The Office of the Data Protection Ombudsman's sanctions board imposed an administrative fine on ParkkiPate Oy on 21 April for processing personal data in violation of data protection legislation. The violations concerned a failure to realise the rights of the data subject, shortcomings in limiting the storage period of data, and practices related to identifying data subjects.
The Office of the Data Protection Ombudsman had received several complaints about the controller's activities. The complainants had asked the controller for information on, among other things, the source of their personal data and the basis for its processing. In addition, they had asked for access to their data or for erasure of the data.
The controller had refused to deliver the data until it had verified the requester’s identity. For this verification, the controller had asked those making the requests to disclose information such as their personal identity codes and addresses. The controller took the view that it could not sufficiently identify the parking tickets in question solely by the names of the data subjects and the case numbers assigned to the parking ticket.
Only data necessary for identifying data subjects should be collected
If the controller has a justified reason for doubting the identity of the person making a request, it can ask for further information to verify their identity. According to the principle of data minimisation, however, no more data should be requested than is necessary for identifying the person.
The controller has consistently demanded that everyone wishing to exercise their data protection rights must identify themselves with their personal identity codes. However, the data originally held by the controller has not included personal identity codes, so it cannot have compared a personal identity code provided by a data subject to data already in its possession.
The Data Protection Ombudsman considers that the controller has violated the General Data Protection Regulation by regularly processing personal data more extensively than would have been necessary for identifying the data subjects. Nor has anything come to light in the matter to show that the controller had justified cause to doubt the identities of those requesting to exercise their rights. Therefore, the controller should have fulfilled the data subjects’ requests for access to their data.
The storage period of data must be limited and communicated to the data subject
In its report, the controller said that it photographs the vehicles and stores the photographs and copies of the parking ticket forms for accounting purposes. The controller has considered that it cannot erase the data due to potential future legal action and the statutory obligations of, for example, the Accounting Act. The Data Protection Ombudsman states that photographs of vehicles or parking ticket forms do not constitute information related to receipts that should be stored for the period provided for in the Accounting Act.
Nor can data be stored indefinitely on the grounds that the controller could submit the matter to the courts sometime in the future. The GDPR states that the storage period of personal data or the criteria for determining its length must be specified and the storage period must be minimised.
Shortcomings were also found in the ways in which the controller informs data subjects of the processing of their personal data.
The company incurred an administrative fine for violations of data protection legislation
The Data Protection Ombudsman considers that the company’s operations have regularly violated the GDPR. The Data Protection Ombudsman issued a reprimand to the controller for processing personal data in violation of the GDPR and ordered the controller to bring its practices into compliance with the law.
The Office of the Data Protection Ombudsman's sanctions board imposed an administrative fine of 75,000 euros on the company.
The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.
Sanctions board decision (in Finlex, in Finnish)
Decisions of the Office of the Data Protection Ombudsman in Finlex (in Finnish)
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.