Oikeusrekisterikeskus – Complaint Upheld (Finland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Finland's data protection authority found that the Legal Register Centre shared incorrect credit information about debtors due to a coding error by the courts. This mistake led to inaccurate data being passed to credit companies, affecting people's creditworthiness. The ruling highlights the importance of accurate data handling and accountability in public institutions.
What happened
The Legal Register Centre shared incorrect credit information about debtors due to a coding error by the courts.
Who was affected
Debtors whose court case outcomes were incorrectly coded and shared with credit information companies.
What the authority found
The Finnish DPA decided that the Legal Register Centre failed to ensure accurate data protection measures, leading to the sharing of incorrect personal data.
Why this matters
This case emphasizes the need for public institutions to maintain accurate data handling processes and take responsibility for errors. It serves as a reminder that even public bodies must comply with data protection rules to avoid harming individuals' credit records.
GDPR Articles Cited
National Law Articles
Controller is the Legal Register Centre, a public institution operating for the Finnish Ministry of Justice. It receives information from the courts, on the outcome of court cases in which a debtor challenges a claim. Then, they provide this information to third parties, like companies that hold a credit information register such as Suomen Asiakastieto Oy and Bisnode Finland Oy. These companies use that information to determine the debtor’s creditworthiness, by assessing the debtor’s ability and/or willingness to pay, after which they can enter this information in their credit information register. Now, Article 6(1) of the (Finnish) Credit Information Act only allows for such information on debtors to be registered if the debtor is either unwilling, and/or unable to pay. Hence, not all information is to be transferred to the companies. Therefore, courts assign a particular code to their judgements, to mark whether the conditions of Article 6(1) have been fulfilled. In 2017, the parliamentary ombudsman concluded that, between 2011 and 2017, courts had assigned the wrong codes to judgements, because a factual challenge by the debtor, of the debt obligation, was automatically registered as unwillingness or inability to pay ([https://www.oikeusasiamies.fi/r/fi/ratkaisut/-/eoar/945/2016 decision EOAK/945/2016]). This had led the Legal Register Centre to register, and transfer, inaccurate personal data on these debtors because the conditions laid down in Article 6(1) Credit Information Act had not been fulfilled. According to the Legal Register Centre, it was not responsible for this mistake. First, the DPA noted that the controller must implement appropriate data protection policies, pursuant to Article 24 GDPR, and that there must be technical and organisational measures in place to assure the data protection principles and protect the rights of data subjects. Moreover, the DPA considered that the entry of payment information in the credit information register concer
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Oikeusrekisterikeskus in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Oikeusrekisterikeskus - Finland (2021). Retrieved from cookiefines.eu
Last updated: