Suomen Asiakastieto Oy – Complaint Upheld (Finland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Suomen Asiakastieto Oy, a Finnish credit information company, registered inaccurate data about people due to errors from 2011 to 2017. The Finnish DPA found that the company processed this data without a legal basis, violating GDPR rules. This decision emphasizes the need for companies to ensure data accuracy and have a valid legal basis for processing.
What happened
Suomen Asiakastieto Oy registered inaccurate credit data due to errors from external sources, without a legal basis.
Who was affected
Individuals whose credit information was inaccurately recorded in the company's register.
What the authority found
The Finnish DPA found that the company processed personal data without a valid legal basis, violating GDPR.
Why this matters
This case underscores the need for companies to verify the accuracy of data from external sources and ensure they have a legal basis for processing. It serves as a reminder to maintain data integrity and compliance with GDPR.
GDPR Articles Cited
National Law Articles
Controller is Suomen Asiakastieto Oy, a company that keeps a credit information register. This register gives an overview of the creditworthiness of debtors, whose debts are shown in the register. Suomen Asiakastieto Oy receives information from the Legal Register Centre regarding court cases in which a debtor challenges a payment obligation. [https://gdprhub.eu/index.php%3Ftitle=Tietosuojavaltuutetun_toimisto_(Finland)_-_8211/161/19 Because the Courts and the Legal Register Centre made errors between 2011 and 2017, this information, turned out to be inaccurate and transferred without a legal basis, because it did not fulfil the obligations of Article 6(1) of the (Finnish) Credit Information Act]. Since the controller relied on the information provided by the Legal Register Centre, they also registered inaccurate personal data without a legal basis. A data subject who was registered in controller's credit register because of four cases, requested the DPA to order controller to delete their personal data from the controller’s credit information register, because it was processed without a legal basis and the controller did not provide clear criteria on which they determined the debtor's creditworthiness. The controller, however, argued that they carefully assessed each outcome of court cases to determine the creditworthiness of the debtor, that they had a legal basis to process this information (Article 6(1) Credit Information Act), and that they could not establish fixed criteria of this assessment, since this is “to some extend a matter of human reasoning and consideration” and must therefore be done on a case-by-case basis. First, the DPA noted that, although the issues occurred between 2011 and 2017, the issues had continued since the GDPR entered into force, and therefore, the GDPR applied to this case. Second, the DPA stated that that in each of the four instances, the entries should not have been registered, because these conditions laid down in Article 6(
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (1)
Other enforcement actions involving Suomen Asiakastieto Oy in FI
Details
About this data
Cite as: Cookie Fines. Suomen Asiakastieto Oy - Finland (2021). Retrieved from cookiefines.eu
Last updated: