Anonymous (X & Y) – Complaint Upheld (Finland, 2021)

Between 4 September 2018 and 3 June 2019, four complaints were lodged with the Finnish DPA concerning unsolicited direct marketing calls made by automated calling systems (commonly referred to as 'Robocalls'). Company Y was conducting these robocalls on behalf of Company X. Having regard to the facts of the case, Y was thus acting as a processor in the sense of Article 4(8) GDPR, while X was acting as a controller in the sense of Article 4(7) GDPR. The Finnish DPA had already discussed and ruled on the lawfulness of X and Y's data processing operations in two other cases (case n°2890/161/2021, and case n°2889/161/21 respectively). In the context of these proceedings, it had become apparent that X and Y had not signed a data processing agreement, as normally required by Article 28(3) GDPR. The Finnish DPA therefore decided to analyse this specific point separately. Taking into account all the information collected from both parties, the Finnish DPA came to the conclusion that there was no personal data processing agreement between X and Y at the time when Y processed personal data on behalf of X. The Finnish DPA therefore concluded that Article 28 (3) GDPR had been breached. Regarding the possibility to impose a fine on Y, the Sanction Chamber of the Finnish DPA, after considering all the relevant circumstances, concluded that imposing a pecuniary sanction would not be proportionate. The Sanction Chamber of the Finnish DPA considered those facts in particular: (1) the fact that the duty to enter into a data processing agreement mainly lies with the controller (X) rather than the processor (Y); (2) the fact that Y had a very low annual turnover (i.e. only 839.33 EUR for the year 2020) and; (3) the fact that Y had already ceased all processing operations on 1 March 2021 and had filed for bankruptcy on 18 June 2021.