Dun & Bradstreet Finland Oy – Violation Found (Finland, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Dun & Bradstreet Finland Oy failed to properly respond to requests from people wanting access to their personal data. They also charged a fee for access requests, which was found to be unlawful. This case highlights the importance of companies properly handling data access requests and not charging fees that violate privacy rules.
What happened
Dun & Bradstreet Finland Oy did not adequately respond to requests for personal data access and charged an unlawful fee for such requests.
Who was affected
Individuals who requested access to their personal data from Dun & Bradstreet Finland Oy were affected.
What the authority found
The DPA found that Dun & Bradstreet Finland Oy did not comply with GDPR requirements for responding to access requests and unlawfully charged a fee for access.
Why this matters
This ruling emphasizes that companies must respond correctly to data access requests and cannot impose fees that violate privacy regulations. Businesses should review their processes to ensure compliance with data access rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Dun & Bradstreet Finland Oy (the controller) is a credit information agency. It maintained a credit information register containing data on natural persons and businesses, as well as a contact information and personal marketing register. Data subjects emailed the controller requesting access to their personal data and information on the processing of their data. The controller replied with a standard email. It told them to use OmaData, its personal data access portal. It did not respond to the requests otherwise or take any further measures to implement them. The controller’s website stated that access was free once within a 12-month period. If a data subject requested access more than once within that period, the controller would charge EUR 9.90. This applied to requests concerning credit data. The DPA received several complaints between May 2018 and June 2021. It then opened an ex-officio investigation into the controller’s handling of access requests and its fee practice. The DPA held that the controller failed to respond properly to the data subjects’ requests and charged an unlawful fee for access requests. It breached Articles 12(2), (3), (4), (5), and 15(4) GDPR. The DPA issued the controller a reprimand and an order to bring its procedures into compliance when implementing the data subjects’ right of access. 1. The controller failed to properly respond to access requests In response to requests for access, the DPA found that the controller merely directed data subjects by email to the OmaData service. The controller did not inform data subjects, as required by Article 12(3) GDPR, what measures it would take in response to the request; nor did it inform the data subjects that it would not take action on the request. The DPA reasoned that this could reasonably lead data subjects to believe that access to their data was available only through OmaData. If data subjects did not wish to use that service, they had to contact the controller again. The controlle
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Dun & Bradstreet Finland Oy in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Dun & Bradstreet Finland Oy - Finland (2026). Retrieved from cookiefines.eu
Last updated: