The Office of the Data Protection Ombudsman’s sanctions board imposed administrative fines on three companies for violations of data protection legislation on 18 May. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.
Deficiencies in information provided in connection with change-of-address notifications
The individuals who filed a complaint with the Data Protection Ombudsman had received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy, which is the leading postal service operator in Finland. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti had not informed the data subjects of their rights, including the right to object the disclosure of data, in connection with making change-of-address notifications.
The company should have informed its customers clearly about their right to object to the processing of their personal data. Posti had submitted such notifications only to customers who bought additional services in addition to making the change-of-address notification.
Posti had notified the Data Protection Ombudsman that it would look into possibilities for improving the transparency of personal data processing already in 2017. The company finally improved its practices for informing customers in 2020, after the Office of the Data Protection Ombudsman had contacted Posti again. The violations affected 161,000 customers in 2019 alone.
The sanctions board imposed an administrative fine of EUR 100,000 on Posti Oy.
The data protection impact assessment on the processing of employee location data had been neglected
The second decision concerned a complaint made to the Data Protection Ombudsman about how Kymen Vesi Oy processed the location data of its employees by tracking vehicles with a vehicle information system. The controller had not made the impact assessment required by the GDPR before starting to process the location data. The location data was used for monitoring working hours, among other things.
A data protection impact assessment is required if the processing is likely to result in a high risk to the rights and freedoms of data subjects. The assessment is necessary for example if the location data of vulnerable individuals is processed or the location data is used for systematic monitoring. The decision of situations in which a data protection impact assessment of the processing of location data is required can be found on the Data Protection Ombudsman’s website.
The sanctions board imposed an administrative fine of EUR 16,000 on Kymen Vesi Oy.
Job applicants’ personal data was collected unnecessarily
In the third case, the Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. According to the Finnish Act on the Protection of Privacy in Working Life, the employer is only permitted to process data that is necessary in light of the employment relationship. Deficiencies were also discovered in the controller’s documentation related to compliance with the GDPR.
The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects.
The Data Protection Ombudsman ordered the company to delete the unnecessary data and issued a reprimand on the deficiencies in documentation. The sanctions board also imposed an administrative fine of EUR 12,500 on the company.
The decisions are not final since those can be appealed in the administrative court. The Office of the Data Protection Ombudsman publishes the name of the organisation on which the administrative fine was imposed if the matter is considered to be of public significance or the organisation could be confused with another.
Sanctions must be proportionate, efficient and cautionary
This was the first time that the sanctions board imposed administrative fines for violations of data protection regulations. The board has the right to impose administrative fines for data protection violations. The maximum amount of the administrative fine is 4 % of the company’s turnover or EUR 20 million.
The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, with the Data Protection Ombudsman serving as chairman. The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act.
To read the full decisions in Finnish, click here
For further information, please contact the Finnish DPA: reijo.aarnio(at)om.fi