Finnish Tax Administration – Complaint Upheld (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish DPA was notified that the Finnish Tax Administration (the controller) had made unreasonable demands in order to fulfil the access request and had refused to provide a copy of the data subject's personal data to their representative. The data subject, who was resident abroad, had requested the controller to provide the personal data either by secure email or, alternatively, to the Finnish postal address of their representative. The DPA then asked the controller to explain how it facilitated the exercise of data subject rights. In response to the request, the controller clarified that it could only provide the personal data directly to the data subject, as the right of access under Article 15 GDPR is a personal right and requires the data subject’s own request. The controller also stated that it could not provide a copy of the data subject’s personal data by email. Instead, the controller suggested that the data subject could view their personal data by logging into the controller's secure MyTax service. Alternatively, the access request could be made in writing by sending a hand-signed access request form, in which case the controller would provide the personal data to the data subject by post. On the basis of the information provided by the controller, the DPA considered that the data subject's request could not be properly fulfilled by directing the data subject to view their personal data on the controller's online service, but that the controller should have provided the data subject with a copy of the personal data in accordance with Article 15(3) GDPR. The DPA noted that the controller could not require the data subject to sign the access request or to submit it by post. Such requirements do not facilitate the exercise of data subject rights, as required by Article 12(2) GDPR, but on the contrary make it unnecessarily burdensome to submit an access request. The DPA emphasised that the GDPR does not impose any formal requirements for requests regar
GDPR Articles Cited
The Finnish DPA was notified that the Finnish Tax Administration (the controller) had made unreasonable demands in order to fulfil the access request and had refused to provide a copy of the data subject's personal data to their representative. The data subject, who was resident abroad, had requested the controller to provide the personal data either by secure email or, alternatively, to the Finnish postal address of their representative. The DPA then asked the controller to explain how it facilitated the exercise of data subject rights. In response to the request, the controller clarified that it could only provide the personal data directly to the data subject, as the right of access under Article 15 GDPR is a personal right and requires the data subject’s own request. The controller also stated that it could not provide a copy of the data subject’s personal data by email. Instead, the controller suggested that the data subject could view their personal data by logging into the controller's secure MyTax service. Alternatively, the access request could be made in writing by sending a hand-signed access request form, in which case the controller would provide the personal data to the data subject by post. On the basis of the information provided by the controller, the DPA considered that the data subject's request could not be properly fulfilled by directing the data subject to view their personal data on the controller's online service, but that the controller should have provided the data subject with a copy of the personal data in accordance with Article 15(3) GDPR. The DPA noted that the controller could not require the data subject to sign the access request or to submit it by post. Such requirements do not facilitate the exercise of data subject rights, as required by Article 12(2) GDPR, but on the contrary make it unnecessarily burdensome to submit an access request. The DPA emphasised that the GDPR does not impose any formal requirements for requests regar
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Finnish Tax Administration in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Finnish Tax Administration - Finland (2024). Retrieved from cookiefines.eu
Last updated: