The Office of the Data Protection Ombudsman Has Imposed its First Administrative Fines
On the eve of the two-year anniversary of the General Data Protection Regulation ((EU) 2016/679, the “GDPR”), i.e. on 18 May 2020, the Office of the Data Protection Ombudsman, which serves as the Finnish supervisory authority, imposed its first administrative fines under Article 83 of the GDPR. Approximately a week later, on 26 May 2020, the Office of the Data Protection Ombudsman continued this streak by issuing yet another decision on administrative fines.
Pursuant to Section 44 of the Finnish Data Protection Act, administrative fines are imposed in Finland by the so-called collegial body of sanctions that is comprised of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. The collegial body began its work at the end of September 2019.
Administrative fines have now been imposed in four cases. The cases concerned the failure to adequately inform data subjects of their data protection rights, the failure to carry out a data protection impact assessment (“DPIA”) and the collection of unnecessary personal data in an employment context. The most recently resolved case featured several fundamental and serious breaches of the GDPR.
The decisions are not final and can be appealed to the Administrative Court.
Insufficient information provided to persons submitting a notification of a change of address
In one of the cases, the data subjects who had lodged a complaint with the Office of the Data Protection Ombudsman each claimed that, following a change of address notification submitted to Posti, they had received direct marketing and other communications from various companies. This included companies with whom they had not had an existing customer relationship prior to receiving such communications. Some of the data subjects stated that they had not been provided with sufficient information on how their personal data was processed or on their right to object to the disclosure of their personal data to other controllers.
The Office of the Data Protection Ombudsman stated that Posti should have clearly informed all data subjects submitting a change of address notification of their right to object to the disclosure of their personal data to other controllers. According to the decision, Posti had properly informed of their rights only those data subjects who, in addition to submitting their change of address notification, had purchased additional services subject to a separate charge.
The collegial body of sanctions imposed an administrative fine of EUR 100,000 on Posti.
The employer had not carried out a DPIA even though it processed the location data of its employees
In another case, the Office of the Data Protection Ombudsman had received a complaint claiming that an employer had used a mileage tracking system to locate its vehicles and, by doing so, had processed location data concerning its employees. Despite the fact that the employer had tracked the vehicles and thus inevitably the employees driving those vehicles, the controller had not carried out a DPIA.
Pursuant to Article 35 of the GDPR, the controller shall carry out a DPIA where the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Pursuant to the non-binding guidelines on data protection impact assessments (WP248rev.01) issued by the European Data Protection Board, processing activities such as observing or monitoring the data subjects, and the processing of data of a highly personal nature, such as location data, may each constitute processing “likely to result in a high risk”, in which case a DPIA is to be carried out.
The collegial body of sanctions imposed an administrative fine of EUR 16,000 on the employer.
The company had collected unnecessary personal data from employee candidates
In the third case, according to the complaint lodged with the Office of the Data Protection Ombudsman, the controller had unnecessarily collected the personal data of jobseekers and employees. The Finnish Act on the Protection of Privacy in Working Life establishes a general necessity requirement, under which the employer is only allowed to process personal data that is directly required by the relevant employment relationship. No exceptions can be made to the necessity requirement, even with the employee’s consent.
The company had ignored the necessity requirement when collecting the personal data of its prospective employees and requested information on, among other things, religious beliefs, health status, possible pregnancy, and familial relationships. The Office of the Data Protection Ombudsman also discovered inadequacies in the company’s compliance with the accountability principle – in particular in maintaining the required documentation on its processing activities.
The collegial body of sanctions imposed an administrative fine of EUR 12,500 on the controller.
Several fundamental and serious breaches of the GDPR
In the most recent case from 26 May, the Office of the Data Protection Ombudsman had begun an ex officio investigation into the data protection matters of Taksi Helsinki Oy based on an anonymous tip. The investigation revealed several fundamental and serious breaches of the GDPR by the company.
The breaches included the unnecessary processing of data regarding persons travelling in vehicles operated by the company, the failure to carry out DPIAs on the processing of data collected through camera surveillance in the company’s vehicles, processing location data in connection with the company’s dispatch system, and profiling related to the company’s loyalty programme. Furthermore, the company had not provided data subjects with sufficient information on its processing activities in a timely manner. The company had also not compiled sufficient documentation on its processing operations (e.g. documentation defining the role of third parties involved in the processing of personal data).
The administrative fine imposed by the collegial body of sanctions was EUR 72,000.
The key takeaways of the decisions
All of the above cases demonstrate the significance of maintaining data protection related documentation and providing adequate information to the relevant data subjects. It is worth noting that, in two of the cases, the Data Protection Ombudsman did not object to the processing activities of the companies per se, but rather issued fines precisely due to insufficient documentation and a lack of accountability. Companies must make sure that they keep data protection related documentation up to date and readily available. Maintaining such documentation does not necessarily have to be burdensome.
The second lesson to be learned is that companies must ensure that they communicate effectively about their personal data processing measures. Borenius uses the term “tietosuojaviestintä” to describe the way companies should communicate on their processing activities: simply maintaining legal data protection documentation that, in substance, fulfils the requirements of the GDPR is not enough if the company does not communicate with the data subjects appropriately and in an accessible and timely manner. This kind of communication requires not only legal expertise but also the involvement of service design and communications experts. Legal experts must work together with service designers to develop a customer path that both provides a positive customer experience and discloses the information required under the GDPR.
Finally, the third lesson to bear in mind is that companies must assess more carefully when to carry out DPIAs. It would seem that Finnish controllers have been rather conservative in their assessment of whether a DPIA is necessary, but this threshold is likely to be lower in the future. Furthermore, the need for a DPIA with respect to existing data processing activities might need to be revisited.
Borenius’ lawyers are available to assist in addressing any questions you may have regarding these new decisions.