Tietosuojavaltuutetun toimisto (Finland) - 7635/162/21: Difference between revisions

From GDPRhub
Latest revision as of 17:30, 23 February 2022

Tietosuojavaltuutetun toimisto (Finland) - 7635/162/21
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 6(1)(e) GDPR
Article 6(2) GDPR
Article 10 GDPR
Section 2(1)(3) of the Act (504/2002) on Criminal Background Check of Persons Working with Children.
Section 23 Data Protection Act in Criminal Matters
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.01.2022
Published: 13.01.2022
Fine: None
Parties: Social and Health Services in Kymenlaakso (Kymsote)
National Case Number/Name: 7635/162/21
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: finlex (in FI)
Initial Contributor: Giel Ritzen

The Finnish DPA held that a social services entity violated Article 6(1) and Article 10 GDPR by requiring potential foster parents to provide criminal record certificates through the wrong procedure, rather than the national law procedure specifically established for this purpose.

English Summary

Facts

The DPA carried out an investigation into the controller’s processing on its own initiative, after receiving information from the police. The controller is the Kymenlaakso Joint Municipal Authority for Health and Social Services Kymsote. It assesses families that plan to be foster parents for their eligibility. During this procedure, the controller requires parents to file an access request to the police pursuant to Section 23 of the (Finnish) Criminal Data Protection Act, to see if there is a criminal record or status report on (one of) the parents. Such a report would contain valuable information for the controller’s assessment, for example whether someone has been arrested for drunk driving. Then, in the presence of the parents, the controller’s coaches would check the reports for any absolute obstacles to becoming a foster parent. The controller claimed that this information is absolutely necessary for the assessment.

The DPA assessed whether the controller’s processing was in accordance with the GDPR.

Holding

First, the DPA considered that the reports contain personal data relating to criminal convictions and offences, and therefore Article 10 GDPR applies. Moreover, it noted that the controller carries out a task in the public interest, and the controller can, in principle, rely on Article 6(1)(e) GDPR. However, the DPA also considered that pursuant to Article 6(2) GDPR, Finnish legislation contains a more detailed provision that regulates the processing of personal data pursuant to Article 10 GDPR, in Section 2(1)(3) of the Act (504/2002) on Criminal Background Check of Persons Working with Children. Moreover, it found that this legislation creates a proportionate and appropriate procedure for checking the criminal background of persons working with children. Second, the DPA considered that the purpose of a data subject's access request is not to provide a public authority with information that the data subject obtained from it. As stated, there was a proportionate and appropriate procedure in place to obtain this information.

Hence, it found that the controller’s procedure violates Article 6(1) and Article 10 GDPR, since there is no lawful basis for the processing of the personal data in question, and the controller should just follow the procedure listed in the Act 504/2002. Consequently, the DPA issued a warning to the controller pursuant to Article 58(2)(b) GDPR and ordered the controller to bring its processing operations in compliance with the GDPR, pursuant to Article 58(2)(d) GDPR.

Comment

This decision is not final.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The data subject's right to inspect his data as a means of obtaining information from the authority

Keywords: right of inspection
criminal background

Legal basis: Decision in accordance with the EU General Data Protection Regulation

Diary number: 7635/162/21

Decision of the Assistant Supervisor

Thing

Exercising the data subject's right of inspection at the request of the controller with regard to the processing of personal data by the police

Initiator

Own initiative of the EDPS

Registrar

Kymsote, a consortium of social and health services in Kymenlaakso

Requirements for the data subject

According to information received from the police by the Office of the Data Protection Supervisor, the police have received numerous requests for the data subject's right of inspection under section 23 of the Police Data Protection Act (1054/2018, hereinafter "the Criminal Data Protection Act"). According to information received from the police, the controller's social services have required persons seeking support for family or surrogate family activities to exercise the data subject's right to inspect the police's personal data and to submit the response to the controller.

Statement received from the controller

Pursuant to Article 58 (1) of the Data Protection Regulation (EU) 2016/679 and Article 18 of the Data Protection Act (1050/2018), the Office of the Data Protection Supervisor requested clarification from the controller on 20 September 2021, which was received on 13 December 2021. The report has been issued by the Director of Social Services.

In his report, the controller shall state:

The registrar informs the families planning the surrogacy that, before the coaching process begins, both parents of the family must themselves ask the police for the status information and present it to the registrar's PRIDE coaches. From these documents, the coaches check the family for possible absolute barriers to participating in PRIDE coaching and acting as a surrogate parent. After verification, the documents remain with the family itself. After reviewing the documents, the surrogate family coaching process can proceed. If the family does not want to request or present the police situation information documents needed to check the absolute obstacles to the coaches, the coaching process cannot proceed and the family cannot participate in the PRIDE coaching.

The procedure is instructed so that the family itself requests police situation information documents from the police. In the presence of the family, the coaches check the documents for any absolute obstacles to acting as a surrogate parent and return the documents to the family immediately after the review. Only two PRIDE coaching staff process/review the data. The data is not stored anywhere and the documents are handed back to the family immediately after the inspection.

It is absolutely important to check the background information of a family planning a surrogate parenting and participating in PRIDE coaching before starting coaching. For example, any drunk driving by a family parent or home alerts to the family are things that need to be able to be checked and brought to the attention of coaches before coaching begins. There is no other way to clarify these exemplary issues. However, these examples are matters that need to be known to the controller in order to be subject to a particularly careful assessment in order to act as surrogate parents for the family.

In the case of voluntary support staff and support family activities for children and young people, participants in the training and applicants for the activity will be asked for their prior written consent for the organizer of the training of the controller to order an extract from the criminal record. Reviewing the extract from the criminal record will only help to exclude convicted persons from working with children. Even if there are no entries in the extract at all, the data controller always makes the decision to recruit a volunteer independently. The processing of personal data concerning the volunteer complies with the provisions of the Data Protection Regulation and the Data Protection Act. The extract from the criminal record is not kept by the controller, but only in the resource of the information system it is marked as seen for the performance of the support relationship work and only for the duration of its operation.

For those applying for surrogate families, the criminal record and the instructions for retrieving police situation information are described in the Registrar's Code of Conduct for Family Care. We are also preparing clear guidelines for volunteering with regard to support staff and support family activities. We have realized that there have been different practices nationwide for requesting police situation information. However, this is not required by the controller for those involved in family support and support person activities.

Applicable provisions and assessment

The registrar has introduced a procedure in which both parents of families wishing to become foster parents must themselves request police status information from the police and present it to the registrar for verification. Family care in accordance with section 3 of the Family Care Act (263/2015) is intended for surrogacy.

The registrar says that this is a police situation. The legislation does not know what definition or procedure would be called to request police situation information. In practice, the controller has required that persons wishing to become family caretakers exercise the data subject's right to inspect the personal data of the police provided for in section 23 of the Data Protection Act and present the personal data received on the basis of the right to inspect to the controller's representative.

Article 4 (2) of Chapter 1 of the Data Protection Regulation defines the processing of personal data, the processing of personal data also requiring the controller to submit and verify documents containing personal data.

According to Article 10 of the Data Protection Regulation, the processing of personal data relating to criminal convictions and related security measures under Article 6 (1) shall be carried out only under the supervision of an authority or authorized by Union law or national law providing for appropriate safeguards to protect the data subject's rights and freedoms. A comprehensive criminal record is kept only under the supervision of a public authority.

The Data Protection Regulation is directly applicable law in the Member States. However, Article 6 (2) of the Data Protection Regulation allows for more detailed provisions to adapt the provisions of the Regulation where the processing of personal data is necessary to fulfill a data subject's legal obligation (Article 6 (1) (c)) or to exercise a public interest task (Article 6 (1) (e)). Article 6 (3) of the Data Protection Regulation requires that the basis for the processing of personal data in these situations be laid down in Union law or in the law of the Member State applicable to the controller. Such legislation may include provisions on, inter alia, the type of data to be processed, the data subjects, the persons to whom and the purposes for which the personal data may be disclosed.

Finnish national law contains an act within the meaning of Article 10 of the Data Protection Regulation concerning the processing of personal data relating to criminal convictions and criminal offenses in respect of family carers. The Act on Determining the Criminal Background of Those Working with Children (504/2002) applies to the review of the criminal background of a family caregiver, in accordance with section 2 (1) (3) of this Act. The legislation thus provides for a proportionate and appropriate procedure for verifying the criminal background of those working with children.

The purpose of the data subject's right of inspection is to enable the data subject to exercise that right in order to keep himself informed of the lawfulness of the processing and to verify it. The authority cannot require the data subject to provide himself with information obtained through the exercise of the data subject's right of inspection, and thus does not use the data subject's right of inspection as a means of obtaining information from the authority. Even if the controller considers that a wider acquisition of data and the processing of personal data would be justified, the controller may not introduce additional illegal procedures in addition to those provided for by law.

The conditions for the processing of personal data by public authorities shall be in accordance with Article 6 (1) (c) and (e) of the Data Protection Regulation and the national provisions adopted pursuant thereto. As regards criminal convictions and criminal offenses or related security measures, the provisions governing the operation of the authority must meet the conditions laid down in Article 10 of the Data Protection Regulation. By requiring those wishing to become caretakers to exercise their right of inspection under the Criminal Data Protection Act and processing personal data obtained under that right, the controller has infringed Articles 6 (1) and 10 of the Data Protection Regulation as there was no legal basis for processing the personal data in question.

The controller does not require the exercise of the right of inspection in respect of those involved in the activities of the support family and support staff. In the case of voluntary support person and support family activities for children and young people, the data controller shall request the prior written consent of the training provider to order an extract from the criminal record. Based on the report received, the procedure complies with the law on determining the criminal background of volunteers working with children (148/2014).

Note and order of the Assistant Data Protection Supervisor

I will issue a remark to the controller in accordance with Article 58 (2) (b) of the Data Protection Regulation, as the processing of the controller's personal data has been in breach of Articles 6 (1) and 10 of the Data Protection Regulation, as described above.

In accordance with Article 58 (2) (d) of the Data Protection Regulation, the controller shall order the processing of personal data to comply with the provisions of this Regulation within 30 days of notification of this Decision, unless it appeals against this Decision. Pursuant to this provision, the data controller shall terminate the procedure whereby persons wishing to become family caretakers are required to exercise the data subject's right to inspect the police personal registers and to transmit the personal data received from the police to the data controller. With regard to the verification of the criminal background of a family caregiver, the registrar shall apply the Act on the Determination of the Criminal Background of Those Working with Children (504/2002).

Appeal

Pursuant to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is lodged with the Administrative Court of Eastern Finland.

Service

The decision shall be served by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt.

The decision is not final.