The company did not respond to private persons’ requests to access their data
Recent sanctions for data protection violations in Finland, an update offered by Lexia – the exclusive law firm member of PrivacyRules for the Finnish jurisdiction. Summary from Markus Myhrberg and Erika Leinonen.
The Office of the Data Protection Ombudsman’s Sanctions Board has imposed an administrative fine of 750,000 euros on the debt collection company. The company had not responded to requests to exercise the rights of the data subject and obstructed and delayed the investigation by avoiding the supervisory authorities.
The company had regularly failed to reply to requests concerning the data protection rights of the data subject. Organizations that process personal data are obliged to respond to requests concerning the rights of the data subject within 1 month. If there are several requests or they are complicated, the controller organization may indicate that it needs an additional period of up to two months. In addition, even if the company no longer processes the personal data of the person, the company must still respond to the person and inform him or her that the data is no longer processed.
In the assessment of the size of the fine it was considered that the matter also concerned the legal protection of the persons. Debt-collection costs can ultimately be enforced by the authorities, and a debtor has the right to know about the threat of judicial debt collection.
Further information: The Office of the Finnish Data Protection Ombudsman
Additional decisions by the Finnish authority: