Wolt – Complaint Upheld (Finland, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Wolt faced a complaint for not responding to a user's request for personal data access. The company failed to provide a timely response and did not properly inform the user about how to verify their identity. This case serves as a reminder for businesses to handle user requests promptly and clearly.
What happened
Wolt did not respond to a user's request for access to their personal data within the required time frame.
Who was affected
A user of Wolt whose account was blocked and sought access to their personal data.
What the authority found
The Finnish DPA ruled that Wolt violated GDPR Articles 12(2) and 12(4) by not facilitating the user's rights and failing to communicate effectively.
Why this matters
This case shows that companies must prioritize user requests for data access and be clear about the process. Small businesses should ensure they have procedures in place to handle such requests efficiently.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject’s Wolt account was blocked in January 2022 following a food delivery order was marked as potentially fraudulent. The data subject then requested access to his personal data from Wolt. He first made a request in early 2022 and later sent a written access request by letter on 22 August 2022. Wolt replied on 2 September 2022 that the response would be delayed due to staff absence and promised a reply by 30 September 2022. No response was ever provided. Wolt later explained that multiple accounts existed under the data subject’s name with different email addresses, and that the email address mentioned in the letter did not correspond to a registered account. Wolt stated that it could not properly identify the complainant based on the letter and that the failure to respond resulted from human error. The data subject also suspected that his payment data had been disclosed to third parties because payment attempts linked to his address had allegedly been blocked. Wolt stated that three failed transactions in April 2023 were prevented by its fraud detection system and denied any unlawful disclosure of payment data. The DPA held that Wolt infringed Article 12(2) and 12(4) GDPR. Even if Wolt could not identify the data subject based on the information provided, it was required to facilitate the exercise of rights and to inform the complainant within one month of the reasons for not acting on the request, including information about the right to lodge a complaint. The authority accepted that Wolt had grounds under Article 12(6) GDPR to request additional information to verify the data subject’s identity. However, Wolt failed to inform the complainant how he could verify his identity and failed to issue a timely refusal. Despite finding an infringement, the DPA did not issue a corrective order, considering that the failure resulted from human error, that Wolt had internal procedures in place, and that it had subsequently contacted the complainant to enable a
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Wolt in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Wolt - Finland (2026). Retrieved from cookiefines.eu
Last updated: