Dun & Bradstreet Finland Oy – Violation Found (Finland, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Dun & Bradstreet Finland failed to properly handle requests from people wanting to access their personal data. This is important because everyone has the right to know what information companies hold about them. The company was told to improve its procedures to comply with data access rights.
What happened
Dun & Bradstreet Finland did not respond correctly to requests for access to personal data and charged an unlawful fee for extra requests.
Who was affected
Individuals who requested access to their personal data held by Dun & Bradstreet Finland.
What the authority found
The data protection authority found that the company breached multiple GDPR rules by not responding adequately and charging for access.
Why this matters
This ruling emphasizes that companies must respect individuals' rights to access their data without unnecessary fees. It serves as a reminder for businesses to have clear and compliant data access procedures.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Dun & Bradstreet Finland Oy (the controller) is a credit information agency. It maintained a credit information register containing data on natural persons and businesses, as well as a contact information and personal marketing register. Data subjects emailed the controller requesting access to their personal data and information on the processing of their data. The controller replied with a standard email. It told them to use OmaData, its personal data access portal. It did not respond to the requests otherwise or take any further measures to implement them. The controller’s website stated that access was free once within a 12-month period. If a data subject requested access more than once within that period, the controller would charge EUR 9.90. This applied to requests concerning credit data. The DPA received several complaints between May 2018 and June 2021. It then opened an ex-officio investigation into the controller’s handling of access requests and its fee practice. The DPA held that the controller failed to respond properly to the data subjects’ requests and charged an unlawful fee for access requests. It breached Articles 12(2), (3), (4), (5), and 15(4) GDPR. The DPA issued the controller a reprimand and an order to bring its procedures into compliance when implementing the data subjects’ right of access. 1. The controller failed to properly respond to access requests In response to requests for access, the DPA found that the controller merely directed data subjects by email to the OmaData service. The controller did not inform data subjects, as required by Article 12(3) GDPR, what measures it would take in response to the request; nor did it inform the data subjects that it would not take action on the request. The DPA reasoned that this could reasonably lead data subjects to believe that access to their data was available only through OmaData. If data subjects did not wish to use that service, they had to contact the controller again. The controlle
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Dun & Bradstreet Finland Oy in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Dun & Bradstreet Finland Oy - Finland (2026). Retrieved from cookiefines.eu
Last updated: