Deputy Data Protection Ombudsman: individuals must be able to access their credit information for free

Publication date 30.3.2026 12.04 | Published in English on 8.4.2026 at 11.21
Type: Press release

The Deputy Data Protection Ombudsman has determined that the credit information company Dun & Bradstreet Finland’s practice of allowing individuals to only check their credit information for free once per year is not compliant with data protection legislation. Several deficiencies were also found in the company’s practices for responding to personal data requests.

The Deputy Data Protection Ombudsman assessed Dun & Bradstreet’s practices on charging a fee for accessing personal data saved in the Positive credit register and other registers. Customers were regularly charged a fee if they requested their information more than once within a year. According to the Deputy Data Protection Ombudsman, this is a violation of the data protection legislation.

‘As a rule, individuals have the right to access their personal data, including their credit information, free of charge. It is not permitted to automatically charge a fee for providing the data’, says Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa.

According to the law, a fee may only be collected in situations where the request is manifestly unfounded or excessive, for example if the same information is requested repeatedly. 

‘The company’s field of business affects how often information must be provided free of charge. The more frequently personal data or a database is changed, the more often information may be requested without the requests being considered unfounded or excessive. Credit information can change very often’, says Pihamaa. 

Deficiencies in responding to requests as well 

The Office of the Data Protection Ombudsman also investigated Dun & Bradstreet’s practices for responding to customers who have requested access to their personal data. The customers received a pre-written message that only instructed them to log in to an online service. 

The Deputy Data Protection Ombudsman determined that instructing customers to log in to an online service cannot be the only action a company takes when it receives a data request from a customer. The message should also clearly state that the data cannot be provided or that the customer must specify their request. 

A notice was issued to the company and the company was instructed to remedy its practices for responding to data requests and providing the data. The decision is not yet final, as it can be appealed to an administrative court. 

Decision of the Deputy Data Protection Ombudsman TSV/3375/2023 in the Finlex service (in Finnish)

More information: 

Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. +358 29 566 6787 

Information for organisations on respecting the right of access 

Information to private individuals on exercising their right of access

Frequently asked questions about credit information