Companies' direct-marketing practices scrutinized by Finnish data-protection authority
4 February 2020 by Cynthia Kroet
Companies' direct-marketing practices have come under scrutiny in Finland to check their compliance with the EU's General Data Protection Regulation, the country's deputy data-protection ombudsman has told MLex.
"We investigate all the [data protection] complaints we receive. This means that we have many ongoing and parallel investigations right now. To give an example, we're now investigating some cases that concern direct marketing," said Anu Talus in a phone interview from Helsinki.
"The cases concern consent and having the right requirements for this," she added.
Although the Finnish regulator hasn't issued any GDPR fines since the entry into force of the rules in May 2018, Talus said that financial penalties "are an option" in some of the ongoing cases.
Until now, some Finnish companies that breached data-protection rules have received reprimands. Those companies include finance firm Svea Ekonomi, which was ordered to correct its practices after a complaint about the data it used to assess the creditworthiness of customers.
Talus works alongside the data-protection ombudsman on GDPR matters, while Jari Råman — the other deputy — is in charge of cases related to the Data Protection Law Enforcement Directive. Any potential financial penalties need to be agreed on by the three officials.
Rise of complaints
The regulator's office saw the number of data-protection cases rise from about 3,800 three years ago to some 10,000 last year. The office is assessing whether its staffing levels are appropriate or if more resources are needed to deal with the complaints. But, despite the high number of cases, the regulator is still able to carry out own-initiative audits.
Overall, company awareness about GDPR in Finland is quite high, Talus said.
"Most of the businesses have adapted quite well to the requirements, this is, in particular, the case with bigger companies, but it has been harder for SMEs," she said.
Before May this year, the European Commission is expected to present a review with its findings on the effectiveness of the GDPR. Talus said the rules could use some clarification, but added that at this stage, there's "no reason" to make changes, nor to propose amendments.
"We are, of course, waiting for some of the missing pieces [in the legislation], on e-privacy for instance," she said.
The e-privacy bill, first proposed three years ago, was meant to enter into force in parallel with the GDPR, but has been delayed due to a disagreement between the European Parliament, national governments and the commission on issues such as the "cookie walls" that block access to websites without users' consent.
"I'm encouraging all the efforts to conclude this file. And we just hope that solutions regarding the supervisory authority in the text will not create more layers of complexity into the EU decision making process," Talus said.
EU industry chief Thierry Breton said late last month that the proposal is still on the table, despite the deadlock.