Administrative fine imposed on Suomen Asiakastieto for non-compliance with the Data Protection Ombudsman's order
The Sanctions Board of the Office of the Data Protection Ombudsman has imposed an administrative fine on 440,000 euros on Suomen Asiakastieto Oy for failing to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The Sanctions Board stresses that the processing of payment default information has a significant impact on the rights and freedoms of individuals.
In 2021, the Office of the Data Protection Ombudsman investigated Suomen Asiakastieto's processing of payment default information based on final decisions. At the time, the Data Protection Ombudsman found that information based on decisions issued in civil cases should not have been stored as payment default entries.
The Sanctions Board pointed out that a payment default entry has a significant impact on the rights and freedoms of individuals. For example, a payment default entry can cause the credit card issuer to demand the card's return, and it will probably be more difficult for the individual to obtain credit in the future. The Legal Register Centre discloses payment default information to Suomen Asiakastieto on a daily basis for entering into the credit information register. Payment default entries made into the credit information register are also extensively disclosed for a variety of purposes.
”Inaccurate payment default entries can result in the individual being refused a rental flat or home insurance, for example. Such information often concerns people in difficult situations who may not have the resources to defend their own rights”, says Data Protection Ombudsman Anu Talus.
Inaccurate payment default entries based on final decisions should have been erased
In November 2021, the Data Protection Ombudsman ordered the company to rectify its practices in registering payment default entries based on final decisions and to erase all inaccurate payment default entries which had resulted from such practices. The company was ordered to submit a report of the measures which it had taken due to the order and to report the number of erased payment default entries to the Office of the Data Protection Ombudsman. Suomen Asiakastieto did not appeal the decision.
In its report to the Office of the Data Protection Ombudsman, the company stated that it had changed its practice for registering payment default entries based on final decisions. The company stated that it was practically impossible for it to find the entries related to disputed cases from its register retrospectively, since it had not been informed by the Legal Register Centre of which decisions had been delivered to it on inaccurate grounds.
The Office of the Data Protection Ombudsman contacted Suomen Asiakastieto in January 2023 in order to consult the company for the assessment of sanction. The company stated that it had interpreted the Data Protection Ombudsman's order incorrectly and had now erased all payment default entries based on final decisions from its register.
The Sanctions Board of the Office of the Data Protection Ombudsman finds that the controller has consciously decided not to comply with the Data Protection Ombudsman's order. The company's conduct must thus be considered intentional.
According to the Office of the Data Protection Ombudsman, the inaccurate payment default entries could have been erased because the Legal Register Centre discloses payment default information based on final decisions to Suomen Asiakastieto in the format in which they are saved in the register of court decisions. Decisions can be retrieved from the register for 10 years from their date of issue.
The Credit Information Act was amended with regard to payment default entries based on final decisions in June 2022. According to the Act, a payment default entry based on a final court decision may only be registered if the amount or basis of the demand for payment has not been contested.
The decision is not final and can be appealed in the Administrative Court.
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.