https://gdprhub.eu/api.php?action=feedcontributions&user=Ilkku&feedformat=atomGDPRhub - User contributions [en]2024-03-28T08:32:49ZUser contributionsMediaWiki 1.39.6https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_137/161/20&diff=12153Tietosuojavaltuutetun toimisto (Finland) - 137/161/202020-11-11T13:25:53Z<p>Ilkku: fine amount was incorrect</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=137/161/20<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuojavaltuutetun toimisto<br />
|Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/22406974/Ty%C3%B6nhakijoiden+henkil%C3%B6tietojen+ker%C3%A4%C3%A4minen+tarpeettomasti.pdf/6cedce13-60cd-c6f9-60cf-b9c8e17db10a/Ty%C3%B6nhakijoiden+henkil%C3%B6tietojen+ker%C3%A4%C3%A4minen+tarpeettomasti.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=12500<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 9(1) GDPR<br />
|GDPR_Article_Link_4=Article 9 GDPR#1<br />
<br />
<br />
|National_Law_Name_1=Finnish Act on the Protection of Privacy in Working Life <br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2004/20040759<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
A controller based in Finland was fined EUR 12,500 for collecting data during the job application process that was not directly necessary for the employment relationship.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The Finnish DPA received a complaint about a controller's use of a job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members.<br />
<br />
===Dispute===<br />
Was the collection of personal data through the job application form in accordance with Articles 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Articles 5(1)(a) and (c), 6(1) and 9(1) GDPR?<br />
<br />
===Holding===<br />
The Finnish DPA held that the collection of data on the applicant’s religious beliefs, health status, possible pregnancy and information related to the applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions.<br />
<br />
As some of the data processed was not directly necessary for the employment relationship, this in turn violated the GDPR’s lawfulness and data minimization principles (Article 5(1)(a) and (c)) and also Article 6(1).<br />
<br />
Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR.<br />
<br />
==Comment==<br />
The DPA’s decision focused more on the national privacy law in the employment context than on the GDPR.<br />
<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_3425/157/2019,_3578/157/2019,_3846/157/2019,_3871/157/2019,_3891/152/2019,_3918/157/2019,_4338/157/2019,_4666/154/2019,_5973/157/2019,_6773/157/2019_ja_7022/157/2019&diff=11489Tietosuojavaltuutetun toimisto (Finland) - 3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/20192020-10-06T12:56:24Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=3425/157/2019, 3578/157/2019, 3846/157/2019, 3871/157/2019, 3891/152/2019, 3918/157/2019, 4338/157/2019, 4666/154/2019, 5973/157/2019, 6773/157/2019 ja 7022/157/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200632<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=23.07.2020<br />
|Date_Published=23.07.2020<br />
|Year=2020<br />
|Fine=7000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2c<br />
|GDPR_Article_3=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2d<br />
<br />
<br />
|National_Law_Name_1=Information Society Code (917/2014)<br />
|National_Law_Link_1=https://www.finlex.fi/en/laki/kaannokset/2014/en20140917.pdf<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Finnish DPA imposed a 7,000 euro fine on a company that sent out direct marketing communications without obtaining prior consent from data subjects, and also for neglecting data subjects’ rights.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA received 11 complaints regarding Acc Consulting (Independent Consulting Oy) company’s direct marketing communication practices. According to the national law section 200 of the Information Society Code (917/2014), consent must be obtained from data subjects in the context of direct marketing. Furthermore, the consent must comply with Article 4(11) of GDPR. <br />
The direct marketing communication was sent to the data subjects via SMS. The SMS contained instructions on how to opt-out from the direct marketing communications. Despite data subjects opting out, they still continued to receive marketing messages. <br />
The controller claimed that the direct marketing communications were targeted at companies, and under section 202 of the Information Society Code, no prior consent is needed to send direct marketing communications to companies. The DPA ruled that, as the work phone numbers were specific to an employee and not the company as a whole, and the marketing message content did not relate to the data subject’s work activities, the communication was regarded as directed at natural persons instead of companies.<br />
<br />
Furthermore, some of the data subjects had submitted requests to the controller to exercise their rights under the GDPR. The controller failed to answer the data subjects in a timely manner and in accordance with the GDPR. The controller had not taken any action regarding these requests either.<br />
<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Finnish DPA imposed a 7,000 euro fine on the company for sending out direct marketing communications without prior consent and also for neglecting data subjects’ rights. When imposing the fine, the DPA considered it a mitigating factor that the data subjects had not suffered any financial harm.<br />
Furthermore, as per Article 58(2)(c) and (d) GDPR, the DPA ordered the controller to comply with the data subjects’ requests and to bring its practices in line with the Regulation.<br />
The decision is not yet final.<br />
<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_9401/163/18&diff=11299Tietosuojavaltuutetun toimisto (Finland) - 9401/163/182020-09-11T13:09:49Z<p>Ilkku: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=9401/163/18<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200641<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=10.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2d<br />
|GDPR_Article_3=Article 58(2)(b) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2b<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Finnish DPA ordered Euroclear Finland Oy to align its data disclosure activities with data protection regulations. Disclosing shareholder register information via the company's telephone service and disclosing information for direct marketing purposes was held to be unlawful.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
A data subject filed a complaint about Euroclear's data disclosing practices. The Finnish DPA investigated the complaint to see if Euroclear was violating data protection laws.<br />
Euroclear Finland Oy maintains the public shareholder registers required by law. The company provided a telephone service through which it disclosed information obtained from the shareholder registers of limited liability companies. Shareholder registers are public in nature and can usually be viewed at one of the Euroclear branches. Because of the public nature of the shareholder registers, the company argued that the telephone service was equivalent and comparable to the viewing of the shareholder registers at one of its branches, and therefore lawful.<br />
<br />
In addition to the phone service, Euroclear disclosed shareholder register information for direct marketing purposes. Euroclear argued on the basis of the national Companies Act, that since the Act stipulates that copies of the shareholder register, or part thereof, may be disclosed, and the law does not limit the purpose for disclosure, this enabled Euroclear to disclose the obtained information for direct marketing purposes. <br />
<br />
Furthermore, Euroclear maintained that they were the data processor and that the limited liability companies, whose shareholder register information was being disclosed, were the controllers. Therefore Euroclear did not have an obligation to inform the data subjects about the data disclosure activities in relation to direct marketing purposes.<br />
<br />
<br />
===Dispute===<br />
<br />
<br />
===Holding===<br />
The disclosure of shareholder register information via the company’s telephone service was not legal. Methods by which shareholder registers can be made public are expressly provided by law, and telephone service is not one of these methods.<br />
Furthermore, the company erroneously assessed its role under GDPR. As Euroclear had made decisions regarding the processing activities, they are therefore considered as being the controller. A processor cannot make decisions independently regarding data disclosure.<br />
The company also failed to comply with its obligations as a controller. The company did not inform the data subjects about the disclosure of data for direct marketing purposes, and therefore did not meet the transparency principle set out in Article 5(1)(a) of the GDPR. Informing data subjects on its website about their rights regarding direct marketing was not sufficient; the information should have been provided at the time the data processing activities took place.<br />
<br />
Therefore, as per Article 58(2)(b), the DPA issued a reprimand to the controller and, as per Article 58(2)(d), ordered the controller to bring the processing operations into compliance with the GDPR provisions.<br />
<br />
The decision is not final and Euroclear plans to appeal the decision in the administrative court. <br />
<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_1809/452/18&diff=11246Tietosuojavaltuutetun toimisto (Finland) - 1809/452/182020-09-04T09:55:39Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=1809/452/18<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200661<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=29.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_1=Article 58 GDPR#2d<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
A housing cooperative had incorrectly judged that the use of an electric lock system did not involve processing personal data. The Finnish DPA ruled that, as individuals could be indirectly identified, the housing cooperative had acted unlawfully and ordered it to bring the data processing activities in line with the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
An applicant contacted the Finnish DPA, expressing data protection concerns over the housing cooperative's electric lock system and its implementation. According to the applicant, the residents were not informed about the details of the lock system. <br />
The electric lock system in question is installed at the entrance doors of the apartment building. <br />
According to the housing cooperative (controller), they do not receive any information from the lock, and the lock company that manages the system only allows access to the data at the request of the police. The housing cooperative therefore had made an assessment that the use of the electric lock system did not involve processing of personal data.<br />
<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The door opening data is personal data. Data does not need to be directly linked to the data subject in order to qualify as personal data. <br />
Individuals that use the electric keys can be identified in instances where the key identification information is matched with a specific apartment. Residents who live alone, in particular, can in practice be identified with a high degree of certainty.<br />
<br />
The processing of personal data always requires a legal basis for processing, and compliance with the other data protection provisions. As the controller had assessed that no personal data was being processed, it had not defined the legal basis for processing the data, nor in any other way ensured the timely fulfillment of the controller's obligations under the GDPR. The processing of the personal data has therefore been unlawful.<br />
<br />
As per Article 58(2)(d), the Finnish DPA ordered the housing cooperative to bring the personal data processing activities in line with the GDPR.<br />
<br />
The decision is not final.<br />
<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_3846/157/2019&diff=11189Tietosuojavaltuutetun toimisto (Finland) - 3846/157/20192020-08-24T07:04:49Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=3846/157/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200622<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=23.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=Article 21 GDPR<br />
|GDPR_Article_Link_2=Article 21 GDPR<br />
<br />
<br />
|National_Law_Name_1=§200 s 1<br />
|National_Law_Link_1=https://www.finlex.fi/en/laki/kaannokset/2014/en20140917.pdf<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
A data subject objected to direct marketing as per Article 21 GDPR and requested that their data be deleted as per Article 17 GDPR. The Finnish DPA held that the controller had not fulfilled its duties under these articles.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject received direct marketing messages via SMS to their work phone. The data subject tried to object to the direct marketing by following the controller's instructions in the SMS. Despite this, the data subject received more direct marketing messages thereafter. The data subject emailed the controller directly to object to direct marketing as per Article 21(2) GDPR and asked for their data to be deleted in accordance with Article 17.<br />
<br />
The data subject had not consented to direct marketing.<br />
<br />
The controller claimed that it did not need prior consent from the recipient, as the direct marketing communications were not directed towards a natural person, but rather a legal person under section 202 of the national Information Society Code (917/2014).<br />
The controller was unable to confirm whether they had received the data subject’s objection and deletion request, or whether these requests were fulfilled by the controller. <br />
<br />
<br />
=== Dispute ===<br />
DPA considered the following legal questions:<br />
1) Has the controller sent out direct marketing communications?<br />
2) If yes, was the marketing communication directed at a legal or a natural person?<br />
3) Had the controller fulfilled the following two requests made by the data subject:<br />
- Right to be forgotten as per Article 17 GDPR<br />
- Right to object to direct marketing as per Article 21 GDPR<br />
<br />
<br />
=== Holding ===<br />
The DPA held that the controller had sent out direct marketing communications and that they were directed towards a natural person under section 200 subsection 1 of the national Information Society Code (917/2014), and thus the controller would have needed the data subject's prior consent.<br />
The controller had not fulfilled their obligations under Article 17 and 21 GDPR.<br />
The controller must give the data subject an opportunity to unsubscribe easily and without payment.<br />
<br />
In accordance with Article 58(2)(c), the DPA ordered the controller to delete the data subject’s data in accordance with Article 17 GDPR.<br />
In accordance with Article 58(2)(d), the DPA ordered the controller to change its measures for handling data subjects’ rights, namely the right to be forgotten and the right to object to direct marketing.<br />
<br />
The decision is not final.<br />
<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_3425/157/2019&diff=11128Tietosuojavaltuutetun toimisto (Finland) - 3425/157/20192020-08-14T08:44:38Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=3425/157/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200621<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=23.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12 GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Finnish DPA held that the controller should have acquired the data subject's consent before sending direct marketing communications to the data subject's work phone.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject filed a complaint with the Finnish DPA regarding Acc Consulting company's direct marketing practices. The data subject received direct marketing communications on their work phone. The SMS had a number that the data subject should call to unsubscribe. The data subject tried calling, but no one answered.<br />
<br />
=== Dispute ===<br />
DPA considered the following legal questions:<br />
1) Has the controller sent out direct marketing communications?<br />
2) If yes, was the marketing communication directed at a legal or a natural person?<br />
3) Had the controller given the data subject the right to object to direct marketing as per Article 12 GDPR?<br />
<br />
<br />
=== Holding ===<br />
The DPA held that the controller had sent out direct marketing communications and that they were directed towards a natural person under section 200 subsection 1, and thus the controller would have needed the data subject's prior consent. The controller must give the data subject an opportunity to unsubscribe easily and without payment.<br />
<br />
The controller must correct its direct marketing communications practice and is obliged to notify the DPA of any changes.<br />
<br />
The decision is not final.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_2984/182/2019&diff=10781Tietosuojavaltuutetun toimisto (Finland) - 2984/182/20192020-07-06T17:30:08Z<p>Ilkku: minor additions to give context to the case</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=2984/182/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200601<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 25(2) GDPR<br />
|GDPR_Article_Link_2=Article 25 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Finnish DPA holds that having the data subject's address information on a parking permit does not meet the data minimization requirement under Article 5 (1) (c) GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject had asked the controller whether they could mask the data subject’s address information from the parking permit. The parking permit with the data subject’s address information was kept on the dashboard of the car. The controller refused the data subject’s request.<br />
The data subject filed a complaint with the Finnish DPA. <br />
<br />
<br />
=== Dispute ===<br />
Whether the controller has complied with the principle of data minimization as per Article 5 (1) (c) and Article 25 (2) GDPR?<br />
<br />
=== Holding ===<br />
The Finnish DPA held that the controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) GDPR. Having the data subject's address information was not necessary for the purpose for which the personal data was being processed.<br />
<br />
The DPA ordered the controller to remove the data subject's address information from the car parking permit. <br />
<br />
The decision is not final.<br />
<br />
== Comment ==<br />
In their reply to the Finnish DPA, the controller failed to give a reason why having the data subject's address on the parking permit was necessary for the purpose for which the personal data was being processed. <br />
<br />
Furthermore, in their reply, the controller stated that even if the address information would not be stated on the parking permit, the information could still be ascertained via public sources. The DPA clarified that even if personal data is public or otherwise easily accessible, the principle of data minimization must still be respected.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
THING<br />
<br />
Applicant's claims and reasons<br />
<br />
On 8 April 2019, the applicant initiated a case in the office of the Data Protection Commissioner concerning the information entered on the card indicating the parking permit (the so-called parking permit tag). The applicant has stated that he has rented a parking space from the registrar. A parking permit sticker showing the number and period of validity of the parking permit in question, the name of the controller as well as the name of the property at […] and the identification of the houses owned and operated by the controller ([…]) shall be affixed to the dashboard of the vehicle parked in question. The applicant has questioned the above requirement to display a home address. The applicant has stated that, due to his work, he is unable to keep a parking ticket permanently displayed in his vehicle. The applicant has also stated that, on some occasions after his working day, he forgot to display his parking permit sticker in his vehicle, as a result of which he has received private parking inspection fees. The applicant has been in contact with both the registrar and the company providing parking supervision in the area. The applicant has suggested that his registration number be recorded in such a way that forgetting the parking ticket does not lead to private parking fees. The applicant has also suggested that he cover the address information on the parking permit. The applicant's proposals have not been accepted.<br />
<br />
Statement received from the controller<br />
<br />
The applicant has stated that he has been in contact with the controller. The applicant had suggested masking the address information. The proposal was not accepted. The Office of the Data Protection Officer has requested clarification from the controller. The registrar has submitted his report on 27.5.2020.<br />
<br />
The report states that the controller owns a proportion of a plot of land on which a car park is located. The car park has a total of […] parking spaces. The registrar owns and manages […] designated parking spaces under the management sharing agreement, of which […] belong to the company-owned property at […] and […] to the company-owned property at […] as required by the town plan and building permit. In addition, the car park has parking spaces for six other properties in the area.<br />
<br />
The registrar shall require the user of the car park to display a parking permit sticker bearing the name of the registrar and […]. The report also states that, due to irregularities in the car park, the car park is monitored by a private car company. The car park has a total of eight different property parking spaces. However, the parking attendant must be able to distinguish whether the person who parked the vehicle in the parking lot was entitled to park the vehicle in the parking lot in question. The controller has considered that it would not be sufficient to indicate the name of the issuer of the parking permit on the parking permit. In this case, a resident of […] could park the vehicle in the parking spaces reserved for residents of the property located at […]. The parking attendant would have no means of detecting improper parking. The registrar has about […] objects of right of residence all over Finland. The alternative information content of the parking ticket presented above could also lead to a person holding a parking ticket being able to park the vehicle on any property owned by the registrar.<br />
<br />
In addition, the report states that the exact address of the person who rented the parking space is not indicated on the parking permit. The number of the residential apartment is not marked on the parking permit. Identification information B – C is marked on the parking permit tag. The property at […] is not exclusively owned by the controller. The registrar owns a fixed part of the property and owns and manages the B and C houses located on the property. The management agreement for the land in question indicates which […] parking spaces belong to the property at […] and which to the property at […]. The division of property agreement has been entered as a special right in the land in question in the law auction and mortgage register maintained by the National Land Survey of Finland. It is therefore a public document. Everyone thus has the opportunity to find out at which address for each parking space the person who parked the vehicle lives or does business, even without a parking permit.<br />
<br />
It is not required to display a parking permit sticker other than when parking at the parking facility in question. It is the parking lot user's own decision to leave the parking permit tag visible when parking elsewhere. The registrar has considered that displaying a parking ticket in a car park does not cause undue inconvenience to the user of the car park, especially given that in most car parks parking requires at least the start time, for example by displaying a parking disc, and forgetting this will result in a parking error.<br />
<br />
The report provided states that the controller has not received much feedback from other car park users regarding the questioning. In the view of the registrar, the lack of feedback means that, in most cases, the address information of the car owner or keeper can be easily ascertained using the registration number. The report also states that if a car park user has concealed his address and it is important for him, for example, to keep his address information confidential, he must ensure that he does not keep a parking ticket in his vehicle when parked outside the car park in question.<br />
<br />
For the reasons set out above, the controller has considered that its activities have not been disproportionate to the provisions of the General Data Protection Regulation - such as the principle of data minimization. However, the report states that if the company's operations are considered to be in breach of the information minimization principle, the company is prepared to replace the address of the property entered on the parking permit tags with an identification code consisting of numbers. Finally, the report emphasizes that, nevertheless, the address details of the holder of the vehicle parked in the car park could still be ascertained, as mentioned above, due to the public nature of the sharing agreement. It is also possible at this time for the user of the parking space to remove the parking permit tag from view when parking elsewhere.<br />
<br />
Applicant's reply<br />
<br />
No reply has been requested from the applicant. In accordance with section 34 (2) (5) of the Administrative Procedure Act (434/2003), the hearing has been considered manifestly unnecessary. In the document of initiation, the applicant has questioned the necessity of the information marked on the parking permit. A wider consultation of the applicant would not have affected the outcome of the case.<br />
<br />
Applicable law<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a law directly applicable in the Member States. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).<br />
<br />
Legal issue<br />
<br />
The Assistant Data Protection Officer assesses and decides the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).<br />
<br />
The matter must be resolved:<br />
<br />
(1) whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation in the processing of personal data in connection with parking permits; and<br />
<br />
(2) whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations into line with the provisions of the General Data Protection Regulation.<br />
<br />
DECISION OF THE ASSISTANT DATA PROTECTION SUPERVISOR<br />
<br />
The Assistant Data Protection Officer shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation in the processing of personal data in connection with parking permits.<br />
<br />
The Assistant EDPS shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data carried out in connection with parking permits in accordance with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation.<br />
<br />
The registrar shall ensure that the address or transaction information of the holder of the permit no longer appears on the parking permit tickets.<br />
<br />
Reasoning<br />
<br />
The principle of data minimization<br />
<br />
Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.<br />
<br />
As mentioned above, the personal data processed must be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p.42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and not limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may be processed only if<br />
<br />
As mentioned above, this is a matter of the principle of data minimization, a principle which the European Data Protection Board has also issued practical guidelines in the context of its guidelines (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 13.11.2019). According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be if the purpose of the processing cannot be achieved by other means. (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (issued 13.11.2019), p. 19.) In practice, therefore, as little personal data as possible should be collected in each situation.<br />
<br />
In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.<br />
<br />
On the present case<br />
<br />
The report states that, due to irregularities in the car park, the parking of the car park has been entrusted to a private car park company. The car park has a total of eight different property parking spaces. However, the parking attendant must be able to distinguish whether the person who parked the vehicle in the parking lot was entitled to park the vehicle in the parking lot in question. The registrar has considered that it would not be sufficient to indicate the name of the issuer of the parking permit on the parking permit. In this case, a resident of […] could park the vehicle at […] parking spaces for residents of the property. The parking attendant would have no means of detecting improper parking. The registrar has hundreds of right-of-occupancy properties all over Finland. The alternative information content of the parking ticket presented above could also lead to a person holding a parking ticket being able to park the vehicle on any property owned by the registrar.<br />
<br />
In its report, the controller has emphasized that the address information of the holder of the vehicle parked in the parking lot can otherwise be ascertained due to the publicity of the management sharing agreement.<br />
<br />
It should be noted that no evidence has been adduced to show that the address information is necessary to ensure that the person who parked the vehicle in the car park was entitled to park the vehicle in the car park in question. The controller himself has stated that the current practice could be replaced by, for example, identification data consisting of numbers. The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided.<br />
<br />
For the sake of clarity, whether this information is public or otherwise available, this fact does not remove the obligation to comply with the principle of data minimization laid down in Article 5 (1) (c) of the General Data Protection Regulation.<br />
<br />
For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data carried out in connection with parking permits in accordance with the General Data Protection Regulation.<br />
<br />
Applicable law<br />
<br />
Mentioned in the explanatory memorandum.<br />
<br />
The decision is not final.<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_2984/182/2019&diff=10780Tietosuojavaltuutetun toimisto (Finland) - 2984/182/20192020-07-06T17:25:14Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=2984/182/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200601<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 25(2) GDPR<br />
|GDPR_Article_Link_2=Article 25 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Finnish DPA holds that having the data subject's address information on a parking permit does not meet the data minimization requirement under Article 5 (1) (c) GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject had asked the controller whether they could mask the data subject’s address information from the parking permit. The parking permit with the data subject’s address information was kept on the dashboard of the car. The controller refused the data subject’s request.<br />
The data subject filed a complaint with the Finnish DPA. <br />
<br />
<br />
=== Dispute ===<br />
Whether the controller has complied with the principle of data minimization as per Article 5 (1) (c) and Article 25 (2) GDPR?<br />
<br />
=== Holding ===<br />
The Finnish DPA held that the controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) GDPR. The DPA ordered the controller to remove the data subject's address information from the car parking permit.<br />
<br />
The decision is not final.<br />
<br />
== Comment ==<br />
In their reply to the Finnish DPA, the controller failed to give a reason why having the data subject's address was necessary for the purpose for which the personal data was being processed. <br />
<br />
Furthermore, in their reply, the controller stated that the address information could be ascertained via public sources. The DPA clarified that even if personal data is public or otherwise easily accessible, the principle of data minimization must be respected.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
THING<br />
<br />
Applicant's claims and reasons<br />
<br />
On 8 April 2019, the applicant initiated a case in the office of the Data Protection Commissioner concerning the information entered on the card indicating the parking permit (the so-called parking permit tag). The applicant has stated that he has rented a parking space from the registrar. A parking permit sticker showing the number and period of validity of the parking permit in question, the name of the controller as well as the name of the property at […] and the identification of the houses owned and operated by the controller ([…]) shall be affixed to the dashboard of the vehicle parked in question. The applicant has questioned the above requirement to display a home address. The applicant has stated that, due to his work, he is unable to keep a parking ticket permanently displayed in his vehicle. The applicant has also stated that, on some occasions after his working day, he forgot to display his parking permit sticker in his vehicle, as a result of which he has received private parking inspection fees. The applicant has been in contact with both the registrar and the company providing parking supervision in the area. The applicant has suggested that his registration number be recorded in such a way that forgetting the parking ticket does not lead to private parking fees. The applicant has also suggested that he cover the address information on the parking permit. The applicant's proposals have not been accepted.<br />
<br />
Statement received from the controller<br />
<br />
The applicant has stated that he has been in contact with the controller. The applicant had suggested masking the address information. The proposal was not accepted. The Office of the Data Protection Officer has requested clarification from the controller. The registrar has submitted his report on 27.5.2020.<br />
<br />
The report states that the controller owns a proportion of a plot of land on which a car park is located. The car park has a total of […] parking spaces. The registrar owns and manages […] designated parking spaces under the management sharing agreement, of which […] belong to the company-owned property at […] and […] to the company-owned property at […] as required by the town plan and building permit. In addition, the car park has parking spaces for six other properties in the area.<br />
<br />
The registrar shall require the user of the car park to display a parking permit sticker bearing the name of the registrar and […]. The report also states that, due to irregularities in the car park, the car park is monitored by a private car company. The car park has a total of eight different property parking spaces. However, the parking attendant must be able to distinguish whether the person who parked the vehicle in the parking lot was entitled to park the vehicle in the parking lot in question. The controller has considered that it would not be sufficient to indicate the name of the issuer of the parking permit on the parking permit. In this case, a resident of […] could park the vehicle in the parking spaces reserved for residents of the property located at […]. The parking attendant would have no means of detecting improper parking. The registrar has about […] objects of right of residence all over Finland. The alternative information content of the parking ticket presented above could also lead to a person holding a parking ticket being able to park the vehicle on any property owned by the registrar.<br />
<br />
In addition, the report states that the exact address of the person who rented the parking space is not indicated on the parking permit. The number of the residential apartment is not marked on the parking permit. Identification information B – C is marked on the parking permit tag. The property at […] is not exclusively owned by the controller. The registrar owns a fixed part of the property and owns and manages the B and C houses located on the property. The management agreement for the land in question indicates which […] parking spaces belong to the property at […] and which to the property at […]. The division of property agreement has been entered as a special right in the land in question in the law auction and mortgage register maintained by the National Land Survey of Finland. It is therefore a public document. Everyone thus has the opportunity to find out at which address for each parking space the person who parked the vehicle lives or does business, even without a parking permit.<br />
<br />
It is not required to display a parking permit sticker other than when parking at the parking facility in question. It is the parking lot user's own decision to leave the parking permit tag visible when parking elsewhere. The registrar has considered that displaying a parking ticket in a car park does not cause undue inconvenience to the user of the car park, especially given that in most car parks parking requires at least the start time, for example by displaying a parking disc, and forgetting this will result in a parking error.<br />
<br />
The report provided states that the controller has not received much feedback from other car park users regarding the questioning. In the view of the registrar, the lack of feedback means that, in most cases, the address information of the car owner or keeper can be easily ascertained using the registration number. The report also states that if a car park user has concealed his address and it is important for him, for example, to keep his address information confidential, he must ensure that he does not keep a parking ticket in his vehicle when parked outside the car park in question.<br />
<br />
For the reasons set out above, the controller has considered that its activities have not been disproportionate to the provisions of the General Data Protection Regulation - such as the principle of data minimization. However, the report states that if the company's operations are considered to be in breach of the information minimization principle, the company is prepared to replace the address of the property entered on the parking permit tags with an identification code consisting of numbers. Finally, the report emphasizes that, nevertheless, the address details of the holder of the vehicle parked in the car park could still be ascertained, as mentioned above, due to the public nature of the sharing agreement. It is also possible at this time for the user of the parking space to remove the parking permit tag from view when parking elsewhere.<br />
<br />
Applicant's reply<br />
<br />
No reply has been requested from the applicant. In accordance with section 34 (2) (5) of the Administrative Procedure Act (434/2003), the hearing has been considered manifestly unnecessary. In the document of initiation, the applicant has questioned the necessity of the information marked on the parking permit. A wider consultation of the applicant would not have affected the outcome of the case.<br />
<br />
Applicable law<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a law directly applicable in the Member States. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).<br />
<br />
Legal issue<br />
<br />
The Assistant Data Protection Officer assesses and decides the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).<br />
<br />
The matter must be resolved:<br />
<br />
(1) whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation in the processing of personal data in connection with parking permits; and<br />
<br />
(2) whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations into line with the provisions of the General Data Protection Regulation.<br />
<br />
DECISION OF THE ASSISTANT DATA PROTECTION SUPERVISOR<br />
<br />
The Assistant Data Protection Officer shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation in the processing of personal data in connection with parking permits.<br />
<br />
The Assistant EDPS shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data carried out in connection with parking permits in accordance with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation.<br />
<br />
The registrar shall ensure that the address or transaction information of the holder of the permit no longer appears on the parking permit tickets.<br />
<br />
Reasoning<br />
<br />
The principle of data minimization<br />
<br />
Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.<br />
<br />
As mentioned above, the personal data processed must be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p.42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and not limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may be processed only if<br />
<br />
As mentioned above, this is a matter of the principle of data minimization, a principle on which the European Data Protection Board has also issued practical guidance (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 13.11.2019). According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. Certain personal data should be processed only if the purpose of the processing cannot be achieved by other means. (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (issued 13.11.2019), p. 19.) In practice, therefore, as little personal data as possible should be collected in each situation.<br />
<br />
In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.<br />
<br />
On the present case<br />
<br />
The report states that, due to irregularities in the car park, control of parking in the car park has been entrusted to a private car park company. The car park has a total of eight different property parking spaces. However, the parking attendant must be able to distinguish whether the person who parked the vehicle in the parking lot was entitled to park the vehicle in the parking lot in question. The registrar has considered that it would not be sufficient to indicate the name of the issuer of the parking permit on the parking permit. In this case, a resident of […] could park the vehicle at […] parking spaces for residents of the property. The parking attendant would have no means of detecting improper parking. The registrar has hundreds of right-of-occupancy properties all over Finland. The alternative information content of the parking ticket presented above could also lead to a person holding a parking ticket being able to park the vehicle on any property owned by the registrar.<br />
<br />
In its report, the controller has emphasized that the address information of the holder of the vehicle parked in the parking lot can otherwise be ascertained due to the publicity of the management sharing agreement.<br />
<br />
It should be noted that no evidence has been adduced to show that the address information is necessary to ensure that the person who parked the vehicle in the car park was entitled to park the vehicle in the car park in question. The controller himself has stated that the current practice could be replaced by, for example, identification data consisting of numbers. The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided.<br />
<br />
For the sake of clarity, the fact that this information is public or otherwise available does not remove the obligation to comply with the principle of data minimization laid down in Article 5 (1) (c) of the General Data Protection Regulation.<br />
<br />
For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data carried out in connection with parking permits into line with the General Data Protection Regulation.<br />
<br />
Applicable law<br />
<br />
Mentioned in the explanatory memorandum.<br />
<br />
The decision is not final.<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_3818/161/2020&diff=10552Tietosuojavaltuutetun toimisto (Finland) - 3818/161/20202020-06-15T21:40:33Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=3818/161/2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuojavaltuutetun Toimisto<br />
|Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/22406974/Henkil%C3%B6tietojen+k%C3%A4sittelyn+l%C3%A4pin%C3%A4kyvyys+ja+rekister%C3%B6idylle+toimitettavat+tiedot.pdf/b869b7ba-1a05-572e-d97a-9c8a56998fc1/Henkil%C3%B6tietojen+k%C3%A4sittelyn+l%C3%A4pin%C3%A4kyvyys+ja+rekister%C3%B6idylle+toimitettavat+tiedot.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=100000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 12(1) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#1<br />
|GDPR_Article_3=Article 13(1)(d) GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR#1d<br />
|GDPR_Article_4=Article 13(2)(b) GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR#2b<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Finnish DPA holds that Posti was not transparent in accordance with Article 5 GDPR as data subjects were not informed about their right to object to direct marketing. Posti was fined €100,000 for transparency violations. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA received multiple complaints regarding the data processing carried out by Posti (the national postal company) in connection with change-of-address notifications. Several data subjects received direct marketing communications from different companies after submitting a change-of-address notification to the controller. <br />
Data subjects were not informed of their right to object to the marketing when submitting a change-of-address notification.<br />
<br />
=== Dispute ===<br />
There were two legal questions:<br />
1) Whether the processing of personal data in connection with change-of-address notification was transparent and in accordance with Article 5(1)(a) and Article 12(1) GDPR.<br />
2) Whether the controller has provided the data subject with adequate information under Article 13(1)(d) and (2)(b) GDPR in connection with the change-of-address notifications.<br />
<br />
=== Holding ===<br />
As per Article 13 GDPR, the controller must provide information to the data subject at the time of data processing. This Article applies to online forms that the data subject fills in when submitting a change-of-address notification. As per subsection 1 (d), the data subject must be informed of all recipients that may receive the data and, consequently, the data subject must also be informed of their right to object to this type of processing. <br />
<br />
The Finnish DPA held that the controller had not been transparent in accordance with Article 5(1)(a) and 12(1) GDPR, and that the information regarding the data recipients and the data subjects’ right to object was not provided to all data subjects in a timely manner at the point of data collection. <br />
<br />
<br />
== Comment ==<br />
<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_137/161/20&diff=10551Tietosuojavaltuutetun toimisto (Finland) - 137/161/202020-06-15T20:39:06Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=137/161/20<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuojavaltuutetun toimisto<br />
|Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/22406974/Ty%C3%B6nhakijoiden+henkil%C3%B6tietojen+ker%C3%A4%C3%A4minen+tarpeettomasti.pdf/6cedce13-60cd-c6f9-60cf-b9c8e17db10a/Ty%C3%B6nhakijoiden+henkil%C3%B6tietojen+ker%C3%A4%C3%A4minen+tarpeettomasti.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=125000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 9(1) GDPR<br />
|GDPR_Article_Link_4=Article 9 GDPR#1<br />
<br />
<br />
|National_Law_Name_1=Finnish Act on the Protection of Privacy in Working Life <br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2004/20040759<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
A controller based in Finland was fined EUR 12,500 for collecting data during the job application process that was not directly necessary for the employment relationship.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA received a complaint about a controller's use of a job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members. <br />
<br />
=== Dispute ===<br />
Was the collection of personal data through the job application form in accordance with Articles 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Articles 5(1)(a) and (c), 6(1) and 9(1) GDPR?<br />
<br />
=== Holding ===<br />
The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions.<br />
<br />
As some of the data processed was not directly necessary for the employment relationship, this in turn violated the GDPR’s lawfulness and data minimization principles (Article 5(1)(a) and (c)) and also Article 6(1).<br />
<br />
Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR.<br />
<br />
== Comment ==<br />
The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR.<br />
<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_531/161/20&diff=10550Tietosuojavaltuutetun toimisto (Finland) - 531/161/202020-06-15T18:38:16Z<p>Ilkku: removed national law that was not relevant</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=531/161/20<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuojavaltuutetun toimisto<br />
|Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/22406974/Ty%C3%B6ntekij%C3%B6iden+sijaintitietojen+k%C3%A4sittely+ja+vaikutustenarviointi.pdf/2d04e545-d427-8a0d-3f4d-967de7b428ac/Ty%C3%B6ntekij%C3%B6iden+sijaintitietojen+k%C3%A4sittely+ja+vaikutustenarviointi.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=16000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 25 GDPR<br />
|GDPR_Article_Link_1=Article 25 GDPR<br />
|GDPR_Article_2=Article 35 GDPR<br />
|GDPR_Article_Link_2=Article 35 GDPR<br />
<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2004/20040759<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
A company monitored employees’ working hours by using location data from vehicle information systems. <br />
The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment. <br />
<br />
<br />
===Dispute===<br />
The main legal arguments were as follows: <br />
1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out a DPIA?<br />
2. If yes, has the controller complied with its obligations under Article 35 GDPR?<br />
3. Has the controller taken adequate organisational and/or technical measures in accordance with Article 25 GDPR?<br />
<br />
<br />
===Holding===<br />
The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA should be mandatory if the data processing is likely to result in a high risk to the individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee–employer relationship and the fact that location data was systematically monitored.<br />
Furthermore, the controller has not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR 16,000 was imposed for the controller’s privacy violations. <br />
<br />
<br />
==Comment==<br />
<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_531/161/20&diff=10549Tietosuojavaltuutetun toimisto (Finland) - 531/161/202020-06-15T17:29:42Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=531/161/20<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuojavaltuutetun toimisto<br />
|Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/22406974/Ty%C3%B6ntekij%C3%B6iden+sijaintitietojen+k%C3%A4sittely+ja+vaikutustenarviointi.pdf/2d04e545-d427-8a0d-3f4d-967de7b428ac/Ty%C3%B6ntekij%C3%B6iden+sijaintitietojen+k%C3%A4sittely+ja+vaikutustenarviointi.pdf<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=16000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 25 GDPR<br />
|GDPR_Article_Link_1=Article 25 GDPR<br />
|GDPR_Article_2=Article 35 GDPR<br />
|GDPR_Article_Link_2=Article 35 GDPR<br />
<br />
<br />
|National_Law_Name_1=2004/759<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2004/20040759<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A company monitored employees’ working hours by using location data from vehicle information systems. <br />
The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment. <br />
<br />
<br />
=== Dispute ===<br />
The main legal arguments were as follows: <br />
1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out a DPIA?<br />
2. If yes, has the controller complied with its obligations under Article 35 GDPR?<br />
3. Has the controller taken adequate organisational and/or technical measures in accordance with Article 25 GDPR?<br />
<br />
<br />
=== Holding ===<br />
The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA should be mandatory if the data processing is likely to result in a high risk to the individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee–employer relationship and the fact that location data was systematically monitored.<br />
Furthermore, the controller has not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR 16,000 was imposed for the controller’s privacy violations. <br />
<br />
<br />
== Comment ==<br />
<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_8040/163/2019&diff=10288Tietosuojavaltuutetun toimisto (Finland) - 8040/163/20192020-05-24T19:20:39Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=8040/163/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200561<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 7 GDPR<br />
|GDPR_Article_Link_3=Article 7 GDPR<br />
|GDPR_Article_4=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#2d<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Finnish DPA holds that the controller’s method of obtaining consent for the storage and use of cookies on their website was contrary to Art 4 (11) GDPR. Finnish DPA also holds that withdrawing and refusing consent should be as easy as giving consent.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject filed a complaint with the Finnish DPA regarding a company’s website cookie consent banner. According to the data subject, the banner made the refusal of cookie storage and use difficult. Cookies were used for, inter alia, targeted advertising.<br />
<br />
The cookie banner stated that the website visitor accepts cookies by continuing to use the website. The banner had two options: “OK” and “additional information”. The latter took the website visitor to the website’s privacy statement, where the visitor was informed that cookies could be blocked by adjusting their browser settings and that third parties’ cookies could be blocked via the third parties’ websites.<br />
<br />
<br />
=== Dispute ===<br />
1. Whether controller’s method of obtaining consent for cookie storage was in accordance with Art 4(11) GDPR. <br />
2. Whether the obtained consent fulfils the conditions under Art 7 GDPR, especially the conditions for withdrawing consent under section 3.<br />
<br />
=== Holding ===<br />
The Finnish DPA ruled that the consent obtained through the cookie banner cannot be considered as voluntary under Article 4 (11) GDPR. Consent is not voluntary if it cannot be refused or withdrawn without prejudice. The cookie banner had no option for the data subject to refuse the storage and the use of cookies. Also, withdrawing consent was not considered to be as easy as giving it. <br />
Furthermore, consent must always be active and cannot be given through silence, pre-ticked boxes or inactivity. Informing data subjects that cookies could be blocked by changing browser settings is not in accordance with the ‘affirmative action’ requirement under Art 4 (11) GDPR.<br />
<br />
In accordance with Art 58(2)(d), the Finnish DPA instructs the controller to align its process to obtain consent with the GDPR provisions.<br />
<br />
The decision is not final, and can be appealed in the Finnish administrative courts.<br />
<br />
== Comment ==<br />
The controller argued that it followed Finnish Transport and Communications Agency's (Traficom) instructions for cookie consent banners. In Traficom's consent guide, it is possible to consent to non-essential cookies by changing browser settings.<br />
<br />
The Finnish DPA decision goes against Traficom's cookie consent guidelines.<br />
<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
MATTER<br />
<br />
Applicant 's claims and reasons<br />
<br />
The applicant has contacted the Office of the Data Protection Officer because the applicant considers that refusing cookies on the controller's website has been made very difficult.<br />
<br />
Statement received from the controller<br />
<br />
In addition to the applicant's complaint, the EDPS deals with a number of other complaints concerning the controller's activities, in which the applicants consider that the consent obtained by the controller for the storage and use of cookies does not meet the conditions of the General Data Protection Regulation. As a result of the complaints, the Office of the Data Protection Commissioner has requested clarification from the data controller with a request for clarification dated 26 November 2019. The registrar has submitted his report on 19 December 2019.<br />
<br />
According to the statement provided by the registrar, it follows Traficom's instructions regarding the consent to be given to cookies. According to this guide, consent to non-essential cookies can be given using your browser settings. The registrar informs users about the use of cookies and the possibility of influencing them through browser settings in their privacy statement.<br />
<br />
In addition, the data controller states that he has introduced a so-called cookie banner, the purpose of which is to increase the transparency related to the use of cookies and to make it as easy as possible for users to influence that use. By clicking on the “More information” section of the banner, the user can access the privacy statement, which contains information about cookies and the possibility of influencing them.<br />
<br />
Applicant 's reply<br />
<br />
No reply has been requested from the applicant, as it has been considered manifestly unnecessary within the meaning of section 34 (2) (5) of the Administrative Procedure Act (434/2003). Obtaining a response would not change the way the matter is resolved. The matter may be resolved on the basis of the contact of the Office of the Data Protection Officer and any other information received on the matter.<br />
<br />
On cross - border assessment<br />
<br />
The controller is part of an international group, which is why it has been assessed whether the data protection officer or the data protection authority of another country is the competent supervisory authority. In its report, the registrar has stated that decisions concerning the purposes and means of processing personal data are made in Finland. The EDPS Office has also read the controller 's privacy statement to ensure that the controller defines the purposes and means of the processing himself.<br />
<br />
On the basis of the report, the Assistant EDPS considers that he is competent to deal with the matter in accordance with Article 55 of the General Data Protection Regulation.<br />
<br />
Powers of the EDPS and applicable law<br />
<br />
Cookies and other data stored on a subscriber's or user's terminal equipment and their use are covered by the so-called Electronic Communications Data Protection Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and privacy in the electronic communications sector). That Directive has been amended by Directive 2009/136/EC (Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 on universal service and users' rights relating to electronic communications networks and services),<br />
<br />
According to Article 5 (3) of the ePrivacy Directive, Member States shall ensure that the storage of data or the use of data stored on a subscriber's or user's terminal is permitted only with the consent of the subscriber or user. In accordance with the EC. This shall not preclude technical storage or use the sole purpose of which is the transmission of communications on electronic communications networks or which is strictly necessary for the provision of a service to the information society service specifically requested by the subscriber or user.<br />
<br />
Article 2 (2) (f) of the ePrivacy Directive defines the consent of the user or subscriber. Consent in the ePrivacy Directive has the same meaning as the data subject's consent in Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Personal Data Directive). The Personal Data Directive has been repealed by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC).<br />
<br />
In paragraphs 42 and 63 of its judgment of 1 October 2019 in the so-called Planet49 case (Planet49 GmbH, C-673/17, EU:C:2019:246 (judgment of 1.10.2019, EU:C:2019:801)), the Court of Justice of the European Union stated, among other things, that the conditions for consent in the Electronic Communications Data Protection Directive and the General Data Protection Regulation must be read together and that references in the ePrivacy Directive to Directive 95/46 must be construed as references to the General Data Protection Regulation.<br />
<br />
According to Article 4 (11) of the General Data Protection Regulation, the consent of the data subject is any voluntary, specific, informed and unambiguous expression of intent by which the data subject consents to the processing of his or her personal data by giving a statement of consent or by taking a clear affirmative action.<br />
<br />
Article 6 of the General Data Protection Regulation contains an exhaustive list of situations in which the processing of personal data may be considered lawful. According to paragraph 1 (a) of that Article, one of those situations is that the data subject has consented to the processing of his or her personal data for one or more specific purposes.<br />
<br />
The conditions for consent are set out in Article 7 of the General Data Protection Regulation. According to paragraph 1 of that Article, where the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. Under Article 7 (3) of the General Data Protection Regulation, the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent must be as easy as giving it.<br />
<br />
Pursuant to Article 5 (3) of the ePrivacy Directive, the storage and use of cookies requires the consent of the subscriber or user. This requirement has been enforced in Finland by providing for the matter in section 205 of the Act on Electronic Communications Services (7 November 2014/917). According to the Act on Electronic Communications Services, this provision is supervised by the Finnish Transport and Communications Agency Traficom.<br />
<br />
The ePrivacy Directives (2002/58 / EC and 2009/136 / EC) were transposed nationally by placing the storage and use of cookies under the control of the then FICORA, now Traficom. The provision on cookies was incorporated into national law at that time as part of the confidentiality of communications. This solution was made possible by the possibility provided for in those directives to implement them in the manner desired at national level.<br />
<br />
The General Data Protection Regulation came into force on 25 May 2018. In that case, no changes were made to section 205 of the Act on Electronic Communications Services. It should be noted, however, that the General Data Protection Regulation as such is the applicable law insofar as it does not involve national discretion. Articles 4 (11) and 7 of the General Data Protection Regulation on consent are provisions which do not contain national discretion and therefore cannot be subject to national regulation.<br />
<br />
It follows from the primacy of EU law that, in this case, consent must be interpreted in accordance with the General Data Protection Regulation.<br />
<br />
According to section 8 of the Data Protection Act (5 December 2018/10), the data protection commissioner is the national supervisory authority referred to in the Data Protection Decree. The tasks and powers of the EDPS are set out in Articles 55-59 of the General Data Protection Regulation. In accordance with Article 55, each supervisory authority shall have the powers to carry out the tasks and exercise the powers conferred on it under this Regulation in the territory of its own Member State. Under Article 57, each supervisory authority must, inter alia, monitor and enforce the application of this Regulation in its territory, promote the knowledge of controllers and processors of their obligations under this Regulation and deal with complaints from the data subject.<br />
<br />
In view of the above, and given that the present case concerns the assessment of whether the consent requested by the controller for the storage and use of cookies complies with the General Data Protection Regulation, and that the EDPS is the only national supervisory authority supervising the General Data Protection Regulation in Finland, the EDPS considers itself competent to deal with the matter and to exercise the powers defined in Article 58 of the General Data Protection Regulation. The Assistant EDPS notes that Traficom still has the competence to supervise Article 205 of the Electronic Communications Services Act, which, however, being outside the competence of the EDPS, will not be applied in this decision.<br />
<br />
In addition to the above, the EDPS draws attention to paragraph 71 of the judgment of the Court of Justice of the European Union in Planet49, according to which Articles 2 (f) and 5 (3) of Directive 2002/58, read in conjunction with Article 2 (h) of Directive 95/46 and Articles 4 (11) and 6 (1) (a) of Regulation 2016/679, do not have to be interpreted differently depending on whether or not the data stored on or retrieved from the terminal of the website user constitute personal data within the meaning of Directive 95/46 and Regulation 2016/679.<br />
<br />
Legal question<br />
<br />
The question is whether the applicant has been asked to consent to the storage of cookies and the use of the data stored on his terminal in accordance with Article 4 (11) of the General Data Protection Regulation, i.e. whether the applicant's consent can be regarded as given by a statement of consent or by a clear act of consent. In addition, the question is whether the consent given by the applicant fulfills the conditions of Article 7 of the General Data Protection Regulation, and in particular the conditions for withdrawal of consent in paragraph 3 of that Article.<br />
<br />
The Assistant EDPS shall decide whether an order should be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing operations in line with the provisions of the General Data Protection Regulation. In addition, the Assistant EDPS will assess whether other powers of the EDPS should be exercised.<br />
<br />
DECISION<br />
<br />
Regulation<br />
<br />
The Assistant EDPS shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to amend its processing operations in order to obtain consent in accordance with the provisions of the General Data Protection Regulation.<br />
<br />
The Assistant Data Protection Officer will leave the appropriate measures to the discretion of the controller, but will order a report on the measures taken to be submitted to the Data Protection Supervisor's office by 1.9.2020.<br />
<br />
Assessment of the validity of consent<br />
<br />
Article 4 (11) of the General Data Protection Regulation defines the data subject's consent. It means any voluntary, individualized, informed and unambiguous expression of intent by which the data subject consents to the processing of his or her personal data by giving a statement of consent or by taking a clear act of consent.<br />
<br />
According to recital 32 of the General Data Protection Regulation, consent should be given by means of an explicit consent, such as a written, including electronic, or oral statement indicating the data subject's voluntary, specific, informed and unambiguous consent to the processing of his or her personal data. An action could be, for example, for the data subject to tick the box when visiting a website, to choose the technical settings for information society services or to make any other statement or act in a way that clearly indicates in this context that he or she agrees to the processing of his or her personal data. Consent should therefore not be given by silence, pre-ticked boxes or omission.<br />
<br />
The Data Protection Working Party WP29, which preceded the European Data Protection Board (EDPB), issued the guidance on consent “Guidelines on Consent under Regulation 2016/679, WP259 rev. 01”, which has been endorsed by the European Data Protection Board. On 4 May 2020, the European Data Protection Board published an updated version of this guideline, “Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.0, Adopted on 4 May 2020”, hereinafter the Guideline on the consent of the EDPB.<br />
<br />
In its Guidance on Consent, EDPB states that consent can only be an appropriate legal basis if the data subject is given the opportunity to control the use of his data and a genuine opportunity to freely choose whether or not to accept the conditions offered and not to his detriment. Requests for consent to the processing of a person should be subject to strict requirements, as this is a fundamental right of data subjects and because the controller wants to carry out a processing operation that would be illegal without the data subject's consent.<br />
<br />
According to the EDPB Consent Guidance, for consent to be considered voluntary, data subjects must have a real possibility of free choice and control. The General Data Protection Regulation generally provides that consent is not valid if the data subject does not have a real freedom of choice, if he or she feels compelled to give his or her consent or if he or she faces negative consequences for not giving his or her consent. Consent shall not be considered voluntary if the data subject cannot refuse or withdraw his consent without prejudice.<br />
<br />
Article 7 of the General Data Protection Regulation defines the conditions for consent. According to Article 7 (1), where the processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of personal data. According to paragraph 3 of that Article, the data subject has the right to withdraw his consent at any time. The data subject must be informed before consent is given. Withdrawal of consent must be as easy as giving it.<br />
<br />
In its Guidance on Consent, the EDPS emphasizes that the condition of easy withdrawal of consent is considered in the General Data Protection Regulation to be a necessary element of a valid consent. However, when consent is obtained electronically with just one mouse click, screen swipe or keystroke, data subjects must be able to withdraw their consent with equal ease. In addition, the data subject should be able to withdraw his consent without prejudice. This means, among other things, that the controller must make it possible to withdraw consent free of charge or without reducing the level of service.<br />
<br />
In the present case, the consent referred to by the controller is collected, first, through a box on its website, known as a banner. The following text appears on the screen: “In order to make the use of the website smooth and interesting to you, the registrar and his partners use cookies on the website. By continuing, you accept the use of cookies.” The screen contains a green “OK” button and a “More Information” button. Selecting “More Information” opens the Privacy Statement for the controller and its website.<br />
<br />
The section on cookies in the privacy statement states, inter alia:<br />
<br />
We may use cookies to collect information about a user's terminal. Cookies are used, among other things, to develop services and to target marketing and advertising. In addition, third parties set cookies on the service. If you do not want to receive cookies, you can change your browser settings.<br />
<br />
Next, the privacy statement on the controller's website states, inter alia:<br />
<br />
Third parties may set cookies on the user's terminal, for example, to provide the user with targeted advertising. You can learn more from the links below and you can opt out of targeted advertising by visiting their sites.<br />
<br />
The Privacy Statement then includes a list of the registrar's partners and links to the privacy sites and advertising choices of those partners. There are a total of 11 affiliates listed.<br />
<br />
As stated above, consent cannot be considered valid and voluntary unless the data subject has been offered a genuine opportunity to freely choose whether to accept or reject the terms offered. Consent shall not be considered valid if the data subject does not have a real freedom of choice, if he or she feels compelled to give his or her consent or if he or she faces negative consequences for not giving his or her consent. Nor shall the consent procedure be considered valid and in accordance with the General Data Protection Regulation if the right to withdraw the consent does not meet the requirements of the General Data Protection Regulation and the withdrawal of the consent is not as easy as giving it.<br />
<br />
As indicated above, the Office of the EDPS is competent to take a position on the consent based on the exercise of informed sovereignty under the General Data Protection Regulation.<br />
<br />
In this case, the registrar obtains consent to the storage and use of cookies by the user clicking the OK button on the so-called banner. However, the banner does not offer the possibility to refuse the storage and use of cookies. For example, in order to refuse third-party cookies, the user must, as described in the registrar's privacy statement, visit the website of each partner mentioned in that statement and prohibit the use of cookies for each partner individually. In this respect, the EDPS also draws attention to the fact that, by doing so, the controller does not allow the user to consent or refuse or withdraw his consent to the use of cookies on the controller's website in the controller's own service. In addition, the Privacy Statement leaves it unclear which third party cookies other than designated partners may be used on the registrar's website and how these cookies may be refused.<br />
<br />
In view of the above, the EDPS considers that the consent requested from the applicant through the so-called banner should not be considered as voluntary under Article 4 (11) of the General Data Protection Regulation, nor can the consent be considered to comply with Article 7 (3) of the General Data Protection Regulation, since withdrawing it is not as easy as giving it, as described above.<br />
<br />
In addition to the consent collected through the so-called banner, the registrar states that it complies with Traficom's instructions regarding the consent to be given to cookies, according to which the consent can be given by means of browser settings. The data protection statement of the controller is worded as follows:<br />
<br />
“If you do not want to receive cookies when using our services, you can change your browser settings. However, please note that if you block the use of cookies, you may not be able to fully use the services or all of their features. For apps, you can reset the ad tag or restrict ad tracking from device settings. ”<br />
<br />
As stated above, according to recital 32 of the General Data Protection Regulation, consent should be given in the form of an explicit consent, indicating the voluntary, specific, informed and unambiguous expression of intent of the data subject to consent to the processing of his or her personal data. An action could be, for example, for the data subject to tick the box when visiting a website, to choose the technical settings for information society services or to make any other statement or act in a way that clearly indicates in this context that he or she agrees to the processing of his or her personal data. Consent should therefore not be given by silence, pre-ticked boxes or omission.<br />
<br />
The conditions for consent have also been assessed in the Planet49 judgment, which concerned, inter alia, the assessment of the validity of consent to the storage and use of cookies. In paragraph 63 of the judgment, the Court held that consent within the meaning of Articles 2 (f) and 5 (3) of Directive 2002/58, read in conjunction with Articles 4 (11) and 6 (1) (a) of Regulation 2016/679, was not valid where permission to store data, or to use data already stored, on the website user's terminal is given by means of a pre-ticked box which the user must uncheck to refuse consent. The Court explicitly refers in this respect to recital 32 of the General Data Protection Regulation, which excludes the possibility that<br />
<br />
According to Article 7 (1) of the General Data Protection Regulation, where the processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of his or her personal data. According to the EDPB Consent Guidance, it is the controller's responsibility to demonstrate that valid consent has been obtained from the data subject. The controller must be able to demonstrate that the data subject was provided with the necessary information and that the controller's workflow met all relevant criteria for valid consent. Underlying this obligation under the General Data Protection Regulation is that controllers must be responsible for obtaining valid consent from data subjects as well as the consent procedures they have put in place.<br />
<br />
The EDPS considers that the controller's current approach of referring to the modification of browser settings does not meet the requirements of Article 4 (11) and Article 6 (1) (a) of the General Data Protection Regulation.<br />
<br />
The registrar's privacy statement states that the user can refuse the use of cookies by changing their browser settings. However, consent that fulfills the conditions of the General Data Protection Regulation means an act of consent which expresses an expression of intent by which he or she expressly consents to the use of his or her personal data. The fact that the controller states how the user may refuse to store or use cookies shall in no way be construed as a voluntary, specific, informed and unambiguous expression of intent by which he or she consents to the storage and use of cookies. It should also be noted that consent cannot be given by failing to take any action. Thus,<br />
<br />
If the controller wishes to use browser settings to request consent, it must take care and be able to demonstrate that all the conditions for giving consent under the General Data Protection Regulation are met. In its consent guide, the EDPB has also opted for obtaining the consent of Internet users through their browser settings. According to the EDPS, the development of such regulations should take into account the conditions for valid consent set out in the General Data Protection Regulation, such as the need for explicit consent for each intended purpose and the designation of controllers in the information provided.<br />
<br />
The EDPS further notes that according to Article 95 of the General Data Protection Regulation, the General Data Protection Regulation does not impose additional obligations on processing related to the provision of publicly available electronic communications services in public communications networks in the Union in relation to the provisions of Directive 2002/58/EC with the same objective. Recital 173 of the General Data Protection Regulation states that the Data Protection Regulation should apply to all aspects of the protection of fundamental rights and freedoms with regard to the processing of personal data which are not subject to the specific obligations laid down in the ePrivacy Directive, having the same purpose, including the obligations of the controller and the rights of natural persons. The General Data Protection Regulation will therefore in principle apply in so far as the Electronic Communications Data Protection Directive does not provide for this.<br />
<br />
In the light of the above, the EDPS notes that the EDPS has explicitly stated in its consent instructions that the consent requirements of the General Data Protection Regulation are not considered as "additional obligations" but rather as conditions for lawful data processing. situations covered by the ePrivacy Directive.<br />
<br />
In the light of the above, the Assistant EDPS instructs the controller to modify its procedures for requesting consent in accordance with Articles 4 (11), 6 (1) (a) and 7 of the General Data Protection Regulation.<br />
<br />
Order for the collection of consent contrary to the conditions of the General Data Protection Regulation<br />
<br />
The EDPS considers that, although the controller's conduct in breach of the provisions of the General Data Protection Regulation is in itself reprehensible, the infringement as a whole does not, at this stage, require a heavier sanction than the remark, as the legal situation was not clear since the General Data Protection Regulation came into force. However, it must be borne in mind that the shortcomings described above have affected the rights of several data subjects. There are several similar complaints pending in the Office of the EDPS.<br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_6722/154/2018&diff=10232Tietosuojavaltuutetun toimisto (Finland) - 6722/154/20182020-05-15T08:05:17Z<p>Ilkku: clarified the link between national law and the case verdict in the 'holding' section</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=6722/154/2018<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200545<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 17(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1c<br />
|GDPR_Article_2=Article 21(1) GDPR<br />
|GDPR_Article_Link_2=Article 21 GDPR#1<br />
|GDPR_Article_3=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2c<br />
|GDPR_Article_4=Article 87 GDPR<br />
|GDPR_Article_Link_4=Article 87 GDPR<br />
<br />
<br />
|National_Law_Name_1=Data Protection Act (1050/2018) <br />
|National_Law_Link_1=https://www.finlex.fi/en/laki/kaannokset/2018/en20181050<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Finnish Deputy Data Protection Ombudsman holds that pursuant to Article 17 GDPR, Google LLC must delist a search result link that leads to a website containing the data subject’s social security number. Legitimate interest is not a valid legal ground for processing social security numbers under national law.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The data subject requested Google to delist a link that leads to a website with information about the data subject’s criminal convictions and social security number. Google refused, on the grounds that access to the criminal conviction data is within public interest.<br />
<br />
===Dispute===<br />
Can the Deputy Data Protection Ombudsman instruct Google to comply with the data subject's request to remove the search result link as per Article 58(2)(c) GDPR?<br />
<br />
===Holding===<br />
Article 87 GDPR gives Member States the right to specify conditions for processing social security numbers. According to Article 29 of the Finnish Data Protection Act, the social security number may be only processed with the consent of the data subject or if provided by law. Because the data subject did not give his consent, nor was there a legal requirement to process the social security number, the Deputy Data Protection Ombudsman accepted the data subject’s claims and instructs Google LLC to comply with the data subject’s request to remove the search link under Article 58 (2)(c) GDPR. <br />
<br />
==Comment==<br />
<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
<br />
The applicant has filed a lawsuit with the Office of the Data Protection Officer regarding the removal of one URL search result link from the Google Search service.<br />
<br />
The url search result link leads to online content stating that in 2016, the applicant had been sentenced to one year and ten months of absolute imprisonment for multiple child sexual abuse. The exploitation of one victim had met the hallmarks of a felony. […] Information about the applicant's personal identity number can also be found behind the search result link.<br />
<br />
The applicant has justified his request for deletion, inter alia, by the fact that information about his personal identity number can be found behind the URL search result link requested for deletion. According to the applicant, this information is not publicly available elsewhere. The applicant has emphasized that the personal identification number is confidential information identifying a natural person issued by the authority. According to the applicant, the availability of such information can lead to, for example, identity theft. The applicant has also referred to Google Search's own removal policies. The applicant has received an acknowledgment requesting, inter alia, “your social security or similar government ID number”.<br />
<br />
<br />
Statement received from the controller<br />
<br />
The applicant has submitted a request to the controller himself for the removal of the search results links and received a negative reply to his request. The controller has also been asked for clarification by the Office of the Data Protection Officer. The registrar has submitted his report on 11.3.2020.<br />
<br />
The report states that Google LLC has reconsidered the matter. Google LLC has decided to stay with its original decision. It has been argued that the information available relates to the applicant's recent conviction for serious crimes. There had been several sexual exploitations, one of which had met the characteristics of a felony. The act had also included sexual intercourse with a minor.<br />
<br />
Google LLC has also invoked the guidance of the Article 29 Data Protection Working Party that, in the context of crime, data protection authorities are more likely to consider removing search results for relatively minor and long-standing offenses and less likely to remove results for serious and recent offenses.<br />
<br />
The report also found that in this case, the information describes criminal behavior. The availability of the information has been considered to be strongly justified in order to ensure the safety of the persons dealing with the applicant.<br />
<br />
Google LLC has determined that the information available to it does not constitute inaccurate or out-of-date information. Therefore, and given the seriousness and nature of the offenses, the controller has considered that access to the data is still justified by a legitimate interest.<br />
<br />
<br />
Legal question<br />
<br />
The Assistant Data Protection Officer assesses and decides on the applicant's case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). In deciding the case, the EDPS will also take into account the European Data Protection Board's Guidelines 5/2019 of 2 December 2019 on the criteria for the Right to be Forgotten in the search engines cases under the GDPR, judgments C-131/12 and C-136/17 and, where applicable, the Article 29 Working Party's guidelines of 26 November 2014 on the interpretation of the above-mentioned judgment C-131/12, “Guidelines on the implementation of the Court of Justice of the European Union judgment on 'Google Spain and Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González' C-131/12” (hereinafter the Interpretation Guide of the Article 29 Data Protection Working Party).<br />
<br />
The EDPS shall decide whether the controller should be instructed in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the data subject's request to remove the url search result link in question.<br />
<br />
In this decision, the Assistant Data Protection Officer will assess the applicant's case in terms of the processing of personal data by the controller and the online service it provides. The decision does not comment on whether the other actor involved, ie the original publisher of the data, has the right to keep the data available on its own website.<br />
<br />
<br />
DECISION<br />
<br />
For the reasons set out below, I accept the applicant's claims and instruct Google LLC, pursuant to Article 58 (2) (c) of the General Data Protection Regulation, to comply with the applicant's request to remove the url search link in question.<br />
<br />
Under Article 17 of the General Data Protection Regulation, the data subject has the right, if the conditions listed in that article are met, to have the controller delete personal data concerning the data subject without undue delay. The data subject may request the deletion of data on more than one of the grounds mentioned in this Article. The European Data Protection Board has taken a position on the application of the conditions set out in Article 17 (1) of the General Data Protection Regulation to internet search engines in the above-mentioned Interpretative Guideline 5/2019 on the criteria for the Right to be Forgotten in search engines cases under the GDPR.<br />
<br />
Judgments C-131/12 and C-136/17 of the European Court of Justice have stated that the processing of personal data by Internet search engines when a search is performed in the name of the data subject can have a significant impact on the data subject's privacy rights.<br />
<br />
Those judgments also state that the information published on a given individual website and its availability in the search results of internet search engines is always linked to two independent actors: 1) the website operator, the so-called original publisher, and 2) the internet search service operator. Judgment C-131/12 states that an internet search engine is an independent controller of the processing of personal data carried out by a search engine in order to provide URL search results (see paragraphs 35 to 41, 82 to 83 and 88 of the judgment). The two separate actors mentioned above do not, in principle, process personal data on the same basis. The judgment of the European Court of Human Rights in M.L. and W.W. v. Germany (dated 28 June 2018), on the other hand, states that the balance of interests may lead to different results depending on the case: (i) the original publisher's activities can be seen as at the heart of freedom of expression and expression, while (ii) the was not to publish the information in question per se, but to compile any information on the data subject in one place, thus enabling the creation of a profile of the data subject.<br />
<br />
Judgment C-131/12 further states that a person's public or parastatal status is a factor which may lead to the so-called general public having the right to obtain personal data about him from an internet search engine. The judgment states, inter alia, that a data subject may, in respect of his fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, demand that the information in question no longer be made available to the general public by including it in such a search result list; It is clear from paragraph 81 that those rights in principle supersede not only the financial interest of the search engine operator but also the interest of the general public in finding that information when searching under the name of the data subject. However, that would not be the case if it appeared that, for specific reasons such as the data subject's public status, the interference with the data subject's fundamental rights was justified by the overriding public interest in obtaining that information as a result of that inclusion (see paragraph 97).<br />
<br />
Judgment C-136/17 of the European Court of Justice, for its part, states that the right to the protection of personal data is not an absolute right but must be seen in the light of its role in society and, in accordance with the principle of proportionality, proportionate to other fundamental rights. It is further noted that, in particular, Article 17 (3) (a) of the Data Protection Regulation explicitly requires a balance between the fundamental rights to privacy and the protection of personal data enshrined in Articles 7 and 8 of the Charter and the freedom to provide information guaranteed by Article 11 of the Charter.<br />
<br />
The abovementioned judgments have thus held that the data subject's rights in principle supersede not only the financial interest of the search engine operator but also the interest of the general public in obtaining access to the information in question by searching in the name of the data subject. However, the European Court of Justice has identified a number of factors that need to be taken into account in the assessment. These include, but are not limited to, the nature or sensitivity of the information in question, and in particular the interests of Internet users in obtaining information, which must be assessed in the light of, inter alia, the data subject's possible public or similar status.<br />
<br />
The above-mentioned interpretation guide of the Article 29 Working Party defines the concept of public status. According to this interpretative guideline, a public position or a public person means that a person is, at least to some extent, subject to so-called media exposure through his or her actions or commitments. If a person has a public status, then there is a reason why the general public should be able to search the Internet search engine for information that is relevant to the person's public or similar role (see pages 13-14 of the 29th Data Protection Working Party's interpretative guide).<br />
<br />
Assessment of the applicant's case<br />
<br />
The commission and conviction of a criminal act in principle gives a person a public position in society and exposes him or her to so-called media exposure for that act. The premise is that a person who has committed a criminal offense cannot, after his or her act, have the same reasonable presumption as to the extent of the protection of his or her privacy as a person who has not committed an offense.<br />
<br />
The above principle is reflected, inter alia, in the judgment of the European Court of Human Rights in Sidabras and Džiautas v. Lithuania (2004, paragraph 49), which states that Article 8 of the ECHR does not protect against loss of reputation resulting from committing an offense. The judgment of the European Court of Human Rights in Axel Springer AG v. Germany (2012, paragraph 83) also confirms the same line.<br />
<br />
However, the above does not mean that the offender does not have any protection of privacy at all. Notwithstanding the criminal offense and the punishment received for it, part of the personal data of the person concerned remains covered by the protection of his or her private life and his or her fundamental right to privacy.<br />
<br />
It is common ground in the applicant's case that he has been sentenced to several years and ten months' absolute imprisonment for the sexual exploitation of a child. I consider that the applicant has thus acquired a public or parastatal status within the meaning of Case C-131/12. Hereinafter, I will use the term “public status”. That public position gives, in principle, a legitimate interest to the general public in obtaining personal data concerning the applicant from the Google Search service, as outlined in Case C-131/12 (see paragraph 97 of the judgment). It should also be noted that, according to the Journalists' instructions, the name, image or other identifying information of a person convicted of a crime may be published, unless it is clearly unreasonable in relation to the convicted person's position or act.<br />
<br />
Judgment C-131/12 of the European Court of Justice has specifically outlined the deletion of personal data (url search results) from an internet search engine. In assessing the need to delete personal data related to public status, a balancing of interests must be carried out, which also takes into account the rights of other persons to obtain information about the data subject through url search results from the Google Search service. The balance of interests shall seek to strike a fair balance between the general public's interest in obtaining information and the fundamental rights of the data subject under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Although the data subject's rights protected by those articles supersede, as a general rule, the interest of internet users, the balance may depend on the nature and sensitivity of the data subject's privacy in specific cases and the public's interest in having access to such data (cf. paragraphs 73-74, 81, 97, 99 of the ECJ judgment and Articles 6 and 8 (1) (8) of the Personal Data Act).<br />
<br />
Furthermore, in the Interpretation Guide of the Article 29 Working Party, personal data processed in the context of a search engine operation are divided into factual information (facts) and opinions or views that individuals have on a particular issue or person. The assessment of the inaccuracy of personal data must take into account whether the matter is a fact whose accuracy cannot be disputed or whether it is a subjective opinion or view. The Interpretative Guidance states that DPAs are more likely to consider deleting search results that are objectively observable and therefore give an incorrect, incomplete or misleading picture of the person (see pages 15 and 17 of the Article 29 Working Party's Interpretative Guide).<br />
<br />
The applicant has not denied that he has been convicted of several sexual exploitations of a child with an absolute term of imprisonment of one year and ten months. It is therefore not a question of having information behind the url search results in question that contains information about the applicant which is not true.<br />
<br />
The assessment provided for in Article 17 (1) (c) of the General Data Protection Regulation must also be taken into account. According to Article 21 (1) of the General Data Protection Regulation, the data subject has the right at any time to object to the processing of personal data concerning him or her based on Article 6 (1) (e) or (f) on the basis of his or her specific personal situation. The controller shall no longer process personal data unless the controller can demonstrate that there is an overriding and justified reason for the processing which overrides the data subject's interests, rights and freedoms or is necessary for the preparation, presentation or defense of a legal claim. The EDPS Interpretative Guide states that, for example, any of the processing criteria set out in Article 17 (3) of the General Data Protection Regulation may constitute a significant and legitimate reason to override the data subject's interests, rights and freedoms (see page 7 of the EDPS Interpretative Guide).<br />
<br />
<br />
In assessing the present case, notwithstanding the above, it must be borne in mind that the applicant's personal identity number is available behind the url search result link in question. Article 87 of the General Data Protection Regulation provides that Member States may further specify the specific conditions for the processing of a national personal number or other public identifier.<br />
<br />
Section 29 of the Data Protection Act provides for the processing of personal identity numbers. The personal identity number may be processed with the consent of the data subject or if the processing is provided by law. In addition, the personal identity number may be processed if the unambiguous identification of the data subject is important, inter alia, for the exercise of the rights and obligations of the data subject or the controller. It is noteworthy that the processing of a personal identity number is not allowed in order to pursue the legitimate interest of a third party. The processing is not even allowed in order to fulfill the legitimate interests of the controller himself, but only to fulfill the rights and obligations of the controller.<br />
<br />
Google LLC has determined that access to the information is justified to ensure the safety of those dealing with the applicant. Google LLC continues to believe that access to the information is justified by a legitimate interest. However, as stated above, the processing of a personal identity number is not permitted on the above grounds.<br />
<br />
In the light of the above, I instruct Google LLC, pursuant to Article 58 (2) (c) of the General Data Protection Regulation, to comply with the applicant's request to remove the url search link in question.<br />
<br />
The decision is not yet final.<br />
<br />
</pre></div>Ilkkuhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_6722/154/2018&diff=10231Tietosuojavaltuutetun toimisto (Finland) - 6722/154/20182020-05-14T22:15:11Z<p>Ilkku: Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=6722/154/2018<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2020/20200545<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 17(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1c<br />
|GDPR_Article_2=Article 21(1) GDPR<br />
|GDPR_Article_Link_2=Article 21 GDPR#1<br />
|GDPR_Article_3=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2c<br />
|GDPR_Article_4=Article 87 GDPR<br />
|GDPR_Article_Link_4=Article 87 GDPR<br />
<br />
<br />
|National_Law_Name_1=Data Protection Act (1050/2018) <br />
|National_Law_Link_1=https://www.finlex.fi/en/laki/kaannokset/2018/en20181050<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Finnish Deputy Data Protection Ombudsman holds that pursuant to Article 17 GDPR, Google LLC must delist a search result link that leads to a website containing the data subject’s social security number. Legitimate interest is not a valid legal ground for processing social security numbers under national law.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject requested Google to delist a link that leads to a website with information about the data subject’s criminal convictions and social security number. Google refused, on the grounds that access to the criminal conviction data is in the public interest.<br />
<br />
=== Dispute ===<br />
Can the Deputy Data Protection Ombudsman instruct Google to comply with the data subject's request to remove the search result link as per Article 58(2)(c) GDPR?<br />
<br />
=== Holding ===<br />
Article 87 GDPR gives Member States the right to specify conditions for processing social security numbers. According to Article 29 of the Finnish Data Protection Act, the social security number may only be processed with the consent of the data subject or if provided by law. Because of this, the Deputy Data Protection Ombudsman accepted the data subject’s claims and instructed Google LLC to comply with the data subject’s request to remove the search link under Article 58 (2)(c) GDPR.<br />
<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
<br />
<br />
The applicant has filed a lawsuit with the Office of the Data Protection Officer regarding the removal of one of the url search results links from the Google Search service.<br />
<br />
The url search result link leads to online content stating that in 2016, the applicant had been sentenced to one year and ten months of absolute imprisonment for multiple child sexual abuse. The exploitation of one victim had met the hallmarks of a felony. […] Information about the applicant's personal identity number can also be found behind the search result link.<br />
<br />
The applicant has justified his request for deletion, inter alia, by the fact that information about his personal identity can be found behind the url search result link requested for deletion. According to the applicant, this information is not publicly available elsewhere. The applicant has emphasized that the personal identification number is confidential information identifying a natural person issued by the authority. According to the applicant, the availability of such information can lead to, for example, identity theft. The applicant has also referred to Google Search's own removal policies. The applicant has received an acknowledgment requesting, inter alia, “your social security or similar government ID number”.<br />
<br />
<br />
Statement received from the controller<br />
<br />
The applicant has submitted a request to the controller himself for the removal of the search results links and received a negative reply to his request. The controller has also been asked for clarification by the Office of the Data Protection Officer. The registrar has submitted his report on 11.3.2020.<br />
<br />
The report states that Google LLC has reconsidered the matter. Google LLC has decided to stay with its original decision. It has been argued that the information available relates to the applicant's recent conviction for serious crimes. There had been several sexual exploitations, one of which had met the characteristics of a felony. The act had also included sexual intercourse with a minor.<br />
<br />
Google LLC has also invoked the guidance of the Article 29 Data Protection Working Party that, in the context of crime, data protection authorities are more likely to consider removing search results for relatively minor and long-standing offenses and less likely to remove results for serious and recent offenses.<br />
<br />
The report also found that in this case, the information describes criminal behavior. The availability of the information has been considered to be strongly justified in order to ensure the safety of the persons dealing with the applicant.<br />
<br />
Google LLC has determined that the information available to it does not constitute inaccurate or out-of-date information. Therefore, and given the seriousness and nature of the offenses, the controller has considered that access to the data is still justified by a legitimate interest.<br />
<br />
<br />
Legal question<br />
<br />
The Assistant Data Protection Officer assesses and decides on the applicant's case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). In deciding the case, the EDPS will also take into account the European Data Protection Board's Guidelines 5/2019 of 2 December 2019 on the criteria for the Right to be Forgotten in the search engines cases under the GDPR, judgments C-131/12 and C-136/17 and, where applicable, the Article 29 Working Party's guidelines of 26 November 2014 on the interpretation of the above-mentioned judgment C-131/12, “Guidelines on the implementation of the Court of Justice of the European Union judgment on ‘Google Spain and Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ C-131/12” (later the Interpretation Guide of the Article 29 Data Protection Working Party).<br />
<br />
The EDPS shall decide whether the controller should be instructed in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the data subject's request to remove the url search result link in question.<br />
<br />
In this decision, the Assistant Data Protection Officer will assess the applicant's case in terms of the processing of personal data by the controller and the online service it provides. The decision does not comment on whether the other actor involved, ie the original publisher of the data, has the right to keep the data available on its own website.<br />
<br />
<br />
DECISION<br />
<br />
For the reasons set out below, I accept the applicant's claims and instruct Google LLC, pursuant to Article 58 (2) (c) of the General Data Protection Regulation, to comply with the applicant's request to remove the url search link in question.<br />
<br />
Under Article 17 of the General Data Protection Regulation, the data subject has the right, if the conditions listed in that article are met, to have the controller delete personal data concerning the data subject without undue delay. The data subject may request the deletion of data on more than one of the grounds mentioned in this Article. The European Data Protection Board has taken a position on the application of the conditions set out in Article 17 (1) of the General Data Protection Regulation to internet search engines in the above-mentioned Interpretative Guideline 5/2019 on the criteria for the Right to be Forgotten in search engines cases under the GDPR.<br />
<br />
Judgments C-131/12 and C-136/17 of the European Court of Justice have stated that the processing of personal data by Internet search engines when a search is performed in the name of the data subject can have a significant impact on the data subject's privacy rights.<br />
<br />
Those judgments also state that the information published on a given individual website and its availability in the search results of internet search engines is always linked to two independent actors: 1) the website operator, the so-called original publisher, and 2) the internet search service operator. Judgment C-131/12 states that an internet search engine is an independent controller of the processing of personal data carried out by a search engine in order to provide url search results (see paragraphs 35 to 41, 82 to 83 and 88 of the judgment). The two separate actors mentioned above do not, in principle, process personal data on the same basis. The judgment of the European Court of Human Rights in M.L. and W.W. v. Germany (dated 28 June 2018), on the other hand, states that the balance of interests may lead to different results depending on the case: (i) the original publisher's activities can be seen as at the heart of freedom of expression and expression, while (ii) the was not to publish the information in question per se, but to compile any information on the data subject in one place, thus enabling the creation of a profile of the data subject.<br />
<br />
Judgment C-131/12 further states that a person's public or parastatal status is a factor which may lead to the so-called general public having the right to obtain personal data about him from an internet search engine. The judgment states, inter alia, that a data subject may, in respect of his fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, demand that the information in question no longer be made available to the general public by including it in such a search result list; It is clear from paragraph 81 that those rights in principle supersede not only the financial interest of the search engine operator but also the interest of the general public in finding that information when searching under the name of the data subject. However, that would not be the case if it appeared that, for specific reasons such as the data subject's public status, the interference with the data subject's fundamental rights was justified by the overriding public interest in obtaining that information as a result of that inclusion (see paragraph 97).<br />
<br />
Judgment C-136/17 of the European Court of Justice, for its part, states that the right to the protection of personal data is not an absolute right but must be seen in the light of its role in society and, in accordance with the principle of proportionality, proportionate to other fundamental rights. It is further noted that, in particular, Article 17 (3) (a) of the Data Protection Regulation explicitly requires a balance between the fundamental rights to privacy and the protection of personal data enshrined in Articles 7 and 8 of the Charter and the freedom to provide information guaranteed by Article 11 of the Charter.<br />
<br />
The abovementioned judgments have thus held that the data subject's rights in principle supersede not only the financial interest of the search engine operator but also the interest of the general public in obtaining access to the information in question by searching in the name of the data subject. However, the European Court of Justice has identified a number of factors that need to be taken into account in the assessment. These include, but are not limited to, the nature or sensitivity of the information in question, and in particular the interests of Internet users in obtaining information, which must be assessed in the light of, inter alia, the data subject's possible public or similar status.<br />
<br />
The above-mentioned interpretation guide of the Article 29 Working Party defines the concept of public status. According to this interpretative guideline, a public position or a public person means that a person is, at least to some extent, subject to so-called media exposure through his or her actions or commitments. If a person has a public status, then there is a reason why the general public should be able to search the Internet search engine for information that is relevant to the person's public or similar role (see pages 13-14 of the 29th Data Protection Working Party's interpretative guide).<br />
<br />
Assessment of the applicant's case<br />
<br />
The commission and conviction of a criminal act in principle gives a person a public position in society and exposes him or her to so-called media exposure for that act. The premise is that a person who has committed a criminal offense cannot, after his or her act, have the same reasonable presumption as to the extent of the protection of his or her privacy as a person who has not committed an offense.<br />
<br />
The above principle is reflected, inter alia, in the judgment of the European Court of Human Rights in Sidabras and Džiautas v. Lithuania (2004, paragraph 49), which states that Article 8 of the ECHR does not protect against loss of reputation resulting from committing an offense. The judgment of the European Court of Human Rights in Axel Springer AG v. Germany (2012, paragraph 83) also confirms the same line.<br />
<br />
However, the above does not mean that the offender does not have any protection of privacy at all. Notwithstanding the criminal offense and the punishment received for it, part of the personal data of the person concerned remains covered by the protection of his or her private life and his or her fundamental right to privacy.<br />
<br />
It is common ground in the applicant's case that he has been sentenced to several years and ten months' absolute imprisonment for the sexual exploitation of a child. I consider that the applicant has thus acquired a public or parastatal status within the meaning of Case C-131/12. Hereinafter, I will use the term “public status”. That public position gives, in principle, a legitimate interest to the general public in obtaining personal data concerning the applicant from the Google Search service, as outlined in Case C-131/12 (see paragraph 97 of the judgment). It should also be noted that, according to the Journalists' instructions, the name, image or other identifying information of a person convicted of a crime may be published, unless it is clearly unreasonable in relation to the convicted person's position or act.<br />
<br />
Judgment C-131/12 of the European Court of Justice has specifically outlined the deletion of personal data (url search results) from an internet search engine. In assessing the need to delete personal data related to public status, a balancing of interests must be carried out, which also takes into account the rights of other persons to obtain information about the data subject through url search results from the Google Search service. The balance of interests shall seek to strike a fair balance between the general public's interest in obtaining information and the fundamental rights of the data subject under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Although the data subject's rights protected by those articles supersede, as a general rule, the interest of internet users, the balance may depend on the nature and sensitivity of the data subject's privacy in specific cases and the public's interest in having access to such data (cf. paragraphs 73-74, 81, 97, 99 of the ECJ judgment and Articles 6 and 8 (1) (8) of the Personal Data Act).<br />
<br />
Furthermore, in the Interpretation Guide of the Article 29 Working Party, personal data processed in the context of a search engine operation are divided into factual information (facts) and opinions or views that individuals have on a particular issue or person. The assessment of the inaccuracy of personal data must take into account whether the matter is a fact whose accuracy cannot be disputed or whether it is a subjective opinion or view. The Interpretative Guidance states that DPAs are more likely to consider deleting search results that are objectively observable and therefore give an incorrect, incomplete or misleading picture of the person (see pages 15 and 17 of the Article 29 Working Party's Interpretative Guide).<br />
<br />
The applicant has not denied that he has been convicted of several sexual exploitations of a child with an absolute term of imprisonment of one year and ten months. It is therefore not a question of having information behind the url search results in question that contains information about the applicant which is not true.<br />
<br />
The assessment provided for in Article 17 (1) (c) of the General Data Protection Regulation must also be taken into account. According to Article 21 (1) of the General Data Protection Regulation, the data subject has the right at any time to object to the processing of personal data concerning him or her based on Article 6 (1) (e) or (f) on the basis of his or her specific personal situation. The controller shall no longer process personal data unless the controller can demonstrate that there is an overriding and justified reason for the processing which overrides the data subject's interests, rights and freedoms or is necessary for the preparation, presentation or defense of a legal claim. The EDPS Interpretative Guide states that, for example, any of the processing criteria set out in Article 17 (3) of the General Data Protection Regulation may constitute a significant and legitimate reason to override the data subject's interests, rights and freedoms (see page 7 of the EDPS Interpretative Guide).<br />
<br />
<br />
In assessing the present case, notwithstanding the above, it must be borne in mind that the applicant's personal identity number is available behind the url search result link in question. Article 87 of the General Data Protection Regulation provides that Member States may further specify the specific conditions for the processing of a national personal number or other public identifier.<br />
<br />
Section 29 of the Data Protection Act provides for the processing of personal identity numbers. The personal identity number may be processed with the consent of the data subject or if the processing is provided by law. In addition, the personal identity number may be processed if the unambiguous identification of the data subject is important, inter alia, for the exercise of the rights and obligations of the data subject or the controller. It is noteworthy that the processing of a personal identity number is not allowed in order to pursue the legitimate interest of a third party. The processing is not even allowed in order to fulfill the legitimate interests of the controller himself, but only to fulfill the rights and obligations of the controller.<br />
<br />
Google LLC has determined that access to the information is justified to ensure the safety of those dealing with the applicant. Google LLC continues to believe that access to the information is justified by a legitimate interest. However, as stated above, the processing of a personal identity number is not permitted on the above grounds.<br />
<br />
In the light of the above, I instruct Google LLC, pursuant to Article 58 (2) (c) of the General Data Protection Regulation, to comply with the applicant's request to remove the url search link in question.<br />
<br />
The decision is not yet final.<br />
<br />
</pre></div>Ilkku