Tietosuojavaltuutetun toimisto - 9401/163/18
|Tietosuojavaltuutetun toimisto - 9401/163/18|
|Authority:||Tietosuojavaltuutetun toimisto (Finland)|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 58(2)(d) GDPR
Article 58(2)(b) GDPR
|National Case Number/Name:||9401/163/18|
|European Case Law Identifier:||n/a|
|Original Source:||Finlex (in FI)|
Finnish DPA ordered Euroclear Finland Oy to align its data disclosure activities with data protection regulations. Disclosing shareholder register information via the company's telephone service and disclosing information for direct marketing purposes was held to be unlawful.
A data subject filed a complaint about Euroclear's data disclosing practices. The Finnish DPA investigated the complaint to see if Euroclear was violating data protection laws. Euroclear Finland Oy maintains the public shareholder registers required by law. The company provided a telephone service through which it disclosed information obtained from the shareholder registers of limited liability companies. Shareholder registers are public in nature and can be viewed usually at one of the Euroclear branches. Because of the public nature of the shareholder registers, the company argued that the telephone service was equivalent and comparable to the viewing of the shareholder registers at one of their branches, and therefore lawful.
In addition to the phone service, Euroclear disclosed shareholder register information for direct marketing purposes. Euroclear argued on the basis of the national Companies Act, that since the Act stipulates that copies of the shareholder register, or part thereof, may be disclosed, and the law does not limit the purpose for disclosure, this enabled Euroclear to disclose the obtained information for direct marketing purposes.
Furthermore, Euroclear maintained that they were the data processor and that the limited liability companies, whose shareholder register information was being disclosed, were the controllers. Therefore Euroclear did not have an obligation to inform the data subjects about the data disclosure activities in relation to direct marketing purposes.
The disclosure of shareholder register information via the company’s telephone service was not legal. Methods by which shareholder registers can be made public are expressly provided by law, and telephone service is not one of these methods. Furthermore, the company erroneously assessed its role under GDPR. As Euroclear had made decisions regarding the processing activities, they are therefore considered as being the controller. A processor cannot make decisions independently regarding data disclosure. The company also failed to comply with their obligations as a controller. The company did not inform the data subjects about the disclosure of data for direct marketing purposes, and therefore did not meet the transparency principle set out in Article 5(1)(a) of GDPR. Informing data subjects about their rights regarding direct marketing on their website was not sufficient; the information should have been provided at the time of data processing activities took place.
Therefore, as per Article 58 (2) (b), DPA issued a reprimand to the controller as per and, as per Article 58 (2) (d), ordered the controller to bring the processing operations in compliance with GDPR provisions.
The decision is not final and Euroclear plans to appeal the decision in the administrative court.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.