Otavamedia Oy – €85,000 Fine (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Otavamedia Oy was fined for making it difficult for users to exercise their rights to delete their personal data. The company required users to send a signed paper form to request deletion, which was seen as unnecessary and complicated. This ruling highlights the need for companies to make it easy for users to manage their personal information.
What happened
Otavamedia Oy required users to submit a signed paper form to request the deletion of their personal data.
Who was affected
Users who wanted to exercise their right to delete their personal data from Otavamedia Oy.
What the authority found
The Finnish DPA ruled that Otavamedia's requirement for a signed form violated data protection rules by complicating the process for users to exercise their rights.
Why this matters
This ruling underscores the importance of simplifying processes for users to manage their personal data. Companies should adopt user-friendly methods for handling data requests.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Otavamedia Oy (controller) is a publishing company whose online services reach approximately 2 million Finns monthly. Between 2018 and 2021, eleven data subjects complained about the controller to the Finnish Office of the Data Protection Commissioner (DPA). Five complaints concerned the controller's requirement for data subjects to send a filled and signed paper form if they wished to exercise their right for erasure under Article 17 GDPR. The rest reported that the controller did not respond to their subject access requests under Article 15 GDPR that were sent via an online form. With regard to the erasure requests, the controller justified the demand for a person's signature by the need to prevent identity fraud. For the other cases, the controller explained that the requests in question did not reach its customer service staff due to a technical error in its emailing system that lasted for seven months. The DPA held that requiring the printing, filling and signing of a separate form to identify the data subject does not conform with Articles 12(2), 12(6), 5(1)(c) and 25(2) GDPR as it complicates the exercise of data subject rights and processes more personal data than necessary for the data subject's identification. The DPA stressed that the unnecessary collection of data subjects' signature data may actually increase, rather than decrease, the potential risks of misuse while making it more difficult for data subjects to exercise their rights. The controller should have also considered the nature of the personal data concerned, the nature of the request, and the context in which the request is made in determining the means of identification. Whilst controllers may offer different options for the exercise of data subjects' rights, digital identification, such as using the same identifiers when logging in online services provided by the controller, should be one of them. Furthermore, the DPA held that the controller neglected the data protection by design princ
Related Enforcement Actions (0)
No other enforcement actions found for Otavamedia Oy in FI
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 May 2022
Authority
DPA Tietosuojavaltuutetu
Fine Amount
€85,000
About this data
Cite as: Cookie Fines. Otavamedia Oy - Finland (2022). Retrieved from cookiefines.eu
Last updated: