Received:	30.05.2018 13:00
Category:	Request access to personal data

Hi Vladimir!


First of all I'm very sorry for the inconvenience. You have a right to access the personal data we are keeping about you and I have done it behalf of you today 30th of May. Your personal data will be sent to you to Omaposti (netbank).

I noticed that you have requested to receive it via netbank and also via post, but we prefer OmaPosti because of its safety and quickness. I hope this is ok for you. I'll refund your account (20e) for all this trouble and for possible printing costs it will cause you.

General Data Protection Regulation's (GDPR) implementation date was last Friday 25th of May 2018, so before that we weren't able to handle your request and we have informed you wrongly that you can only make the request in our branch. The easiest way is to do it in www.nordea.fi, but I have done it now for you.

Thank you for your patience.

Best regards

Johanna

Nordea 24/7
0200 3000 (pvm/mpm)
Ulkomailta soitettaessa +358 200 3000 (ulkomaan puhelun hinta)
ma-su 24h/vrk

 

My answer to Nordea, dd. 07/06/2018

Re. my SAR / Subject Access Request per GDPR, dd. 30.4.2018

Dear Johanna!

Thank you for your attempt to correct Nordea's GDPR-non-conform handling of my SAR (by offering me to visit a Nordea office - for receiving there a responce to my SAR).

I can't accept your offer to print out by my own means the answer from Nordea, 

because it is (1) not conform to GDPR, and (2) is subject to my (absent) consent to stop paper letter communication with Nordea / in exchange to e-media.

Moreover I consider it a dangerous sign of misunderstanding of consumer-relevant laws & risks by leading Finnish institutions, like e.g. telecoms and banks, when e-media communication bears more risks than paper letters:

- it is obligation of the institution (per EU law) to deliver its answer to consumer

- and offering to consumer to access BY OWN MEANS to an institution's resource is not a delivery of an answer from an institution.

And the reason is: personal costs, imho. I.e. attempts by institutions to transfer payment of communication costs from institution to a person, that increases costs from industrial solutions to personal solutions. Like e.g. costs of printing out "electronic bill" at home printer.

Similar strategic mistake of increasing the costs (& endangering the security) of communication I see at Suomi.fi:

- its new public portal suggests consumers to take a NEW - and provider-centric (not user-interests-centric) - obligation of regular checking services' messages

- and Suomi.fi considers a service's message to be delivered to consumer in the moment of sending the message,

  that can be true - per EU law - only for some cases of sending a PAPER letter by Post, but not for cases of sending an electronic message,

  BEFORE a consumer confirms his irreversible (!) consent to receive e-messages ONLY, i.e. NO MORE paper message.

And also - subject to person's consent to consider e-message delivered in the moment of sending by an institution,

i.e. NOT IN THE MOMENT OF RECEIVING the message by a person. A lawyer could provide here links to the relevent EU laws,

but I hope that Nordea lawyers can provide these links without my help.

  This consent is not granted to Nordea by any consumer in advance, at least in my case: it would cost me too much

(e.g. (1) home printing vs industrial; (2) insecure email interchange, that even KELA considers not GDPR-conform), in return-for-nothing.

A better solution (Hybrid Mail, combining e-media & paper: not either/or, like NetPosti) is recently introduced in Germany,

- and I hope that before Nordea finds any better consumer-centric solution,

we should receive paper letters: when user wishes it. This is EU law.

One more reason for a consumer to prefer a "dead-tree version" of communication (paper letter):

- an average person's IT skills doesn't allow him/her to check if e-message delivers personal data in full, in answer to his/her SAR:

- like e.g. misleading/false "disclosing" of personal data of a subject by granting an access to a "personal data zip-file" by Facebook:

- a simple check to a web service MySocialBook.com shows that Facebook keeps my personal data from 2012:

- this commercial service offers me a printed 'photo-book', with my Facebook posts & comments, dated from 2012,

  whereas Facebook - answering my SAR- has recently provided me access to a "relevant" zip-file of "ALL" my personal data for 1 year only.

How can I prove that Nordea would provide me access to full amount of my personal data files,

  if I don't have a "dead-tree version" of these zip-files? Could I refer to Data Protection Officer/in court to insufficiency of "my ALL" data from a zip-file?

I do hope that Nordea handling of my personal data communication is more EU laws abiding than Facebook's, that is why I kindly ask you to base it at paper,

in order not to lead consumers to "zero-trust" base, like e.g. Facebook does (and - regretfully - some telecoms, banks).

Therefore I ask you kindly to answer my SAR by postal letter, - like Kela did.

And if my personal data at Nordea consumes so much paper as at Kela (500 sheets double side printed, black&white): printing the sheets at my home printer would cost me several times more than 20 €, that you "kindly" offered me "for all this trouble and for possible printing costs".

But for Nordea to order 1000 pages/500 sheets printed and delivered to my home would cost 5,3 € postage + 1,5 cents/page x 1000 =  20,3 €.

Please comment.

 

Best regards,

Vladimir Kuparinen

"MySocialBook" discloses its affiliation with illegal demand from Facebook to give consent to ads

10/02/2017: showing my data images from 2012

07/06/2018: not showing my data images. Because of absent consent to Facebook illegal demand