Otavamedia Oy – €85,000 Fine (Finland, 2022)

Otavamedia Oy (controller) is a publishing company whose online services reach approximately 2 million Finns monthly. Between 2018 and 2021, eleven data subjects complained about the controller to the Finnish Office of the Data Protection Commissioner (DPA). Five complaints concerned the controller's requirement for data subjects to send a filled and signed paper form if they wished to exercise their right for erasure under Article 17 GDPR. The rest reported that the controller did not respond to their subject access requests under Article 15 GDPR that were sent via an online form. With regard to the erasure requests, the controller justified the demand for a person's signature by the need to prevent identity fraud. For the other cases, the controller explained that the requests in question did not reach its customer service staff due to a technical error in its emailing system that lasted for seven months. The DPA held that requiring the printing, filling and signing of a separate form to identify the data subject does not conform with Articles 12(2), 12(6), 5(1)(c) and 25(2) GDPR as it complicates the exercise of data subject rights and processes more personal data than necessary for the data subject's identification. The DPA stressed that the unnecessary collection of data subjects' signature data may actually increase, rather than decrease, the potential risks of misuse while making it more difficult for data subjects to exercise their rights. The controller should have also considered the nature of the personal data concerned, the nature of the request, and the context in which the request is made in determining the means of identification. Whilst controllers may offer different options for the exercise of data subjects' rights, digital identification, such as using the same identifiers when logging in online services provided by the controller, should be one of them. Furthermore, the DPA held that the controller neglected the data protection by design princ