Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
FINNISH SUPERVISORY AUTHORITY: the Authority has taken the first decision as lead supervisory authority in a cross-border case: the access right has not been exercised in compliance with personal data protection legislation

FINNISH SUPERVISORY AUTHORITY: the Authority has taken the first decision as lead supervisory authority in a cross-border case: the access right has not been exercised in compliance with personal data protection legislation

The European Data Protection Supervisor has ordered to Nissan Nordic Europe Oy to correct its own policy connected to the data subject right to access to data.

The data controller has not provided to data to the client who has required the access to their own personal data within the expiration term required by the General Data Protection Regulation. This is the first decision of the Authority in a cross-border case in which the personal data processing refers to data subject’s resident in different European countries.

The data controller has provided to the person who has to deal with the car dealership information required within the term established into the General Data Protection Regulation. Anyway, any information has been provided, and this bring the client to present a complaint at the Danish Data Protection Authority.

After contact with the Danish supervisory authority, the controller has stated that he would have provided the information to the customer. Still, after two months, the customer has stated that he has not received the information requested.

Nissan Automovite Europe SAS takes place in France, but decisions on the processing of data disputed persons are made at Nissan Nordic Europe Oy. Nissan Nordic Europe Oy takes place in Finland and operates in different Nordic and Baltic countries. Because the processing of personal data on the case is part of an office located in Finland, the Finnish supervisory authority, that is the Office of the Data Protection Authority, has acted as the main supervisory authority on the matter.

The right to access data also applies to call registrations

According to the data provided to the controller, the information has not been provided to the customer within the expiry date due to a human error. The information requested has been successively provided to the customer, with the exception of the call logs. However, the information was not provided until almost two years after the request.

According to the Authority, the call logs have not been provided because the third party has been identifiable from them. Still, the Authority had reserved for the client the possibility of showing up at the office to listen to the registrations of calls that in the past were in its possession.

Still, the Finnish Data Protection Authority considers that the practice of the controller in exercising the right of inspection for the purposes of call registrations was not in line with the General Data Protection Regulation.

The controller provides the data subject with a copy of the personal data processed. A copy of the call registrations can be provided in written form, for example, orthographically or, in second instance, electronically as a registration.

The controller may, if he wishes, provide the data subject with the possibility of listening to the call registration, but this may not be the only way to exercise the right of access.

Furthermore, the Finnish Data Protection Authority stresses that registrations of calls in practice always include the personal data of another person and this cannot be considered an obstacle to the exercise of a registered right.

The Finnish Data Protection Authority has issued an observation to the data controller in merit to the processing of personal data in violation of the General Data Protection Regulation, as well as an order to change their procedures in order to act the right registered in accordance with data protection law. The controller has stated that it will investigate the cause of the error and update its procedures and instructions for the exercise of the right of access.

The decision is not final.

Päätös_4182.146.2019

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA FINLANDIA

Recommended to you

Advanced Research