Alektum Oy – €750,000 Fine (Finland, 2022)

Alektum Oy has declined to answer data subjects request to review their data. The company also hampered and slowed down the investigation The case is based on three different reports made to DPA. In two cases data subject didn't receive any replies from the company and in one case data subject got a general reply but not the information requested. In the case of one data subject, Alektum Oy explained the non-response by saying that it no longer processed personal data of the data subject. DPA stated that even then, the company should have responded to the data subject and inform that they no longer process the data subjects personal data. In case 6707/154/2018 data subject requested to use his right to be forgotten as defined in article 17. Alektum Oy denied to remove data from their system. DPA hold that controller had right to decline the request because the data subject still had outstanding account for the controllers client and the information was still needed for the purpose it was originally collected. The controller should have inform the data subject when his data would be removed. DPA hold that Alektum Oy has violated GDPR Article 15 Subsection 1 and 2 as well as Article 12 Subsection 3 in all three cases. DPA imposed fine of 750,000 euros for the controller.