Lde: Created page with “{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/258/2022 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tietosuojavaltuutettu/2026/2 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Origina…”
|Jurisdiction=Finland
|DPA-BG-Color=
|DPAlogo=LogoFI.png
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)
|Case_Number_Name=TSV/258/2022
|ECLI=
|Original_Source_Name_1=Finlex
|Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tietosuojavaltuutettu/2026/2
|Original_Source_Language_1=Finnish
|Original_Source_Language__Code_1=FI
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=03.02.2026
|Date_Published=
|Year=2026
|Fine=
|Currency=
|GDPR_Article_1=Article 12(2) GDPR
|GDPR_Article_Link_1=Article 12 GDPR#2
|GDPR_Article_2=Article 12(4) GDPR
|GDPR_Article_Link_2=Article 12 GDPR#4
|GDPR_Article_3=Article 12(6) GDPR
|GDPR_Article_Link_3=Article 12 GDPR#6
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_Link_5=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=Wolt
|Party_Link_1=https://wolt.com/en/aut
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=lde
|
}}
The DPA found that Wolt violated [[Article 12 GDPR|Article 12 GDPR]] by failing to respond properly and in time to a data subject’s access request, thus failing to facilitate the exercise of rights or provide a timely refusal.
== English Summary ==
=== Facts ===
The data subject’s Wolt account was blocked in January 2022 following a food delivery order was marked as potentially fraudulent. The data subject then requested access to his personal data from Wolt. He first made a request in early 2022 and later sent a written access request by letter on 22 August 2022.
Wolt replied on 2 September 2022 that the response would be delayed due to staff absence and promised a reply by 30 September 2022. No response was ever provided.
Wolt later explained that multiple accounts existed under the data subject’s name with different email addresses, and that the email address mentioned in the letter did not correspond to a registered account. Wolt stated that it could not properly identify the complainant based on the letter and that the failure to respond resulted from human error.
The data subject also suspected that his payment data had been disclosed to third parties because payment attempts linked to his address had allegedly been blocked. Wolt stated that three failed transactions in April 2023 were prevented by its fraud detection system and denied any unlawful disclosure of payment data.
=== Holding ===
The DPA held that Wolt infringed Article 12(2) and 12(4) GDPR.
Even if Wolt could not identify the data subject based on the information provided, it was required to facilitate the exercise of rights and to inform the complainant within one month of the reasons for not acting on the request, including information about the right to lodge a complaint.
The authority accepted that Wolt had grounds under [[Article 12 GDPR#6|Article 12(6) GDPR]] to request additional information to verify the data subject’s identity. However, Wolt failed to inform the complainant how he could verify his identity and failed to issue a timely refusal.
Despite finding an infringement, the DPA did not issue a corrective order, considering that the failure resulted from human error, that Wolt had internal procedures in place, and that it had subsequently contacted the complainant to enable access. The suspicion regarding unlawful disclosure of payment data was not substantiated, and the case was closed.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
<pre>
Decision of the Data Protection Commissioner
Case
Exercise of the data subject’s right
Controller
Wolt Oy
Background of the case
The data subject has filed a complaint against the controller with the Berlin Data Protection Authority on 7 November 2022. The controller’s service is available in several other EU countries in addition to Germany. The controller’s main office is in Finland and therefore the Office of the Data Protection Commissioner has considered itself competent to handle the complaint as the lead supervisory authority in accordance with Article 56(1) of the General Data Protection Regulation ((EU) 2016/679). The Berlin Supervisory Authority transferred the complaint to the Office of the Data Protection Commissioner for processing on 22 December 2022.
The data subject’s claims and justifications
According to the complainant, the controller has blocked the complainant’s access to the application in January 2022 after an incorrect food delivery. The complainant had first requested a copy of his personal data in January 2022. The complainant had later also sent the request by letter on 22 August 2022.
On 2 September 2022, the controller had replied to the complainant and stated that the controller’s response would be delayed due to the holiday. The controller had promised to respond to the request by 30 September 2022. On 7 October 2022, the complainant had reminded the controller to implement the request. The complainant had not received a response from the controller.
The complainant also suspects that the controller has disclosed his payment information to third parties. The complainant states that his spouse or other persons who have ordered from his address using the controller’s application are unable to pay for their orders, and they have not been informed of the reason for this.
Information received from the controller
The Office of the Data Protection Ombudsman has requested an explanation from the controller on 5 May 2023. The controller has responded to the request for explanation on 21 June 2023.
According to the controller, there are several user accounts in its service under the name of the complainant. Two (2) user accounts have been opened under the name of the complainant, one (1) account under the name [name deleted] and one (1) user account referring to a business account. These registered user accounts have three (3) different email addresses: [addresses deleted].
The complainant contacted the controller in January 2022 regarding a delay in a certain delivery and the related compensation. Based on the controller’s internal investigation, the complainant requested in February 2022 by email to [address deleted] that the complainant’s user account be deleted. The deletion of the account was carried out in accordance with the controller’s internal policies. Based on the internal investigation of the controller, there are no documents that would indicate that the complainant had requested access to his/her data in January-February 2022 from officially registered user accounts known to the controller.
Later (23 August 2022), the controller received a letter dated 22 August 2022 requesting, among other things, access to personal data. The request concerned a user account with the email address [address deleted]. The letter also mentioned the order number as additional information. The controller launched an internal investigation to identify the complainant and verify the user account subject to the request.
The controller did not find a user account registered with the address [address deleted]. According to the controller, it investigated the matter and informed the complainant of the delay in responding on 2 September 2022 due to the temporary absence of the person handling the matter. However, due to human error, the complainant was never replied to thereafter.
The controller states that it did not instruct the complainant on how to proceed with the request for the right of inspection. According to the controller, the failure to provide instructions was contrary to the controller’s normal practice and internal guidelines. The controller states that it could not have properly identified the complainant from the letter.
According to the controller, it contacted the complainant in June 2023 and ensured that the complainant was informed of how to access his personal data.
According to the controller, there were three (3) unsuccessful purchases on the complainant’s account [name removed] (registered at [address removed]) in April 2023. These were prevented by the controller’s anti-fraud system. In addition, the controller did not find any information that someone else’s order related to this matter had been blocked.
The controller states in general that the blocking of a potential order at the payment stage could be due, for example, to a possible fraud prevention mechanism, which in this case could have been an unfortunate coincidence. In such a case, the reason for the blocking of an individual order will not be explained in more detail in the response to the user, so as not to inform the potential perpetrator of payment card fraud about the rules and the way in which payment card fraud is prevented.
Response of the data subject
On 14 April 2025, the Office of the Data Protection Supervisor forwarded the received report to the complainant, with the help of the Berlin Data Protection Authority, for the purpose of submitting a response. The complainant has not submitted a response.
Handling of the case in a cross-border cooperation procedure
The Office of the Data Protection Supervisor submitted a draft decision to the participating supervisory authorities on 18 December 2025. In addition to the Berlin Data Protection Authority, the supervisory authorities involved in the case were the data protection authorities of Sweden, Estonia, Slovenia, Brandenburg, Bavaria, Norway, Slovakia and Poland. None of the participating supervisory authorities objected to the draft decision within the period referred to in Article 60(4) of the GDPR.
Applicable law
According to Article 12(2) of the GDPR, the controller shall facilitate the exercise of the data subject’s rights under Articles 15 to 22.
According to Article 12(4) of the GDPR, if the controller does not take action on a request from the data subject, the controller shall inform the data subject without undue delay and at the latest within one month of receipt of the request of the reasons for not doing so and shall inform the data subject of the possibility of lodging a complaint with a supervisory authority and of the possibility of exercising other legal remedies.
According to Article 12(6) of the GDPR, where the controller has reasonable grounds to doubt the identity of a natural person who has made a request pursuant to Articles 15 to 12, the controller may request further information necessary to verify the identity of the data subject.
Article 15 of the GDPR provides for the right of access to personal data concerning the data subject. According to Article 15(1), the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where such personal data are being processed, access to the personal data and the information listed in that Article. According to Article 3, the controller must provide a copy of the personal data being processed.
According to Article 56(1) of the GDPR, the supervisory authority of the main establishment or single establishment of a controller or processor shall be competent to act as lead supervisory authority in respect of cross-border processing operations carried out by that controller or processor in accordance with the procedure laid down in Article 60, without prejudice to Article 55.
Article 60 of the GDPR provides for cooperation between the lead supervisory authority and the other participating supervisory authorities. According to Article 60(3) of the GDPR, the lead supervisory authority shall without delay submit the draft decision to the other participating supervisory authorities for an opinion and shall duly take their views into account.
According to Article 60(6) of the GDPR, if none of the other participating supervisory authorities has objected to the draft decision submitted by the lead authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to have approved that draft decision, which shall be binding on them.
Legal issue
The Data Protection Ombudsman assesses and decides on the complainant’s case on the basis of the General Data Protection Regulation as mentioned above. The case must be decided whether the controller has responded to the complainant’s request in accordance with Article 12(2), (4) and (6) of the General Data Protection Regulation.
In addition, the case must be assessed whether the corrective powers provided for in Article 58 of the General Data Protection Regulation are applicable.
Decision and reasoning of the Data Protection Ombudsman
Decision
The controller has not responded to the complainant’s request in accordance with Article 12(2) and (4) of the General Data Protection Regulation. The controller should have facilitated the exercise of the data subject’s rights by providing the data subject with information on how the data subject can confirm his or her identity. The controller should have informed the complainant without delay and at the latest within one month of receiving the request of the reason for rejecting the complainant’s request.
The controller has had grounds under Article 12(6) of the GDPR to request the data subject to provide additional information necessary to verify the data subject’s identity.
Order
The Data Protection Supervisor shall not issue an order under Article 58(2)(d) of the GDPR to the controller to comply with the data subject’s request for a copy of his or her personal data.
Reasons
Notification of refusal
Article 12 of the GDPR lays down detailed rules for the exercise of the data subject’s rights. According to paragraph 2 of that Article, the controller shall facilitate the exercise of the data subject’s rights under Articles 15 to 22. According to paragraph 4 of the article, if the controller does not take action on the basis of a request from the data subject, the controller shall inform the data subject without delay and at the latest within one month of receiving the request of the reasons for this and shall inform him/her of the possibility of lodging a complaint with a supervisory authority and of exercising other legal remedies.
The complainant had first requested a copy of his personal data from the controller in January 2022. However, according to the controller’s report, it has not found any documents that would show that the complainant had requested access to his data in January–February 2022.
The complainant had also sent the request by letter on 22 August 2022. According to the controller, the controller responded to the complainant’s letter on 2 September 2022 and stated that the controller’s response would be delayed due to a holiday. The controller had promised to respond to the request by 30 September 2022. The controller states in its report that the complainant was never responded to due to human error. The Data Protection Ombudsman considers that the controller has not responded to the complainant’s request in accordance with Article 12(4) of the General Data Protection Regulation. The controller should have informed the complainant without delay and at the latest within one month of receipt of the request of the reason for rejecting the complainant’s request.
According to the report received, the controller could not find the user account mentioned in the data subject’s request in its system. Furthermore, according to the controller, it could not properly identify the data subject based on the letter. The Data Protection Ombudsman considers that the controller had grounds to ask the data subject to provide additional information pursuant to Article 12(6) of the General Data Protection Regulation. However, the controller has not facilitated the exercise of the data subject’s right as required by Article 12(2) of the General Data Protection Regulation. The controller should have provided the data subject with information on how the data subject can confirm his or her identity in order to exercise his or her rights.
According to the explanation received from the controller, the controller has internal instructions according to which the complainant should have been responded to. According to the controller, it has contacted the complainant after the request for clarification and ensured that the complainant is informed about how he can obtain a copy of his personal data. Since, according to the controller, the action in violation of its internal instructions was due to human error, the Data Protection Supervisor considers that there is no need to use the corrective powers provided for in Article 58 of the General Data Protection Regulation in this matter.
On 14 April 2025, the Office of the Data Protection Supervisor forwarded the explanation received from the controller to the complainant through the Berlin Data Protection Authority. The complainant has been asked whether the controller has been in contact with the complainant and whether the complainant’s right under Article 15 of the General Data Protection Regulation has been exercised. According to the Berlin Data Protection Authority, the complainant has not responded to the inquiry within the stated deadline. The Data Protection Ombudsman considers that the matter concerning the exercise of the data subject’s right has been properly investigated in accordance with Article 57(1)(f) of the Data Protection Regulation and the case can be closed.
The complainant has also suspected that the controller has disclosed his payment information to third parties. Based on the explanation received from the controller, the Data Protection Ombudsman has no reason to suspect that the complainant’s personal data has been disclosed to third parties. The complainant has not submitted a response in which he would have questioned the controller’s explanation in the case. The Data Protection Ombudsman considers that the matter has also been properly investigated in this respect in accordance with Article 57(1)(f) of the Data Protection Regulation and the case can be closed.
Appeal
According to Section 25 of the Data Protection Act (1050/2018), this decision may be appealed to the Administrative Court in accordance with the provisions of the Act on Judicial Procedure in Administrative Matters (808/2019). The appeal shall be filed with the Helsinki Administrative Court.
Notification
The decision shall be notified in accordance with Section 60 of the Administrative Procedure Act (434/2003) by post against a receipt.
The decision has been made by the Data Protection Commissioner Anu Talus.
The decision is not legally binding.
</pre>