Administrative fine imposed on collection agency for serious data protection violations – company did not respond to private citizens' requests to access their data
The Office of the Data Protection Ombudsman's Sanctions Board has imposed an administrative fine of 750,000 euros on Alektum Oy. The collection agency had not responded to requests to exercise the rights of the data subject. The company also obstructed and delayed the investigation by avoiding the supervisory authorities.
The Office of the Data Protection Ombudsman began an investigation after having received three complaints from private individuals. Two of the complaints said that Alektum Oy had not replied to requests to access the complainants' data. One of the complainants had received a reply from Alektum Oy, but had still not been given the requested copy of their personal data.
”The right of access is a key data protection right. If a person does not have access to their data, they have no opportunity to, for example, rectify inaccurate data or confirm the lawfulness of the processing”, says Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa.
The Office of the Data Protection Ombudsman's investigation revealed that Alektum Oy had regularly failed to reply to requests concerning the data protection rights of the data subject. An organisation that processes personal data is obliged to respond to requests concerning the exercise of the rights of the data subject within one month. If the requests are many or complex, the organisation serving as the controller can notify the data subject that it needs up to two months more for processing the request.
For one complainant, Alektum Oy explained its lack of response by alleging that it was no longer processing the data subject's personal data. Even if that was the case, the company should still have replied to the request and told the data subject that the company was no longer processing their personal data. The Sanctions Board fins that the company was not sufficiently familiar with the requirements of data protection legislation and its operations indicated indifference regarding the law.
The company failed to cooperate with the supervisory authority
The Office of the Data Protection Ombudsman made a variety of attempts to hear Alektum Oy during the investigation. The Sanctions Board finds that the company was unwilling to explain its conduct or cooperate with the Office of the Data Protection Ombudsman. According to the General Data Protection Regulation, an organisation acting as a controller must cooperate with the supervisory authority and supply the information requested by the data protection authority.
In its assessment, the Sanctions Board also considered the fact that the matter also involved the legal protection of the individuals involved. Debt-collection costs can ultimately be enforced by the authorities, and a debtor has the right to know about the threat of judicial debt collection.
The decisions of the Deputy Data Protection Ombudsman and Sanctions Board are not yet final. They can be appealed in the Administrative Court.
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. +358 29 566 6787
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.