The Administrative Court of Eastern Finland has rejected the appeal of the Finnish Business Register, which maintains the company directory, against an administrative penalty. In 2023, the Penalty Board of the Office of the Data Protection Ombudsman imposed a penalty of 23,000 euros on the company for violations related to the provision of call recordings and failure to comply with an earlier order from the authority.

The Office of the Data Protection Ombudsman investigated the operations of the Finnish Business Register based on several complaints received in 2019–2022. The private entrepreneurs who complained to the Data Protection Ombudsman had requested recordings of sales calls from the Finnish Business Register so that they could check the content of the call. According to the complainants, the summaries provided by the company did not correspond to the sales calls.

The Office of the Data Protection Ombudsman concluded in its decision in the summer of 2023 that the Finnish Business Register had not provided call recordings in accordance with data protection regulations. The Deputy Data Protection Ombudsman had previously ordered the company to correct its practice in providing recordings to comply with the law and instructed the company on the correct course of action. A penalty payment was imposed because the company had not complied with the order.

The Administrative Court rejected the appeal of the Finnish Business Register and upheld the decision of the Office of the Data Protection Ombudsman. The Administrative Court found that the company’s violation had been intentional and that it had failed to correct its practices despite the order and instructions.

The Finnish Business Register stated that it had not provided recordings of sales calls, as it said that the customer contacts were only related to complaints about invoices. The Administrative Court reminded that a company cannot refuse to provide recordings simply because the requester has not invoked their right of inspection under the General Data Protection Regulation. The company must assess for itself whether the General Data Protection Regulation obliges them to provide the requested personal data.

The Finnish Business Register is the subsidiary name of Suomen Avainsanat Oy.

The decision is final.

https://tietosuoja.fi/-/hallinto-oikeus-piti-voimassa-suomen-yritysrekisterille-maaratyn-seuraamusmaksun-tietosuojarikkomuksista