data Protection Act, the transitional provision pursuant to section 38 (3) of the Data Protection Act will not apply to the right to delete data.

However, the changed legislation must be taken into account. A key principle in EU law is the principle of legal certainty. A number of judgments of the European Court of Justice have led to a ban on the application of retroactive legislation from this principle. According to that prohibition, acts of European Union law do not, as a general rule, have retroactive effect.

In that regard, the case - law has identified two types of retroactivity: actual retroactivity and material retroactivity. Effective retroactivity refers to the application of new legislation to a fact that has fully materialized during the old legislation. In the case law of the European Court of Justice, such de facto retroactivity is in principle prohibited.

Substantive retroactivity refers to the application of new legislation with future effects in a situation that has arisen while the previous legislation was in force, and legally relevant activities will continue during the new legislation. The European Court of Justice has accepted such material retroactivity. The Court has ruled that EU law must be regarded as having legal effects when it enters into force, even when the new legislation determines the consequences of situations which began during the old legislation. The Court has also drawn attention to the need for legal protection for individuals when assessing the permissibility of retroactive legislation.

In the present case, the conduct complained of, namely that the controller did not exercise the applicant's right under Article 12 (4) of the General Data Protection Regulation in refusing to comply with Article 17 of the General Data Protection Regulation and did not stop sending direct marketing at the applicant's request, during the Personal Data Act, and activities have continued since the entry into force of the General Data Protection Regulation. As legally relevant activities have continued during the new legislation, the general data protection regulation will apply.
Applicable law
General privacy setting

Article 12 (1) of the General Data Protection Regulation requires the controller to take appropriate measures to provide the data subject with the information under Articles 13 and 14 and all processing data under Articles 15 to 22 and 34 in a concise, transparent, easily understandable and accessible format in clear and simple language. especially when the information is intended specifically for a child. According to Article 12 (4) of the General Data Protection Regulation, if the controller does not act on a data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request, of the possibility to lodge a complaint with the supervisory authority and other remedies.

Under Article 17 (3) (b) of the General Data Protection Regulation, the controller is not obliged to delete personal data if their processing is necessary to comply with a statutory obligation under the law of a Member State to process them.

Under Article 21 (2) of the General Data Protection Regulation, the data subject has the right to object at any time to the processing of personal data concerning him or her if the personal data are processed for direct marketing purposes. According to paragraph 3 of the same Article, if the data subject objects to the processing of personal data for direct marketing purposes, they may no longer be processed for that purpose.

Article 25 (2) of the General Data Protection Regulation requires the controller to take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.
Retention of patient records

According to section 12 of the Act on the Status and Rights of Patients (785/1992; later the Patients Act), a healthcare professional pursuant to section 2 of the Health Care Professionals Act (559/1994) shall enter in patient documents the information necessary to ensure the organization, planning, implementation and monitoring of patient care. . The health care unit and the self-employed health care professional must keep the patient records for the time required for the organization and implementation of the patient's care, possible claims related to the care and scientific research.

The preparation of patient documents, the more detailed content of the information to be recorded in them and the data retention periods are regulated in more detail by the Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009; later the Patient Document Decree). Section 10 of the Decree defines the basic information to be defined in patient records. According to subsection 1 (1) of the said section, the information to be retained is the patient's name, date of birth, personal identity number, place of residence and contact information. The data must be kept in accordance with section 23 of the Patient Documentation Decree for the period referred to in the annex to the said decree.
Legal issue

The Data Protection Officer will assess and resolve the applicant's case in accordance with the above-mentioned General Data Protection Regulation and the Data Protection Act. The following legal issues need to be assessed

1. whether the controller has exercised the applicant's right of objection under Article 21 (2) of the General Data Protection Regulation in accordance with Article 21 (3); and

2. whether the controller should be ordered to exercise the applicant's right to delete data in accordance with Article 17 (1) of the General Data Protection Regulation.

If the controller has not acted in accordance with the General Data Protection Regulation, the EDPS must assess whether the remedial powers under Article 58 (2) of the General Data Protection Regulation should be exercised.
Decision and justification of the EDPS
Decision

The controller has not exercised the applicant's right under Article 21 (2) of the General Data Protection Regulation to object to the processing of personal data for direct marketing in accordance with Article 21 (3).

The applicant's request for the deletion of personal data is rejected. The applicant shall not be entitled to have personal data deleted pursuant to Article 17 (3) (b).
Note

The Data Protection Officer shall issue a remark to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation concerning the controller's failure to comply with its obligations under Articles 12 (4), 21 (2) and 25 (2) of the General Data Protection Regulation.
Reasoning

The applicant has asked the data controller to terminate the communication for the first time on March 7, 2018 and for the second time on November 19, 2018. The registrar has responded to both requests and stated the importance of the direct marketing ban. In addition, the registrar has informed the applicant in connection with both messages that the direct marketing was due to an error. However, after one year, 21.11.2019, the applicant has received direct marketing from the registrar.

The EDPS considers that the controller has not exercised the applicant's right under Article 21 (2) of the General Data Protection Regulation under Article 21 (3), as the applicant's personal data have been processed for direct marketing purposes despite the applicant's ban on direct marketing.

The controller has reported the error to the applicant, which has been corrected as soon as the error is detected. However, the EDPS notes that the request for deletion has been made three times by the applicant. Each time the registrar has responded to the applicant and stated that he has marked a ban on direct marketing. Despite this, the applicant has received direct marketing. The EDPS considers that the controller has not ensured that the applicant's right is exercised and that the applicant's personal data are processed in accordance with the General Data Protection Regulation. Thus, the EDPS considers that in the processing of personal data by the controller, the controller has not taken appropriate technical and organizational measures to ensure that:that it processes only personal data necessary for the processing (Article 25 (2)).

The EDPS does not consider it necessary to impose other remedies on the controller in accordance with Article 58 (2) of the General Data Protection Regulation with regard to direct marketing. Although the applicant has received direct marketing, the controller has now stopped processing the applicant's personal data for direct marketing. The registrar has also said that he has changed his approach so that the patient has the right to refuse to send eye examination invitations.

When submitting a ban on direct marketing, the applicant must 7.3. and 19.11.2018 submitted a request for deletion of data. The controller did not respond to the request for deletion, but only informed of the ban on direct marketing relevant to the applicant's data. For the third time on 22 November 2018, the applicant has requested that his data be deleted and requested a justification as to why his request has not been responded to.

The controller has refused to exercise the applicant's right to delete data under Article 17 due to the statutory retention obligation imposed on the controller. The registrar is an optician's shop which is required to draw up patient records and to keep them in accordance with Article 23 of the Patient Records Decree for at least the period referred to in the annex to that decree. The patient document must contain, among other things, the applicant's contact information (Section 10 (1) (1) of the Act). Under Article 17 (3) (b) of the General Data Protection Regulation, the data subject does not have this right to have the data deleted if the processing is necessary to comply with a legal obligation. The EDPS considers thatthat the data subject is not entitled to have the data deleted in order to comply with a statutory obligation incumbent on the controller.

Although the controller has not been obliged to delete the applicant's personal data, the EDPS draws attention to the fact that the controller has only provided the applicant with information as to why the applicant's personal data are not deleted only after the applicant's third request. According to Article 12 (4) of the General Data Protection Regulation, the controller shall provide the data subject without delay and at the latest within one month of receipt of the request with a reason for not complying with the applicant's request. Following the applicant's first two requests, the controller has not provided the applicant with the reasons why it has not exercised the right.
Applicable law

EU General Data Protection Regulation (2016/679) Article 12 (4), Article 17 (3), Article 21 (2) and (3), Article 25 (2), Article 58 (2) (b)

Section 2 of the Health Care Professional Personnel Act (559/1994)

Section 12 of the Patient Status and Rights Act (785/1992)

Sections 9, 10 and 23 of the Decree of the Ministry of Social Affairs and Health on patient documents (298/2009)
Appeal

According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).

The decision is not yet final.