The first four fines for non-compliance with the GDPR were issued in Finland at the end of May 2020. The fines were imposed by the Collegial Body of the Finnish Data Protection Ombudsman (DPA), which only began its work at the end of September 2019. All four decisions concern infringements of very basic GDPR obligations and principles, such as not providing data subjects with the required information, failing to carry out data protection impact assessments and collecting unnecessary personal data. The administrative fines imposed by the Collegial Body serve as a reminder that controller obligations are to be taken seriously and, as also stated by the Collegial Body, that it is up to the controllers to know the contents of the GDPR. The Collegial Body did not accept controllers’ claims that the GDPR is unclear or that controllers need further guidance from the DPA in order to know how to be GDPR compliant.
Case 1: Non-compliance with transparency obligation; inadequate information on processing
In this first case the DPA received complaints from data subjects who had received direct marketing contacts from several companies, including companies with which they had no previous client relationship. The direct marketing started after the data subjects had filed a change of address notification with Posti Oy, the main postal service in Finland.
According to the decision, the data subjects had not, in connection with making the notification, been informed of their right to object to Posti Oy disclosing their address to third parties. The privacy policy was not available on the electronic notification form but only in the corner of each of Posti Oy’s webpages, which, according to the Collegial Body, was not in line with the GDPR’s transparency requirement. Additionally, the Collegial Body held that the transparency obligation was not met because the privacy policy merely mentioned the right to object to processing without further explaining what this right entails. Some 161,500 data subjects had been affected by these GDPR violations by Posti Oy.
An administrative fine of EUR 100,000 was imposed on Posti Oy, which has announced that it will appeal the decision.
Case 2: Non-compliance with requirement to carry out data protection impact assessment (DPIA)
In the second case Kymen Vesi Oy, a water supply and treatment company, had monitored its employees by using location data received through a vehicle information system. The location data was, amongst other things, used for monitoring employees’ working time.
The GDPR requires that a DPIA is carried out where the processing is likely to result in a high risk to the rights and freedoms of natural persons. In the case at hand the Collegial Body held that location data had been used systematically and was likely to constitute a high risk to the rights and freedoms of the employees, especially considering that employees are in a vulnerable position. The Collegial Body also emphasized that the processing of data relating to persons in a vulnerable position is included in the DPA’s list of processing activities requiring a DPIA and should, for this reason as well, not be an unknown obligation for the controller.
An administrative fine of EUR 16,000 was imposed on Kymen Vesi Oy.
Case 3: Collection of unnecessary data
The third case leading to a fine concerned a company that collected unnecessary data pertaining to job candidates. The company (name not disclosed) had used an application form including questions relating to, amongst other things, the applicant’s place of birth, church, family relations, apartment, name and profession of spouse, children’s years of birth, the applicant’s health and possible pregnancy.
In this case the Collegial Body assessed whether the data collected was lawful not only under the GDPR but also under the Finnish Act on Privacy in Working Life. This Act is a special piece of legislation supplementing the GDPR as regards the processing of employee data. The Collegial Body held that the information that job applicants were asked to provide was not necessary for the employment and hence that the company was in breach of the GDPR data minimization principle. According to this principle, only such data that is necessary for the intended purpose (employment) may be collected from the data subject. Further, the company was also held to be in breach of the Finnish Act on Privacy in Working Life since, under the said Act, only such data that is necessary for the employment may be collected from an employee. The company, however, claimed that providing the said data had been voluntary, but this argument was not accepted by the Collegial Body since the above necessity requirement cannot be derogated from, not even by consent.
An administrative fine of EUR 12,500 was imposed on the company.
Case 4: Non-compliance with requirement to carry out DPIA and inadequate information to data subjects
The fourth decision concerned Taksi Helsinki, Finland’s largest taxi dispatch company, which had failed to conduct a DPIA in connection with its security camera surveillance and location data processing as well as when carrying out automated decision-making and profiling connected to the company’s loyalty scheme.
Further, Taksi Helsinki’s privacy policy did not meet the transparency requirement of the GDPR since it did not mention that its camera surveillance system also recorded sound. The privacy policy also lacked information on Taksi Helsinki’s automated decision-making and profiling activities. In addition, the Collegial Body held that the recording of sound was not in line with the GDPR’s principle of data minimization and ordered the company to cease all such recording for which no specific ground exists.
An administrative fine of EUR 72,000 was imposed on Taksi Helsinki, which has announced that it will appeal the decision.
A few observations pertaining to the discussed cases:
- All the discussed cases were brought to the DPA’s attention through individual complaints. Even though the DPA supervises the activities of controllers and processors, it goes without saying that the DPA’s resources are limited and that the most efficient supervision is done by data subjects, who today are increasingly aware of their rights under the GDPR.
- Reasonable time (i.e. two years since the GDPR entered into force in May 2018) has been given for controllers to make their activities GDPR compliant. The Collegial Body emphasized, at least for some of the controller obligations relating to the above discussed cases, that these obligations are very clear, do not require further guidance by the DPA and that two years is a reasonable time for rendering processing activities compliant with the GDPR. Hence, controllers will not be released from their liability under the GDPR by arguing that they do not know or understand the contents of the GDPR.
- The fact that the DPA has not previously taken a stand on a certain activity does not mean that such an activity is GDPR compliant. In the first case discussed, the DPA had already in 2017 requested Posti Oy to review its practices relating to informing data subjects of its processing activities. The DPA contacted Posti Oy again in 2020 (based on individual complaints made) and found that some of Posti Oy’s practices were non-compliant with the GDPR transparency requirement. In its defence Posti Oy claimed that, since the DPA had not contacted Posti Oy again before 2020, it was allowed to assume that its practices had been approved by the DPA in 2017 and were thus GDPR compliant. This view was not shared by the Collegial Body, which, again, stated that it is the obligation of the controller to see that its activities are GDPR compliant. In fact, the Collegial Body found Posti Oy’s non-compliant activities to be intentional. Therefore, it cannot be stressed enough that controllers cannot rely on processes and practices implemented under the previous data protection legislation being GDPR compliant (not even if their processing of personal data was compliant with the previous data protection legislation) but must re-assess their processes and practices in light of the obligations and principles set forth in the GDPR.
- The decisions are well argued with respect to GDPR Article 83, but the method for calculating the fines is not disclosed. All the above decisions include arguments for and against high fines as required by Article 83 (the intentional character of the infringement, the controllers’ co-operation, previous relevant infringements, the number of data subjects affected, financial benefits gained, etc.). However, the method used to calculate the amount of the fines has not been revealed. In the first case, concerning Posti Oy, the maximum amount of the fine was mentioned in the decision; the other decisions merely mentioned the turnover of the controller. Whether any calculation method exists remains to be seen. Sanctions imposed for the same infringements in other GDPR countries may obviously be used as a guideline when assessing possible sanctions for GDPR infringements, since under the GDPR the DPAs shall contribute to a consistent application of the GDPR throughout the EU/EEA.