At the end of May 2020 the first four fines for non-compliance with the GDPR were issued in Finland (please read our full news on these cases here). Now, three years later, the Finnish Supreme Administrative Court has issued two rulings concerning the imposition of administrative fines under the GDPR, relating to two of the above (appealed) cases. This is the first time the Finnish Supreme Administrative Court has ruled on the imposition of administrative fines under the GDPR.
We have summarised the outcome of the rulings below:
Case 1: Non-compliance with transparency obligation (Posti Oy)
Back in May 2020 Posti Oy (the main postal service in Finland) was issued an administrative fine of EUR 100,000 for disclosing the contact details of its clients to third parties without the data subjects having been properly informed that their contact details were being shared with third parties and of their right to object to such processing. Posti Oy appealed this decision and claimed, among other things, that the Collegial Body of the Finnish Data Protection Ombudsman (DPA) should first have used its corrective powers and only after that assessed the need to impose an administrative fine.
The Supreme Administrative Court did not, however, share this view, but ruled that the administrative fine could be imposed without the DPA having first used its other corrective powers, such as issuing a reprimand or an order to correct non-compliant processing activities. Further, the Supreme Administrative Court ruled that the controller must take active steps or actively direct the data subject to the location of the privacy policy by means of, for example, a direct link or a QR code. The links to Posti Oy’s relevant privacy policy had been difficult to find and had also not been clearly distinguished from other links.
Based on the above the Supreme Administrative Court did not overturn the administrative fine of EUR 100,000.
Key takeaways
1) Right to information requires active measures by the controller
The Supreme Administrative Court considered that the data subject’s right to information means that a controller must, through active measures, make the information set forth in GDPR Art 13 and 14 available to the data subject. Even though the GDPR itself does not use the words “active measures”, this can still be derived from the WP29 Guidelines on transparency under the GDPR, which among other things state that “a data controller must take active steps to furnish the information in question to the data subject or to actively direct the data subject to the location of it”.
2) Basic data subject rights must by now be complied with
Controllers have had reasonable time to render their processing activities compliant with the GDPR. At the time the discussed administrative fines were imposed, the GDPR had been in force for two years, and already in 2020 the DPA stated that two years is a reasonable time for rendering processing activities compliant with the GDPR. Today, some five years after the GDPR entered into force, it is difficult to see any excuse for non-compliance in this respect. Since the data subjects’ right to information and transparency has become topical through the Supreme Administrative Court decision, the DPA may going forward be very strict in its interpretation of the data subjects’ right to information and the controllers’ transparency obligation.
3) An administrative fine may be imposed irrespective of the DPA having used its other corrective powers
This means that an administrative fine can be considered proportionate even if the DPA has not used its other corrective powers (such as issuing a reprimand) before imposing the fine.
4) The number of data subjects affected by the non-compliant activity was central in this case when considering the conditions for imposing an administrative fine
In the case at hand, Posti Oy’s non-compliant activities relating to transparency and the provision of information affected some 161,000 persons. Even though these persons did not suffer any concrete financial loss or other material damage, the Supreme Administrative Court held that the number of affected persons was the most important factor when considering the conditions for imposing an administrative fine. This is important to remember for controllers processing personal data relating to a considerable number of data subjects.
Case 2: Collection of unnecessary data (Company A)
The other case from May 2020 that was appealed concerns Company A (name not disclosed), which was alleged to have collected unnecessary data pertaining to job candidates. Company A was issued an administrative fine of EUR 12,500 but appealed this decision on the grounds that, in its view, the DPA lacked evidence that Company A had collected data pertaining to job candidates in non-compliance with the GDPR.
According to Company A, it had not used the form containing questions relating to unnecessary data in recruitment processes after the entry into force of the GDPR. To the extent the form had been used before the GDPR was in force, any collected information that was not necessary for the recruitment process had been securely deleted. The Supreme Administrative Court agreed with Company A that the DPA had not obtained evidence of non-compliant use of the form, and noted that the DPA’s conclusion on the non-compliant use of the form had been based on the information provided by Company A rather than on proper evidence on the matter. The Supreme Administrative Court further ruled that the DPA could have examined the matter further by, for example, asking Company A to provide information on the personal data it collects and processes relating to job applicants.
Based on the above the administrative fine of EUR 12,500 was overturned by both the Administrative Court and the Supreme Administrative Court.
Key takeaways
1) Administrative fines constitute punitive sanctions, and the DPA (not the controller) is primarily responsible for the investigations, which cannot be based solely on a reversed burden of proof but must respect the presumption of innocence
Even though the GDPR’s principle of accountability to some extent entails a reversed burden of proof, meaning that a controller must prove its compliance with the GDPR, the DPA must base its investigations on the presumption of innocence when considering the imposition of an administrative fine, and the relevant party is not required to make any statement against itself. This is because administrative fines under the GDPR are comparable to criminal sanctions when it comes to the procedural guarantees of due process.
2) The GDPR provides the DPA with vast investigative powers, which should be used especially in connection with imposing an administrative fine
Considering the punitive character of the administrative fine, the Supreme Administrative Court emphasized the DPA’s obligation to use its investigative powers in accordance with GDPR Art 58(2) when considering the imposition of a possible administrative fine.