Wolt – Complaint Upheld (Finland, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject’s Wolt account was blocked in January 2022 after a food delivery order was marked as potentially fraudulent. The data subject then requested access to his personal data from Wolt. He first made a request in early 2022 and later sent a written access request by letter on 22 August 2022. Wolt replied on 2 September 2022 that the response would be delayed due to staff absence and promised a reply by 30 September 2022. No response was ever provided.

Wolt later explained that multiple accounts existed under the data subject’s name with different email addresses, and that the email address mentioned in the letter did not correspond to a registered account. Wolt stated that it could not properly identify the complainant based on the letter and that the failure to respond resulted from human error.

The data subject also suspected that his payment data had been disclosed to third parties because payment attempts linked to his address had allegedly been blocked. Wolt stated that three failed transactions in April 2023 were prevented by its fraud detection system and denied any unlawful disclosure of payment data.

The DPA held that Wolt infringed Article 12(2) and 12(4) GDPR. Even if Wolt could not identify the data subject based on the information provided, it was required to facilitate the exercise of rights and to inform the complainant within one month of the reasons for not acting on the request, including information about the right to lodge a complaint. The authority accepted that Wolt had grounds under Article 12(6) GDPR to request additional information to verify the data subject’s identity. However, Wolt failed to inform the complainant how he could verify his identity and failed to issue a timely refusal.

Despite finding an infringement, the DPA did not issue a corrective order, considering that the failure resulted from human error, that Wolt had internal procedures in place, and that it had subsequently contacted the complainant to enable a
GDPR Articles Cited
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Wolt in FI
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Wolt - Finland (2026). Retrieved from cookiefines.eu