The Helsinki Administrative Court has annulled the EUR 2.4 million administrative fine imposed on the main postal service in Finland (Posti Jakelu Oy “Posti”) by the Sanctions Board of the Office of the Data Protection Ombudsman in November 2024. The decision concerns data protection shortcomings in the OmaPosti service and constitutes an important precedent for the bundling of services and the application of the GDPR.
Background to the case
At the heart of the dispute was the onboarding process for Posti’s digital services. Creating a Posti account is a prerequisite for accessing Posti’s digital services. However, opening an account also automatically creates an electronic OmaPosti mailbox for the customer. Electronic messages may start arriving in the mailbox without the customer taking any active steps.
The Data Protection Ombudsman identified two main issues in Posti’s practices. First, Posti had not clearly informed customers, as required under the GDPR, of the purposes for which their personal data was used in connection with the creation and activation of the OmaPosti mailbox. Posti had included information on the electronic mailbox in the OmaPosti service agreement and had also used conditional expressions (“you may receive your bills and letters electronically” and “you may receive messages in the service’s electronic mailbox in an electronic format”) when describing the service. According to the Data Protection Ombudsman, the data subject could not, on the basis of the conditional expressions, understand that he or she has no control over whether the electronic mailbox is activated and starts to receive mail. For this reason, the company received a reprimand and an order to bring its processing activities into compliance with the GDPR.
Second, and in the Data Protection Ombudsman’s view more serious, there was no lawful basis for the personal data processing involved in creating and enabling the OmaPosti mailbox. The Ombudsman argued that the processing could not rely on contractual necessity because the service requested by the customer could have been provided without automatically creating an electronic mailbox. According to the Data Protection Ombudsman, the mailbox was rather an additional service that the data subject had not always specifically requested. It was on the basis of this alleged lack of a lawful basis that the Sanctions Board imposed the EUR 2.4 million administrative fine on Posti.
A two-part decision by the Administrative Court
The Administrative Court agreed with the Ombudsman that Posti had not provided sufficient information about the creation and activation of the OmaPosti mailbox. In this respect, the Court upheld the reprimand and corrective order.
However, the Court overturned the Ombudsman’s interpretation that Posti lacked a lawful basis for processing personal data in relation to the OmaPosti mailbox. According to the Court, Posti is entitled, based on freedom of enterprise and freedom of contract, to bundle its digital services into a single service package. This entitlement remains even if not all users of the OmaPosti service expressly want the OmaPosti mailbox. The Court therefore found that Posti had a lawful basis under the GDPR to process personal data related to the OmaPosti mailbox as necessary for the performance of the contract concerning the use of Posti’s digital services. Because the fine was imposed solely on the grounds that the Ombudsman considered the lawful basis to be lacking, the Administrative Court annulled the entire decision on the administrative fine. As a result, Posti was relieved of the EUR 2.4 million payment.
Significance of the decision
The decision strengthens companies’ ability to build their (digital) services as integrated service packages, even when customers have not individually requested each element of the package. This is a significant clarification, as GDPR enforcement has traditionally emphasised data minimisation and narrowly defined necessity. The decision demonstrates, however, that contractual necessity may also be assessed in light of a company’s business model and the technical structure of its services.
Going forward, companies may continue to bundle multiple service components into a single contract and require customers to accept the package as a whole, provided that the bundle is genuinely necessary for delivering the service.
The decision also underscores the central importance of transparency under the GDPR. Even where a valid legal basis for processing exists, insufficient information may still lead to reprimands and corrective orders. In particular, controllers must avoid the use of conditional expressions. Companies must pay particular attention to ensuring that users are clearly and understandably informed about all functionalities included in a bundled service.