Administrative fine on Otavamedia for deficiencies in the implementation of data protection rights
The Data Protection Ombudsman discovered deficiencies in the implementation of requests for access to and erasure of data registered by Otavamedia Oy. In addition, requiring a form to be signed in order to identify the customer was against the data protection regulations.
From 2018 to 2021, eleven cases concerning Otavamedia were brought to the Office of the Data Protection Ombudsman. Among other things, the complainants had not received a response to their requests or enquiries concerning data protection rights.
The contact channels for data subjects must be tested regularly
According to the report by Otavamedia, some of the data protection requests had not been implemented due to a technical issue in the e-mail redirect when service providers were changed. While the fault persisted, messages that arrived in the e-mail inbox reserved for data protection issues were not directed to customer service staff members. The situation was only discovered due to the request for information by the Office of the Data Protection Ombudsman. At that time, the interruption of the e-mail redirect had lasted for seven months.
The Data Protection Ombudsman finds that Otavamedia should have ensured that the e-mail inbox was tested, because it was the main electronic contact channel of data subjects in data protection matters.
The company later implemented all data protection requests subject to the complaints and reported that it had put a process in place for testing the e-mail regularly.
Unnecessary information must not be requested for identification
Data subjects were also able to submit requests concerning their own data to Otavamedia with a printable form. The form required the person's signature for identification purposes.
The Data Protection Ombudsman finds that through this method, Otavamedia gathered an excessive amount of information for identification. Otavamedia does not process signature data in other contexts; as a result, it would not have been possible to compare the signature with data already in its possession, for instance.
The Data Protection Ombudsman points out that a controller may not hinder data subjects in exercising their rights. For example, it is not possible to require data protection requests to be in a specific format without a justified reason. Unlike the old Personal Data Act, the General Data Protection Regulation does not require a signature in order to verify identity.
Administrative fine and caution due to data protection violations
The Office of the Data Protection Ombudsman's sanctions board imposed an administrative fine of EUR 85,000 on Otavamedia for deficiencies in the implementation of the rights of the data subject via an e-mail channel. The Data Protection Ombudsman ordered Otavamedia to correct its procedures in order to comply with the data protection regulations and stop using the signed form. In addition, the company was issued a caution for neglecting the rights of the data subject.
According to the sanctions board, the deficiencies in the procedure on implementing data protection rights have affected a large number of data subjects. The online services of Otavamedia reach more than 2 million Finns per month.
The decisions are legally valid.
Decision of the Data Protection Ombudsman and the sanctions board in Finlex (in Finnish)
Further information:
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.