Company X – Complaint Upheld (Finland, 2022)

The controller is X Oy, a provider of parking services. When paying at a payment machine, the customer could choose to receive a digital receipt, a paper receipt, or no receipt. If the customer wanted a digital receipt, they had to give their phone number, so the receipt would have been delivered via SMS. However, when the receipt-printer in a payment machine had a technical failure, the customer was left with the impression that their only option to receive a receipt, was via SMS. Although the customer could have also requested a paper receipt from the customer service, they were not informed of this option. The data subject did not have the opportunity to receive a paper receipt (due to a technical failure) and filed a complaint with the Finnish DPA. The DPA noted that it is not necessary to provide a phone number to receive a receipt, since, even in case of a technical failure, one can contact the customer support to receive a receipt. However, customers knew not about this possibility because the payment machines, in case of a technical default, did not inform the customer that they could do so. Moreover, the DPA considered that, according to Article 25(2), the controller had to implement appropriate technical and organisational measures to ensure that, even in case of a technical failure, it would not collect more data than necessary. Since the controller neglected to implement those measures, the DPA found that the controller violated Article 5(1)(c) and Article 25 GDPR. In accordance with Article 58(2)(d) GDPR, the DPA ordered the controller to bring its processing operations into compliance with the GDPR. Hence, the controller has to implement such measures that, in case of a technical failure in a payment machine, the customer will not have the impression that they would need to provide their phone number in order to receive a receipt.