The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine on Taksi Helsinki Oy for violations of data protection legislation on 26 May. The company had not assessed the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis. Deficiencies were also noted in the information provided to customers and the documentation of personal data processing.
The Office of the Data Protection Ombudsman started an investigation on Taksi Helsinki’s personal data processing in November 2019. Serious deficiencies were found in the company’s processing of personal data.
The impact of the processing had not been assessed in accordance with data protection legislation.
Taksi Helsinki replaced its camera surveillance system with one that records both video and audio in the summer of 2019. However, the company did not assess the compliance of the related personal data processing with the GDPR.
The Deputy Data Protection Ombudsman ordered the company to conduct a balance test to evaluate, for example the necessity of personal data processing and its impact on the interests and rights of the data subjects.
Taksi Helsinki also failed to conduct the impact assessments required by the GDPR before the start of processing. Data protection impact assessments would have been required for security camera surveillance, location data processing and automated decision-making and profiling connected to the company’s loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to carry out the required impact assessments.
No basis given for processing audio data
Taksi Helsinki reported that it processed the personal data of drivers, staff and the customers of its drivers with a camera surveillance system that records both video and audio. However, the company did not provide an explanation for why it only processed audio data from some of its taxis. The company later stated that the audio data had been processed by mistake.
The Deputy Data Protection Ombudsman found that the processing of audio data was not in line with the GDPR’s principle of data minimisation. She ordered Taksi Helsinki to ensure that the processing of audio data without appropriate grounds is stopped immediately.
Problems with basic data protection issues
The Deputy Data Protection Ombudsman’s investigation also revealed that Taksi Helsinki did not inform data subjects of the processing of their personal data in the manner required by data protection legislation. The notifications in the taxis did not say anything about audio recording or indicate from where customers could obtain information on it.
Neither did the company’s privacy statement contain information on the automated decision-making and profiling performed in its loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to change its policies for informing customers to provide clear information on its processing of personal data. The information must also be easily accessible.
Deficiencies related to documentation and the definition of personal data processing roles were also discovered in the investigation. The Deputy Data Protection Ombudsman ordered Taksi Helsinki to rectify its procedures.
Administrative fine imposed
Several serious shortcomings in the identification of risks, compliance with data protection principles and implementation of the rights of data subjects were identified in Taksi Helsinki’s processing of personal data.
The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki. This amount was proportionate, effective and cautionary in the assessment of the board.
The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.
To read the full decisions in Finnish, click here.
For further information, please contact the Finnish DPA: tietosuoja(at)om.fi
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and his two Deputy Data Protection Ombudsmen and has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.