THREE ADMINISTRATIVE FINES ISSUED IN FINLAND
by Aleksi Nieminen
Just as the second anniversary of the GDPR was approaching, the Data Protection Ombudsman’s collegial body, which is responsible for determining administrative fines in Finland, issued administrative fines against three Finnish companies for their infringements of data protection laws. The infringements concerned inadequate informing of data subjects, failure to carry out a data protection impact assessment (DPIA) and the collection of unnecessary personal data. These fines are also the first administrative fines issued in Finland since the GDPR became applicable. The decisions are not yet legally binding, and the companies may appeal against them to an administrative court.
Inadequate informing of data subjects
The collegial body imposed a fine of EUR 100,000 on Posti Oy, a leading postal and logistics service company, for its failures to provide transparent information to data subjects in connection with Posti’s change of address services.
Posti’s practices were brought to the attention of the Data Protection Ombudsman as a result of several complaints (between 2017 and 2019) by individuals who had used Posti’s change of address services. According to the complaints, these individuals started to receive direct marketing from different companies after having submitted their change of address notification to Posti.
In its decision, the Data Protection Ombudsman stated that Posti had not met the requirement of providing transparent information in its change of address services, especially with regard to the data subjects’ right to object to the disclosure of their personal data for direct marketing purposes. Furthermore, the Data Protection Ombudsman noted that Posti had failed to provide information to the data subjects in a timely manner, i.e. at the time when their personal data was obtained.
Posti provided information on the right to object only to customers who had bought additional services from Posti. In this regard, the Data Protection Ombudsman stressed that Posti should not have placed data subjects in an unequal position, with respect to the realization of their right to privacy and data protection, based on whether they had bought additional services. The infringement concerned approximately 161,000 customers of Posti during 2019 alone.
Interestingly, the collegial body noted that it could have issued an even higher fine for the infringement in question. However, the collegial body concluded that the fine issued in the case is effective, proportionate and dissuasive. Posti has already announced that it will appeal against the decision.
Failure to carry out a DPIA
In the second case, the collegial body imposed a fine of EUR 16,000 on Kymen Vesi Oy, a water supply management and water disposal company, for its failure to carry out a DPIA and to comply with the requirement of data protection by design and by default. With respect to data protection by design and by default, Kymen Vesi had failed to integrate the safeguards necessary to meet the requirements of the GDPR, as it had not carried out a DPIA before the processing in question actually started.
Again, in this case the Data Protection Ombudsman’s inspection followed from a complaint made by an individual. Kymen Vesi processed location data of its employees by tracking the location of their vehicles. This location data was used to monitor the employees’ working hours.
The Data Protection Ombudsman stressed in its decision that a data controller must carry out a DPIA when the processing is likely to result in a high risk to the rights and freedoms of data subjects. Kymen Vesi should have carried out a DPIA since the processing of location data concerned data subjects in a vulnerable position (employees) and the data was used for systematic monitoring. With reference to the list of criteria set out in the WP29 guidelines on DPIAs and on determining whether processing is likely to result in a high risk, the processing conducted by Kymen Vesi satisfied three of the criteria (processing of location data, data subjects in a vulnerable position and systematic monitoring of data subjects), whereas a DPIA is usually already required when two of the criteria are satisfied.
There is no information available yet as to whether Kymen Vesi will appeal against the decision.
Collection of unnecessary personal data
In the third case, the Data Protection Ombudsman ordered a company (name undisclosed) to delete unnecessary personal data and issued a reprimand against the company for inadequate documentation of its personal data processing activities. Furthermore, the collegial body imposed a fine of EUR 12,500 on the company for collecting unnecessary personal data of job applicants.
In accordance with the Finnish Act on the Protection of Privacy in Working Life, an employer is only allowed to process personal data directly necessary for the employee’s employment relationship. In this case, the company had asked job applicants to provide information on military training, religious beliefs, health, possible pregnancy and family relations in its standard application form.
In its defense, the company argued that the provision of the above-mentioned personal data was voluntary. In response, the Data Protection Ombudsman noted, first, that the processing of data relating to religious beliefs, health and pregnancy must be regarded as processing of special categories of personal data, and thus the processing was already carried out in breach of Article 9(1) of the GDPR. Second, in the context of job applicants, it does not matter whether the company regards the provision of some of the personal data as voluntary, since the Act on the Protection of Privacy in Working Life provides that no exceptions can be made to the necessity requirement, even with the employee’s or the job applicant’s consent.
The Data Protection Ombudsman has faced some criticism for its inactivity in enforcing the GDPR in Finland. These first fines of the GDPR era in Finland highlight that the Data Protection Ombudsman is not afraid to use its powers when there is a clear breach of the requirements of data protection laws. According to public communication from the Data Protection Ombudsman, more administrative fines will follow in the coming weeks.
Please contact Aleksi Nieminen or your usual DLA Piper contact if you would like further assistance.