Finnish Tax Administration – Complaint Upheld (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish Data Protection Authority upheld a complaint against the Finnish Tax Administration for making it hard for a person living abroad to access their personal data. This is important because it shows that organizations must make it easy for users to exercise their rights. The authority found that the Tax Administration's requirements were too burdensome.
What happened
The Finnish Tax Administration made unreasonable demands to fulfill a data access request from a person living abroad.
Who was affected
A person living abroad who requested access to their personal data from the Finnish Tax Administration.
What the authority found
The authority decided that the Tax Administration did not properly facilitate the person's right to access their data as required by GDPR.
Why this matters
This ruling highlights the need for organizations to simplify the process for users to access their personal data. It reinforces the importance of user-friendly practices in data protection.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Finnish DPA was notified that the Finnish Tax Administration (the controller) had made unreasonable demands in order to fulfil the access request and had refused to provide a copy of the data subject's personal data to their representative. The data subject, who was resident abroad, had requested the controller to provide the personal data either by secure email or, alternatively, to the Finnish postal address of their representative. The DPA then asked the controller to explain how it facilitated the exercise of data subject rights. In response to the request, the controller clarified that it could only provide the personal data directly to the data subject, as the right of access under Article 15 GDPR is a personal right and requires the data subject’s own request. The controller also stated that it could not provide a copy of the data subject’s personal data by email. Instead, the controller suggested that the data subject could view their personal data by logging into the controller's secure MyTax service. Alternatively, the access request could be made in writing by sending a hand-signed access request form, in which case the controller would provide the personal data to the data subject by post. On the basis of the information provided by the controller, the DPA considered that the data subject's request could not be properly fulfilled by directing the data subject to view their personal data on the controller's online service, but that the controller should have provided the data subject with a copy of the personal data in accordance with Article 15(3) GDPR. The DPA noted that the controller could not require the data subject to sign the access request or to submit it by post. Such requirements do not facilitate the exercise of data subject rights, as required by Article 12(2) GDPR, but on the contrary make it unnecessarily burdensome to submit an access request. The DPA emphasised that the GDPR does not impose any formal requirements for requests regar
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Finnish Tax Administration in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Finnish Tax Administration - Finland (2024). Retrieved from cookiefines.eu
Last updated: