Office of the Data Protection Ombudsman makes first decision as lead supervisory authority in a cross-border case – right of access implementation did not comply with data protection rules
The Data Protection Ombudsman has ordered Nissan Nordic Europe Plc to correct its practices regarding the data subject's right of access to data. The controller did not provide information to a customer who had requested access to their personal data within the deadline set by the General Data Protection Regulation (GDPR). This is the first ruling by the Data Protection Ombudsman in a cross-border case involving the processing of personal data of data subjects residing in several EU countries.
The controller had indicated that it would provide the car dealer with the information requested by the customer within the time limit laid down in the GDPR. However, the information was not provided and the customer complained to the Danish supervisory authority. After being contacted by the Danish supervisory authority, the controller said it would provide the data to the customer. However, after two months, the customer reported that they still had not received the information they had requested.
The Nissan Automotive Europe S.A.S. Group’s central administration is located in France, but the decisions concerning the processing of personal data that is the subject of the complaint are to be made by Nissan Nordic Europe Plc. Nissan Nordic Europe Plc’s headquarters is located in Finland and the company operates in several Nordic and Baltic countries. As the processing of personal data in this case is carried out by an business located in Finland, the Finnish supervisory authority, the Office of the Data Protection Ombudsman, acted as the lead supervisory authority.
The right of access also applies to telephone call recordings
According to the explanation provided by the controller, human error was the cause of the data not having been provided to the customer within the deadline. The customer was later provided with the requested information, except for the telephone call recordings. However, the information was not provided until almost two years after the request.
According to the controller, the telephone call recordings had not been disclosed by the data controller because the third party had been identifiable from them. However, the controller had reserved an opportunity for the customer to visit its headquarters to listen to the call recordings that were still in its possession at the time. The Office of the Data Protection Ombudsman nevertheless considers that the controller's practice of exercising the right of access to the telephone records did not comply with the GDPR.
The controller is obligated to provide the data subject with a copy of the personal data processed. Such a copy of the call recordings may be provided in written form, for example, as a transcript or, where appropriate, electronically, such as a digital recording. The controller may choose to provide the data subject with the opportunity to listen to the call recording, but this cannot be the only way to exercise the right of access.
Furthermore, the Data Protection Ombudsman notes that, in practice, telephone recordings always include personal data concerning another person, and this cannot be considered as an obstacle to the exercising of the data subject's rights.
The Data Protection Ombudsman issued a warning to the controller for processing personal data in breach of the GDPR and an order to change its practices to comply with data protection legislation. The controller has said that it will clarify the cause of the error and has updated its procedures and instructions for exercising the right of access.
The decision is not yet final.
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766