- Date of final decision: 9 May 2022
- Cross-border case or national case: National case
- Controller: Otavamedia Oy
- Legal Reference: Data minimisation (Article 5(1)(c)), transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), right of access (Article 15), right to erasure (Article 17), data protection by design and by default (Article 25)
- Decision: Administrative fine, reprimand and order to comply
- Key words: rights of the data subject, identification
Summary of the Decision
Origin of the case:
From 2018 to 2021, eleven cases concerning Otavamedia were brought to the Finnish SA. Among other things, the complainants had not received a response to their requests or enquiries concerning data protection rights.
According to the report by Otavamedia, some of the data protection requests had not been fulfilled because of a technical fault in the e-mail redirect that arose when service providers were changed. While the fault persisted, messages arriving in the e-mail inbox reserved for data protection issues were not forwarded to customer service. The fault was discovered only because of the request for information by the Finnish SA. By that time, it had lasted for seven months.
The Finnish SA finds that Otavamedia should have tested the e-mail inbox, because it was the main electronic contact channel for data subjects in data protection matters.
Data subjects were also able to submit requests concerning their own data with a printable form. The form required the person's signature for identification purposes. The Finnish SA finds that through this method, Otavamedia gathered an excessive amount of information for identification. The Finnish SA notes that the controller may not hinder data subjects in exercising their rights.
The Finnish SA imposed an administrative fine of EUR 85,000 on the controller for deficiencies in the implementation of the rights of the data subject via the e-mail channel. The Finnish SA ordered the controller to correct its procedures in order to comply with the data protection regulations and stop using the signed form. In addition, the company was issued a reprimand for neglecting the rights of the data subject.
For further information: decision in national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.