Deputy Data Protection Ombudsman: having a representative submit a request to inspect data is allowed
In her decision, the Deputy Data Protection Ombudsman deemed that data subjects can request to inspect the personal data collected on them by having a representative submit the request on their behalf, and can have the organisation deliver their data to the representative. Data protection legislation does not prevent data subjects from exercising their rights through another person.
The data subject who contacted the Office of the Data Protection Ombudsman had requested the Finnish Tax Administration to deliver all information on the data subject to their representative’s postal address. The Finnish Tax Administration had refused to provide the information to the representative and stated that the information could only be delivered to the data subject themself.
The Deputy Data Protection Ombudsman required the Finnish Tax Administration to enable the use of a representative when requesting to inspect personal data.
The General Data Protection Regulation does not prevent data subjects from using a representative when they wish to inspect their personal data. The Data Protection Ombudsman’s previous statement, according to which data subjects cannot have a representative submit a data inspection request for them, was issued when the previous Personal Data Act (523/1999) was in force and is therefore no longer valid under current legislation. If the request is made with the help of another person, the requirements for authorising the other person to legally represent the data subject must be complied with.
Submitting data inspection requests must be supported
The Office of the Data Protection Ombudsman also examined on a broader scale how the Finnish Tax Administration has handled data inspection requests from data subjects. The examination found that the Finnish Tax Administration still followed some obsolete practices that were based on the now repealed Personal Data Act.
The Deputy Data Protection Ombudsman points out that there are no formal requirements for data inspection requests: organisations may not require that the request be signed by hand or made by completing a certain form. Data subjects also cannot generally be required to make the request in person or by regular mail. In fact, organisations must ensure that they make exercising their rights as easy as possible for data subjects. However, they must still ensure data security, meaning they must find a balance between making sure that exercising rights is easy and making sure it is secure.
Organisations can provide an electronic service for inspecting personal data. However, if a data subject requests a copy of their data, it is not sufficient to direct the data subject to such a service.
The Finnish Tax Administration was required to update its practices for personal data inspection requests to bring them in line with the requirements of the General Data Protection Regulation.
Decision of the Deputy Data Protection Ombudsman (in Finlex, in Finnish)
Further information:
Deputy Data Protection Ombudsman Annina Hautala, annina.hautala(at)om.fi, tel. +358 29 566 6776