The sanctions board of the Finnish Data Protection Ombudsman (DPO) has imposed an administrative fine amounting to 2,4 MEUR on the main postal service in Finland (Posti Jakelu Oy, “Posti”). According to the DPO’s decision, Posti’s popular Omaposti (“OwnPost”) service breaches the GDPR by automatically creating an electronic mailbox for users who sign up for the OwnPost service, without their having requested one. The electronic mailbox has been linked to a wider set of Posti’s services, including postal delivery and pick-up services. A customer signing up for the OwnPost service has not been able to choose whether or not to use the OwnPost electronic mailbox, because the different OwnPost services were all linked together in one single contract. Nor was it possible for OwnPost customers to discontinue the use of the OwnPost mailbox without also discontinuing the use of the other services belonging to the OwnPost service package. Once the OwnPost service has been taken into use, the electronic mailbox has been activated directly, which means that mail from Posti or other third parties may be sent to the electronic mailbox without any specific measures undertaken by the customer.
The DPO specifically addressed the following two issues in its decision:
• Information obligation: According to the DPO, Posti has not informed customers, as required under the GDPR, of the purposes for which their personal data is used in creating the electronic mailbox, or of how the mailbox is activated.
Posti has included information on the electronic mailbox in the OwnPost service agreement and also used conditional expressions (“you may receive your bills and letters electronically” and “you may receive messages in the service’s electronic mailbox in an electronic format”) when describing the service. According to the DPO, the data subject has not, on the basis of the conditional expressions, been able to understand that he or she has no control over whether the electronic mailbox is activated and starts to receive mail. The data subject may also have had reason to believe that he or she must undertake specific measures to activate the mailbox. The information provided by Posti to data subjects has thus left key aspects of the processing of personal data unclear for the data subjects concerned. Also, as pointed out by the European Data Protection Board, controllers should avoid using conditional expressions when fulfilling their information obligation towards data subjects.
• Legal ground for processing: The DPO considers that Posti has not had a legal ground for processing personal data (GDPR Article 6(1)) relating to those customers who have not separately ordered the electronic mailbox (which they have nevertheless been assigned). The legal basis applied to the processing of the personal data has been the entering into an agreement (GDPR Article 6(1)(b)). The DPO states that, in connection with processing personal data for the performance of the ordered OwnPost services, it has not been necessary for Posti to also process personal data for the purposes of creating the electronic mailbox. Rather, this has been an additional service, which has not always specifically been requested by the data subject. The DPO also emphasizes that the Court of Justice of the European Union (case C-252/21) has explicitly held that the legal processing ground “agreement” under Article 6(1)(b) of the GDPR must be interpreted narrowly, as it renders the processing of personal data lawful even without the data subject’s consent. The applicability of Article 6(1)(b) of the GDPR should have been assessed separately for each offered service (a data subject who had a need for a single service only was not able to refuse the other services).
About the administrative fine
When considering the amount of the administrative fine, the sanctions board of the DPO paid specific attention to the fact that the OwnPost service has over 2 million registered users, of which more than 1 million are active users. Further, the sanctions board considered that the infringement (processing of personal data without a proper legal ground) has been intentional. The sanctions board of the DPO also considered that there are no mitigating factors applicable to the circumstances of the case.
Posti has announced that it will appeal the decision.