The Data Protection Ordinance also applies to the transmission data of the mobile phone subscription when it concerns personal data, according to the deputy data protection commissioner in his recent decision. The deputy data protection commissioner also emphasizes that the information must be submitted electronically, if requested.

The deputy data protection commissioner investigated the operation of the mobile phone operator based on the complaint he received. The person had requested access to all information related to the use of his mobile phone subscription. He had listed as such information the start and end times of calls, recipients of calls, location information, forwarding information and other technical information. He had asked to receive the information electronically.

The mobile phone operator had only provided the person with some of the information he requested and mainly in paper form by post. Some of the requested information could be downloaded from the operator’s electronic self-service service.

The deputy data protection commissioner considered that the mobile phone operator had acted in violation of the data protection legislation when it had not submitted the information electronically despite the request. The mobile phone operator justified its actions with, among other things, data security problems and the fact that it could not verify that the e-mail address belonged to the person who made the request. The deputy data protection commissioner emphasized that the information could have been sent by mail, for example with a memory stick instead of paper printouts. The deputy data protection commissioner issued a notice to the mobile phone operator.

The decision of the Deputy Data Protection Commissioner also raised the issue of the concept of proxy data. An assessment of whether it is personal data is made separately for each relayed data. Not all proxy data is necessarily personal data, and the data protection regulation only applies to proxy data that is personal data. In this case, the deputy data protection commissioner did not assess the matter, because the person who filed the complaint did not say which individual proxy data he wanted to receive.

It is not within the authority of the data protection officer to define which information is proxy data and which proxy data of one’s own mobile phone subscription a person is entitled to receive. The definition of these matters belongs to the Finnish Transport and Communications Agency Traficom.

The decision is not yet legally binding.

https://tietosuoja.fi/-/apulaistietosuojavaltuutettu-matkapuhelinliittyman-valitystiedot-voivat-olla-henkilotietoja