Korkein hallinto-oikeus (Finland) - KHO:2023:56: Difference between revisions
No edit summary |
No edit summary |
||
Line 84: | Line 84: | ||
The Supreme Administrative Court noted that the initial decision of the DPA did not address [[Article 6 GDPR]]. Therefore, the Supreme Administrative Court did not address the question of whether the controller had a legal basis within the meaning of [[Article 6 GDPR]]. The Supreme Administrative court focused on assessing on whether the controller’s collection of personal data of the children complies with the data minimisation requirement set out in [[Article 5 GDPR|Article 5(1)(c) GDPR]]. | The Supreme Administrative Court noted that the initial decision of the DPA did not address [[Article 6 GDPR]]. Therefore, the Supreme Administrative Court did not address the question of whether the controller had a legal basis within the meaning of [[Article 6 GDPR]]. The Supreme Administrative court focused on assessing on whether the controller’s collection of personal data of the children complies with the data minimisation requirement set out in [[Article 5 GDPR|Article 5(1)(c) GDPR]]. | ||
Initially, the Supreme Administrative Court repeated the DPA’s view that the existence of a legal basis for processing does not in itself make the processing lawful. The processing of personal data must also comply with the requirements laid down in [[Article 5 GDPR]], including the principle of minimisation pursuant to Article 5(1)(c). It was stated by the Supreme Administrative Court that in assessing whether personal data are limited to what is necessary, account shall be taken of the purposes for which the data are to be used. Furthermore, [[Recital 39|recital 39 GDPR]] states, inter alia, that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed and that personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. | Initially, the Supreme Administrative Court repeated the DPA’s view that the existence of a legal basis for processing does not in itself make the processing lawful. The processing of personal data must also comply with the requirements laid down in [[Article 5 GDPR]], including the principle of minimisation pursuant to [[Article 5 GDPR|Article 5(1)(c) GDPR]]. It was stated by the Supreme Administrative Court that in assessing whether personal data are limited to what is necessary, account shall be taken of the purposes for which the data are to be used. Furthermore, [[Recital 39|recital 39 GDPR]] states, inter alia, that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed and that personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. | ||
The Supreme Administrative Court also noted that [[Article 87 GDPR]] allows for the conditions for processing a national personal identification number to be laid down in national law. In this perspective, [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Article 29 of the Finnish Data Protection Act], allows for the processing of personal identification numbers in the context of rental activities. However, the Supreme Administrative Court emphasized that the processing must also comply with the principles laid down in [[Article 5 GDPR]]. | The Supreme Administrative Court also noted that [[Article 87 GDPR]] allows for the conditions for processing a national personal identification number to be laid down in national law. In this perspective, [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Article 29 of the Finnish Data Protection Act], allows for the processing of personal identification numbers in the context of rental activities. However, the Supreme Administrative Court emphasized that the processing must also comply with the principles laid down in [[Article 5 GDPR]]. |
Revision as of 16:01, 7 June 2023
KHO - KHO:2023:56 | |
---|---|
Court: | KHO (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 5(1)(c) GDPR Article 6 GDPR Article 25 GDPR Article 87 GDPR Tietosuojalaki (1050/2018) 29 § |
Decided: | 05.06.2023 |
Published: | 05.06.2023 |
Parties: | |
National Case Number/Name: | KHO:2023:56 |
European Case Law Identifier: | |
Appeal from: | Pohjois-Suomen hallinto-oikeus (Finland) 1036/2022 |
Appeal to: | |
Original Language(s): | Finnish |
Original Source: | Korkein hallinto-oikeus (in Finnish) |
Initial Contributor: | n/a |
In a case concerning unnecessary collection of children persona data, the Finnish Supreme Administrative Court recalled the importance of the principle of minimisation under Article 5(1)(c) GDPR. Alleged technical difficulties are not grounded. Such principle must be implemented since the beginning of the processing under Article 25 GDPR.
English Summary
Facts
The rental company A Oy (the controller) regularly collected the personal identity numbers of minor children of families living in or applying for accommodation in rented accommodation.
The Finnish DPA had ordered the controller to bring the processing operations regarding collection of the children's personal data into compliance with the GDPR, and to delete the collected personal identity numbers of minor children to the extent that there was no appropriate legal basis for their collection. In its decision, the DPA found that it was not necessary for the controller to, as a rule, collect the children’s personal data in light of the data minimisation principle stipulated in Article 5(1)(c) GDPR.
The controller appealed the decision with the Administrative Court of Northern Finland which annulled the DPA’s decision. The Administrative Court viewed, inter alia, that the controller had a legitimate interest pursuant to Article 6(1)(f) GDPR for processing personal data of children for the purpose of its rental activities.
Thereafter, the DPA challenged the court’s decision and appealed it with the Supreme Administrative Court in Finland. The DPA argued that the previous Court was incorrect to conclude that the processing in question was lawful because the controller had a legal basis under Article 6 GDPR. The DPA established that notwithstanding that the controller has a legal basis for processing, processing is still in breach of the GDPR when personal personal data are unnecessary for the specific purpose. In the view of the DPA, the court had failed to apply the principle of minimisation.
Holding
The Supreme Administrative Court noted that the initial decision of the DPA did not address Article 6 GDPR. Therefore, the Supreme Administrative Court did not address the question of whether the controller had a legal basis within the meaning of Article 6 GDPR. The Supreme Administrative court focused on assessing on whether the controller’s collection of personal data of the children complies with the data minimisation requirement set out in Article 5(1)(c) GDPR.
Initially, the Supreme Administrative Court repeated the DPA’s view that the existence of a legal basis for processing does not in itself make the processing lawful. The processing of personal data must also comply with the requirements laid down in Article 5 GDPR, including the principle of minimisation pursuant to Article 5(1)(c) GDPR. It was stated by the Supreme Administrative Court that in assessing whether personal data are limited to what is necessary, account shall be taken of the purposes for which the data are to be used. Furthermore, recital 39 GDPR states, inter alia, that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed and that personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.
The Supreme Administrative Court also noted that Article 87 GDPR allows for the conditions for processing a national personal identification number to be laid down in national law. In this perspective, Article 29 of the Finnish Data Protection Act, allows for the processing of personal identification numbers in the context of rental activities. However, the Supreme Administrative Court emphasized that the processing must also comply with the principles laid down in Article 5 GDPR.
It was noted by the Supreme Administrative Court that in some situations it is necessary to process the personal identification number of a minor. This may be if the minor is a party to the rental contract or an applicant for rental accommodation. However, the ruling highlighted that these situations do not constitute a need to collect personal identification numbers, as a rule, from all minor children of tenants or applicants for accommodation.
The Supreme Administrative Court also applied Article 25 GDPR. It was held that the controller cannot justify the necessity of processing personal data on the basis of the technical requirements of the information system it uses. Information systems must be designed in such a way that they do not require the processing of otherwise unnecessary personal data. Therefore, the reasons put forward by the controller relating to the functionalities of the information system could not be considered as grounds for considering the processing of personal data to be necessary within the meaning of Article 5(1)(c) GDPR.
Eventually, the Supreme Administrative Court annulled the Administrative Court’s ruling. The Supreme Administrative Court found that the controller had not submitted any evidence that would allow it to be considered that the regular collection of the personal identification numbers of all minor children living with their parents in a rented accommodation or applying for accommodation would be necessary within the meaning of Article 5(1)(c) GDPR for the purposes notified by the company.
However, it was also noted that the provision does not prevent the controller from continuing to collect such data in situations where there is a justification and need for the processing under the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
ewogICJzcGVjdHJ1bS5zaG93QnV0dG9ucyIgOiAiZmFsc2UiLAogICJidXR0b24ucGFnZSIgOiAiZmFsc2UiLAogICJpMThuLm9ubHkudGhlLmFscGhhYmV0LmFsbG93ZWQubm8uc2NhbmRpbmF2aWFuLmNoYXJhY3RlcnMiIDogIlZhaW4gYWFra29zZXQgc2FsbGl0dWphIChlaSDDpMOka2vDtnNpw6QpIiwKICAiYnV0dG9uLmluZGVudCIgOiAidHJ1ZSIsCiAgImkxOG4uYWx0LnRleHQiIDogIkFsdC10ZWtzdGkiLAogICJHVUlEIiA6ICIiLAogICJpMThuLnNlbGVjdC52YXJpYWJsZSIgOiAiVmFsaXRzZSBtdXV0dHVqYSIsCiAgImVsZW1lbnQucHJlcm9vdCIgOiAidHJ1ZSIsCiAgImkxOG4uY29kZS5lZGl0b3IiIDogIktvb2RpZWRpdG9yaSIsCiAgImkxOG4udGV4dC5iYWNrZ3JvdW5kLmNvbG9yIiA6ICJUZWtzdGluIHRhdXN0YXbDpHJpIiwKICAiYnV0dG9uLmRlbGV0ZXJvdyIgOiAidHJ1ZSIsCiAgImVsZW1lbnQiIDogIm9oLWludGVybmV0LXNpc2FsbG9uaGFsbGludGEvc2lzYWx0b2VkaXRvcmkvdGV4dCIsCiAgImkxOG4uaW1wb3J0Lm9yLnBhc3RlLmNvbnRlbnQiIDogIlR1byAvIExpaXTDpCBzaXPDpGx0w7YiLAogICJpMThuLmNob29zZS50ZXh0LmFsaWduIiA6ICJWYWxpdHNlIHRla3N0aW4gdGFzYXVzIiwKICAiZWxlbWVudC5wYXRoIiA6ICJvaC1pbnRlcm5ldC1zaXNhbGxvbmhhbGxpbnRhL3Npc2FsdG9lZGl0b3JpL3RleHQiLAogICJidXR0b24uYWxpZ24iIDogInRydWUiLAogICJpMThuLmNsb3NlIiA6ICJTdWxqZSIsCiAgImltcG9ydHBhdGgiIDogIi93ZWJjb21wb25lbnRzL29oLWludGVybmV0LXNpc2FsbG9uaGFsbGludGEvc2lzYWx0b2VkaXRvcmkvdGV4dCIsCiAgImJ1dHRvbi5wIiA6ICJ0cnVlIiwKICAiaTE4bi5lbmdsaXNoIiA6ICJlbmdsYW50aSIsCiAgImkxOG4uZWRpdGFibGUuaW5wdXQuZmllbGQiIDogIk11b2thdHRhdmEgc3nDtnR0w7ZrZW50dMOkIiwKICAiaTE4bi5vcmlnaW5hbCIgOiAiQWxrdXBlcsOkaW5lbiIsCiAgInB1YmxpY3VybCIgOiAiL2VsZW1lbnQuaHRtbC5zdHgiLAogICJlbGVtZW50LmJhc2UiIDogImNvbnRlbnQvdGV4dCIsCiAgImJ1dHRvbi5pbWFnZSIgOiAidHJ1ZSIsCiAgInRhYmxlLWVkaXRvciIgOiAic3RhdG8vYXJ0aWNsZXMvYXJ0aWNsZS9jb250ZW50ZWRpdG9yL3RhYmxlIiwKICAiaTE4bi5hZGQubGluayIgOiAiTGlzw6TDpCBsaW5ra2kiLAogICJDVVJSRU5UUEFUSCIgOiAiL0tITy92dW9zaWtpcmphcGFhdG9zL0tITy92dW9zaWtpcmphcGFhdG9zL29oLWludGVybmV0LXNpc2FsbG9uaGFsbGludGEvc2lzYWx0b2VkaXRvcmkvdGV4dC9vaC1pbnRlcm5ldC1zaXNhbGxvbmhhbGxpbnRhL3Npc2FsdG9lZGl0b3JpL3RleHQvIiwKICAiaTE4bi52YXJpYWJsZS5kb2VzbnQuaGF2ZS52YWx1ZS5pbi5jaG9zZW4ubGFuZ3VhZ2UiIDogIk11dXR0dWphbGxhIGVpIG9sZSBhcnZvYSB2YWxpdHNlbWFzc2FzaSBraWVsZXNzw6QuIiwKICAiaTE4bi5ob3Jpem9udGFsLnJ1bGVyIiA6ICJFcm90aW52aWl2YSIsCiAgImkxOG4uaW5wdXQudmFyaWFibGUiIDogIk11b2thdHRhdmEgdGVrc3RpIiwKICAiaTE4bi5oaWdobGlnaHRlZC5wYXJhZ3JhcGgiIDogIktvcm9zdGV0dHUgbGVpcMOkdGVrc3RpIiwKICAiYnV0dG9uLmFuY2hvciIgOiAiZmFsc2UiLAogICJjYXJkY2hhbm5lbCIgOiAicHVibGljIiwKICAiaTE4bi5yZW1vdmUubGluayIgOiAiUG9pc3RhIGxpbmtraSIsCiAgImFsbG93X25lc3RlZF9ibG9ja3MiIDogImZhbHNlIiwKICAiaTE4bi5oZWFkaW5nLjYiIDogIk90c2lra28gNiIsCiAgImkxOG4udXNlLm9ubHkudGhlLmFscGhhYmV0IiA6ICJLw6R5dMOkIHZhaW4gYWFra29zaWEiLAogICJpMThuLmhlYWRpbmcuNSIgOiAiT3RzaWtrbyA1IiwKICAiaTE4bi5oZWFkaW5nLjQiIDogIk90c2lra28gNCIsCiAgImJ1dHRvbi5sYW5ndWFnZXMiIDogIiIsCiAgImkxOG4uaGVhZGluZy4zIiA6ICJPdHNpa2tvIDMiLAogICJpMThuLmhlYWRpbmcuMiIgOiAiT3RzaWtrbyAyIiwKICAiaTE4bi5oZWFkaW5nLjEiIDogIk90c2lra28gMSIsCiAgImVsZW1lbnQubGFuZ3VhZ2UiIDogImZpIiwKICAiYnV0dG9uLnZpZGVvIiA6ICJmYWxzZSIsCiAgImJ1dHRvbi5vbCIgOiAidHJ1ZSIsCiAgImkxOG4ucmVtb3ZlLmZvcm1hdCIgOiAiUG9pc3RhIG11b3RvaWx1IiwKICAiaTE4bi5oeXBoZW5hdGUiIDogIlRhdnV0YSBzaXPDpGx0w7Ygc3VvbWVrc2kiLAogICJpbnNpZGVOZXdFZGl0b3IiIDogInRydWUiLAogICJidXR0b24udW5kZXJsaW5lIiA6ICJmYWxzZSIsCiAgImVsZW1lbnRfcGF0aCIgOiAib2gtaW50ZXJuZXQtc2lzYWxsb25oYWxsaW50YS9zaXNhbHRvZWRpdG9yaS90ZXh0IiwKICAiaTE4bi5zZWFyY2gudmFyaWFibGVzIiA6ICJIYWUgbXV1dHR1amlhIiwKICAiaTE4bi5maW5uaXNoIiA6ICJzdW9taSIsCiAgInRleHQtZWRpdG9yIiA6ICJzdGF0by9hcnRpY2xlcy9hcnRpY2xlL2NvbnRlbnRlZGl0b3IvdGV4dCIsCiAgImVkaXRtb2RlIiA6ICJlZGl0IiwKICAidXJsZXhlY3V0ZXBhdGgiIDogIi9jaGFubmVscy9wdWJsaWMvd3d3L2toby9maS9pbmRleC9wYWF0b2tzaWEvdnVvc2lraXJqYXBhYXRva3NldC9PMzVWSTNEN2MiLAogICJzcGVjdHJ1bS5zaG93SW5pdGlhbCIgOiAiZmFsc2UiLAogICJpMThuLnBhcmFncmFwaC52YXJpYWJsZSIgOiAiS2FwcGFsZW11dXR0dWphIiwKICAiaTE4bi50ZXh0LmNvbG9yIiA6ICJUZWtzdGluIHbDpHJpIiwKICAiZWxlbWVudC53b3JrZXJwYXJzZSIgOiAiZmFsc2UiLAogICJpMThuLmNhcHRpb24iIDogIkt1dmF0ZWtzdGkiLAogICJhcHBlbmRDbGFzcyIgOiAiZC1ibG9jayIsCiAgImkxOG4ub2suYnV0dG9uLnRleHQiIDogIk9rIiwKICAiZGJzYWZlZW1vamlzIiA6ICJmYWxzZSIsCiAgImkxOG4uYmFzZSIgOiAib2gtaW50ZXJuZXQtc2lzYWxsb25oYWxsaW50YS9zaXNhbHRvZWRpdG9yaS90ZXh0IiwKICAiaTE4bi5tZWRpdW0iIDogIktlc2tpa29rb2luZW4iLAogICJlbGVtZW50LmNvbXBvbmVudCIgOiAidHJ1ZSIsCiAgImkxOG4uZHJvcC5maWxlLnRvLmFyZWEuYmVsb3cub3IuY2xpY2suaXQudG8uc2VsZWN0LmZpbGUiIDogIlB1ZG90YSB0aWVkb3N0byBhbGxhb2xldmFhbiBrZW50dMOkw6RuIHRhaSBrbGlra2FhIHNpdMOkIHZhbGl0YWtzZXNpIHRpZWRvc3RvLiIsCiAgImkxOG4uY3JlYXRlLmFuY2hvciIgOiAiTHVvIGFua2t1cmkiLAogICJzZWxlY3QudHlwZSIgOiAiZmFsc2UiLAogICJpMThuLmluZGVudCIgOiAiU2lzZW5uw6QiLAogICJzcGVjdHJ1bS5zaG93UGFsZXR0ZU9ubHkiIDogInRydWUiLAogICJlbGVtZW50LmJhc2UubGlzdCIgOiAiL21vZHVsZXNiYXNlL2VsZW1lbnRzL2NvbnRlbnQvdGV4dCwvbW9kdWxlc2Jhc2UvZWxlbWVudHMvc3RhdG8vY21zL2NvbnRlbnRlZGl0b3IvdGV4dC1lZGl0b3IiLAogICJhbGxvd19tdWx0aXBsZV9saW5lYnJlYWtzIiA6ICJ0cnVlIiwKICAiYnV0dG9uLnN0cmlrZXRocm91Z2giIDogImZhbHNlIiwKICAiaTE4bi50ZXh0LmVkaXRvciIgOiAiVGVrc3RpZWRpdG9yaSIsCiAgImkxOG4uZ2VybWFuIiA6ICJzYWtzYSIsCiAgImJ1dHRvbi5mdWxsc2NyZWVuIiA6ICJmYWxzZSIsCiAgInBpY2t1cC1lbGVtZW50IiA6ICJtYXRlcmlhbC9iYW5rL3BpY2t1cCIsCiAgImkxOG4udG9nZ2xlLnd5c2l3eWciIDogIlBhbGFhIHBlcnVzdGlsYWFuIiwKICAic3BlY3RydW0ucGFsZXR0ZSIgOiAiW1snIzAwMCcsJyM0NDQnLCcjNjY2JywnIzk5OScsJyNjY2MnLCcjZWVlJywnI2YzZjNmMycsJyNmZmYnXSxbJyNmMDAnLCcjZjkwJywnI2ZmMCcsJyMwZjAnLCcjMGZmJywnIzAwZicsJyM5MGYnLCcjZjBmJ10sWycjZjRjY2NjJywnI2ZjZTVjZCcsJyNmZmYyY2MnLCcjZDllYWQzJywnI2QwZTBlMycsJyNjZmUyZjMnLCcjZDlkMmU5JywnI2VhZDFkYyddLFsnI2VhOTk5OScsJyNmOWNiOWMnLCcjZmZlNTk5JywnI2I2ZDdhOCcsJyNhMmM0YzknLCcjOWZjNWU4JywnI2I0YTdkNicsJyNkNWE2YmQnXSxbJyNlMDY2NjYnLCcjZjZiMjZiJywnI2ZmZDk2NicsJyM5M2M0N2QnLCcjNzZhNWFmJywnIzZmYThkYycsJyM4ZTdjYzMnLCcjYzI3YmEwJ10sWycjYzAwJywnI2U2OTEzOCcsJyNmMWMyMzInLCcjNmFhODRmJywnIzQ1ODE4ZScsJyMzZDg1YzYnLCcjNjc0ZWE3JywnI2E2NGQ3OSddLFsnIzkwMCcsJyNiNDVmMDYnLCcjYmY5MDAwJywnIzM4NzYxZCcsJyMxMzRmNWMnLCcjMGI1Mzk0JywnIzM1MWM3NScsJyM3NDFiNDcnXSxbJyM2MDAnLCcjNzgzZjA0JywnIzdmNjAwMCcsJyMyNzRlMTMnLCcjMGMzNDNkJywnIzA3Mzc2MycsJyMyMDEyNGQnLCcjNGMxMTMwJ11dIiwKICAiaTE4bi5hbmNob3IubmFtZSIgOiAiQW5ra3VyaW4gbmltaSIsCiAgImVsZW1lbnQucHVibGljY29tcG9uZW50IiA6ICIiLAogICJidXR0b24uY29kZW1vZGUiIDogImZhbHNlIiwKICAiaTE4bi5wYXJhZ3JhcGgiIDogIkxlaXDDpHRla3N0aSIsCiAgImltYWdlLWVsZW1lbnQiIDogIm9oLWludGVybmV0LXNpc2FsbG9uaGFsbGludGEvc2lzYWx0b2VkaXRvcmkvdGV4dC9pbWFnZSIsCiAgImkxOG4ubm93cmFwcGFyYWdyYXBoIiA6ICJUZWtzdGkgZWkga2llcnLDpCBrdXZhYSIsCiAgImkxOG4uc21hbGwiIDogIlBpZW5pIiwKICAiaTE4bi5vcmRlcmVkLmxpc3QiIDogIk51bWVyb2l0dSBsaXN0YSIsCiAgImkxOG4uaW1wb3J0LmNvbnRlbnQiIDogIlR1byBzaXPDpGx0w7YiLAogICJidXR0b24uYm9sZCIgOiAidHJ1ZSIsCiAgImkxOG4uc21hbGwuaW1hZ2UiIDogIlBpZW5pIGt1dmEiLAogICJpMThuLmFsaWduLnJpZ2h0IiA6ICJUYXNhYSB0ZWtzdGkgb2lrZWFsbGUiLAogICJibG9ja3R5cGUiIDogInRleHQtZWRpdG9yIiwKICAiaTE4bi5oaWdobGlnaHQiIDogIktvcm9zdHVzbGFhdGlra28iLAogICJidXR0b24uYWxpZ24uY2VudGVyIiA6ICJ0cnVlIiwKICAiaTE4bi5saW5rLnRvLnRoZS5vcmlnaW5hbC5pbWFnZSIgOiAiTGlua2tpIGFsa3VwZXLDpGlzZWVuIGt1dmFhbiIsCiAgImkxOG4uc3Vic2NyaXB0IiA6ICJBbGFpbmRla3NpIiwKICAiaTE4bi5tZWRpdW0uaW1hZ2UiIDogIktlc2tpa29rb2luZW4ga3V2YSIsCiAgImkxOG4uY2hvb3NlLmltYWdlLnNpemUiIDogIlZhbGl0c2Uga3V2YW4ga29rbyIsCiAgIkVsZW1lbnQuQmFzZSIgOiAic3RhdG8vY21zL2NvbnRlbnRlZGl0b3IvdGV4dC1lZGl0b3IiLAogICJidXR0b24ub3V0ZGVudCIgOiAidHJ1ZSIsCiAgImNzc19saWJyYXJpZXMiIDogIiIsCiAgImkxOG4uIiA6ICIiLAogICJidXR0b24uaHlwaGVuYXRlIiA6ICJmYWxzZSIsCiAgImVsZW1lbnQuaW1wb3J0Y2hpbGRyZW4iIDogInRydWUiLAogICJidXR0b24uYWxpZ24ubGVmdCIgOiAidHJ1ZSIsCiAgImJ1dHRvbi5pbXBvcnQiIDogInRydWUiLAogICJidXR0b24ubGluayIgOiAidHJ1ZSIsCiAgImkxOG4udGV4dC52YXJpYWJsZSIgOiAiVGVrc3RpbXV1dHR1amEiLAogICJjbGFzcyIgOiAiaXMtdGV4dC1lZGl0b3IiLAogICJpMThuLnBhZ2UuYnJlYWsiIDogIlNpdnVudmFpaHRvIiwKICAic2tpbi5leHRlbmQiIDogIi90b29scy9lbGVtZW50cy9jbXMvY29udGVudGVkaXRvci90ZXh0LWVkaXRvci9za2lucy9odG1sL3RleHQtZWRpdG9yLmh0bWwiLAogICJpMThuLmFsaWduLmxlZnQiIDogIlRhc2FhIHRla3N0aSB2YXNlbW1hbGxlIiwKICAiYnV0dG9uLmxpbmUiIDogInRydWUiLAogICJhZGRhYmxlIiA6ICJ0cnVlIiwKICAic3BlY3RydW0uc2hvd1BhbGV0dGUiIDogInRydWUiLAogICJyZW1vdmFibGUiIDogImZhbHNlIiwKICAiZWxlbWVudC5vdXRsaW5lIiA6ICJ0cnVlIiwKICAiaTE4bi5hZGQucHVibGljLmxpbmsiIDogIkxpc8Okw6QganVsa2luZW4gbGlua2tpIiwKICAiaTE4bi5sYW5ndWFnZS52ZXJzaW9ucyIgOiAiS2llbGl2ZXJzaW90IiwKICAiaTE4bi5mdWxsIiA6ICJUw6R5c2kiLAogICJidXR0b24ucmVtb3ZlZm9ybWF0IiA6ICJ0cnVlIiwKICAiaTE4bi5waWNrIiA6ICJQb2ltaSIsCiAgImZpZWxkbmFtZSIgOiAicmF0a2Fpc3UubGVpcGF0ZWtzdGkiLAogICJpMThuLmNvbnRlbnQiIDogIlNpc8OkbHTDtiIsCiAgImJ1dHRvbi5pdGFsaWMiIDogInRydWUiLAogICJidXR0b24ucG5vd3JhcCIgOiAidHJ1ZSIsCiAgImVsZW1lbnQubW9kZSIgOiAiZWxlbWVudCIsCiAgImkxOG4ubGFyZ2UiIDogIlN1dXJpIiwKICAiYnV0dG9uLmJsb2NrcXVvdGUiIDogInRydWUiLAogICJlbGVtZW50LmxpbmsiIDogIi9lbGVtZW50Lmh0bWwuc3R4IiwKICAiZWxlbWVudC5sb2FkIiA6ICJjbGllbnQiLAogICJpMThuLmJsb2NrcXVvdGUiIDogIkxhaW5hdXMiLAogICJ2aWV3dXJsIiA6ICIvYmluL2dldC92aWQvTzNCcGhZbEhBLk8zRFM2aG1oMi5OdGNhbk5IeHMiLAogICJpMThuLnN1cGVyc2NyaXB0IiA6ICJZbMOkaW5kZWtzaSIsCiAgImkxOG4uc3RyaWtldGhyb3VnaCIgOiAiWWxpdmlpdmF1cyIsCiAgImJ1dHRvbi5hZGRjb2x1bW5yaWdodCIgOiAidHJ1ZSIsCiAgImJ1dHRvbi5yZWRvIiA6ICJmYWxzZSIsCiAgImJ1dHRvbi5zdWJzY3JpcHQiIDogInRydWUiLAogICJVSUQiIDogImlkT2VldlF3RWlxIiwKICAiZWxlbWVudC5zdGF0aWMiIDogInRydWUiLAogICJjZXdyYXBwZXJJc0VkaXRhYmxlIiA6ICJ0cnVlIiwKICAic2tpbiIgOiAidGV4dC5odG1sIiwKICAiY2hhbm5lbC5sYW5ndWFnZSIgOiAiZmkiLAogICJpMThuLm91dGRlbnQiIDogIlVsb25uYSIsCiAgImVsZW1lbnQuNyIgOiAidHJ1ZSIsCiAgImVsZW1lbnQuNiIgOiAiZmFsc2UiLAogICJlbGVtZW50LjUiIDogImZhbHNlIiwKICAiaTE4bi5yZW1vdmUuYnV0dG9uLnRleHQiIDogIlBvaXN0YSIsCiAgImkxOG4uaG9yaXpvbnRhbC5ydWxlIiA6ICJFcm90aW52aWl2YSIsCiAgImVsZW1lbnQucm9vdC5saXN0IiA6ICIvbW9kdWxlc2Jhc2UvZWxlbWVudHMvc3RhdG8vY21zL2NvbnRlbnRlZGl0b3IvdGV4dC1lZGl0b3Ivcm9vdC5zdGF0byIsCiAgImkxOG4uYWRkLmltYWdlIiA6ICJMaXPDpMOkIGt1dmEiLAogICJpMThuLmFzLmxhcmdlLmFzLnRoZXJlLmlzLnNwYWNlLmhvcml6b250YWxseSIgOiAiTmlpbiBzdXVyaSBrdXZhIGt1aW4gbGV2ZXlzc3V1bm5hc3NhIG9uIHRpbGFhIiwKICAiYnV0dG9uLnVuZG8iIDogImZhbHNlIiwKICAicGFyc2VsaW5rcy5zZXJ2aWNlIiA6ICJzdGF0by9jbXMvY29udGVudGVkaXRvci9saW5rcyIsCiAgImJsb2NrLnRpdGxlIiA6ICJUZWtzdGkiLAogICJidXR0b24udWwiIDogInRydWUiLAogICJkYXRhVHlwZSIgOiAidGV4dC1lZGl0b3ItSFRNTCIsCiAgImFsbG93X2VtcHR5X3RhZ3MiIDogImZhbHNlIiwKICAiaTE4bi5ib2xkIiA6ICJMaWhhdm9pbnRpIiwKICAiZWxlbWVudF9tb2RlIiA6ICIiLAogICJidXR0b24uaHIiIDogImZhbHNlIiwKICAiYmxvY2suaWNvbiIgOiAiZmFzIGZhLWFsaWduLWxlZnQiLAogICJpMThuLmZ1bGxzY3JlZW4ubW9kZS5vbi5vZmYiIDogIktva29ydXV0dXRpbGEgcMOkw6RsbGUvcG9pcyIsCiAgImkxOG4ucmVtb3ZlLmltYWdlIiA6ICJQb2lzdGEga3V2YSIsCiAgInNwZWN0cnVtLnByZWZlcnJlZEZvcm1hdCIgOiAiaGV4IiwKICAic3BlY3RydW0uY29udGFpbmVyQ2xhc3NOYW1lIiA6ICJzdWktY29sb3JwaWNrZXIiLAogICJpMThuLmFsaWduLmNlbnRlciIgOiAiVGFzYWEgdGVrc3RpIGtlc2tlbGxlIiwKICAiaTE4bi52YXJpYWJsZSIgOiAiTXV1dHR1amEiLAogICJJTlNUQU5DRUlEIiA6ICJPZWVxb1lyRFEiLAogICJidXR0b24ucHVibGljbGluayIgOiAiZmFsc2UiLAogICJpMThuLnJlbW92ZS5jb250ZW50LmFyZWEiIDogIlBvaXN0YSBzaXPDpGx0w7ZhbHVlIiwKICAiaTE4bi5vcmlnaW5hbC5zaXplLm9mLmltYWdlIiA6ICJLdXZhbiBhbGt1cGVyw6RpbmVuIGtva28iLAogICJidXR0b24uYWxpZ24uanVzdGlmeSIgOiAidHJ1ZSIsCiAgInNwZWN0cnVtLnNob3dBbHBoYSIgOiAiZmFsc2UiLAogICJlbGVtZW50LnNraW4ubW9kZSIgOiAiZXh0ZW5kIiwKICAiYnV0dG9uLmFsaWduLnJpZ2h0IiA6ICJ0cnVlIiwKICAiYnV0dG9uLnAuaGlnaGxpZ2h0IiA6ICJmYWxzZSIsCiAgImJ1dHRvbi5hdHRhY2htZW50IiA6ICJ0cnVlIiwKICAiZWxlbWVudC5vbmxvYWQiIDogImNsaWVudCIsCiAgImkxOG4uZWRpdGFibGUuY29udGVudCIgOiAiTXVva2F0dGF2YSBzaXPDpGx0w7YiLAogICJpMThuLnN3ZWRpc2giIDogInJ1b3RzaSIsCiAgImkxOG4uaXRhbGljIiA6ICJLdXJzaXZvaW50aSIsCiAgInNvcnRhYmxlIiA6ICJmYWxzZSIsCiAgInNwZWN0cnVtLnNob3dJbnB1dCIgOiAiZmFsc2UiLAogICJpMThuLmxpbmsub3B0aW9ucyIgOiAiTGlua2tpdmFsaW5uYXQiLAogICJidXR0b24uaDYiIDogInRydWUiLAogICJlZGl0dXJsIiA6ICIvYmluL2dldC92ZWQvTzNCcGhZbEhBLk8zRFM2aG1oMi5OdGNhbk5IeHMiLAogICJidXR0b24uaDUiIDogInRydWUiLAogICJpMThuLnJlZG8iIDogIlRlZSB1dWRlbGxlZW4iLAogICJidXR0b24uaDQiIDogInRydWUiLAogICJidXR0b24uaDMiIDogInRydWUiLAogICJidXR0b24uZGVsZXRlY29sdW1uIiA6ICJ0cnVlIiwKICAiYnV0dG9uLmgyIiA6ICJ0cnVlIiwKICAiYnV0dG9uLmgxIiA6ICJmYWxzZSIsCiAgImJ1dHRvbi5zdXBlcnNjcmlwdCIgOiAidHJ1ZSIsCiAgImkxOG4udW5vcmRlcmVkLmxpc3QiIDogIk51bWVyb2ltYXRvbiBsaXN0YSIsCiAgImkxOG4udGV4dC50eXBlIiA6ICJUZWtzdGluIHR5eWxpIiwKICAic2VjdGlvbiIgOiAiZGVmYXVsdCIsCiAgImJ1dHRvbi5hZGRyb3diZWxvdyIgOiAidHJ1ZSIsCiAgImVsZW1lbnQucHVibGljbGluayIgOiAiL2VsZW1lbnQuaHRtbC5zdHgiLAogICJpMThuLnVuZGVybGluZSIgOiAiQWxsZXZpaXZhdXMiLAogICJpMThuLmxhcmdlLmltYWdlIiA6ICJTdXVyaSBrdXZhIiwKICAiYmxvY2tlZGl0b3IuYmxvY2siIDogInRydWUiLAogICJpMThuLmFsaWduLmp1c3RpZnkiIDogIlRhc2FhIHRla3N0aSB2YXNlbW1hbGxlIGphIG9pa2VhbGxlIiwKICAiaTE4bi5hZGQuYXR0YWNobWVudCIgOiAiTGlzw6TDpCBsaWl0ZXRpZWRvc3RvIiwKICAicGxhY2Vob2xkZXIiIDogIlNpc8OkbHTDtiIsCiAgImNzcyIgOiAiY3NzL3RleHQuY3NzLGNzcy90ZXh0LWVkaXRvci5jc3MiLAogICJpMThuLnVuZG8iIDogIkt1bW9hIiw KICAiaTE4bi5mcmVuY2giIDogInJhbnNrYSIsCiAgImRhdGFfbGlzdGVuZXJzIiA6ICJvaC1pbnRlcm5ldC1zaXNhbGxvbmhhbGxpbnRhL3Npc2FsdG9lZGl0b3JpL3RleHQiLAogICIiIDogIiIKfQ==A Oy (data controller) engaged in rental activities collected personal identification numbers of minor children of families who regularly live in a rented apartment or are looking for an apartment. The Supreme Administrative Court considered that the data controller had not presented such a report, on the basis of which it could be considered that the regular collection of personal identification numbers of all minor children living with their parents in a rented apartment or applying for an apartment would be necessary for the purposes stated by the data controller, as required by the General Data Protection Regulation. The Deputy Data Protection Commissioner could therefore have given the controller an order to bring the processing operations in respect of the collection of children's personal identification numbers in line with the provisions of the regulation and to delete the collected children's personal identification data to the extent that there was no appropriate basis for their collection. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation) Article 5, paragraph 1, subparagraph c, Article 25, Article 58, paragraph 2, subparagraph d, and Article 87, Section 29, subsection 1 of the Data Protection Act. court 15 August 2022 No. 1036/2022 Decision of the Supreme Administrative Court The Supreme Administrative Court grants leave to appeal and examines the case. The administrative court's decision is overturned in the part under appeal, i.e. to the extent that the administrative court has overturned the order given to A Oy by the deputy data protection commissioner regarding the processing of children's personal identification numbers. The decision of the Deputy Data Protection Commissioner on May 24, 2021 will be enforced in this respect. Background of the case(1) In its decision of 24 May 2021, the Deputy Data Protection Commissioner has given the data controller (A Oy) an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations in relation to the collection of children's personal identification numbers into compliance with the provisions of the regulation, and to delete the collected children's personal identification information to the extent that there is no reason for their collection had an appropriate basis. (2) The Deputy Data Protection Commissioner has stated in his decision that the collection of personal data must take place in accordance with the requirement of necessity, and it is not lawful for the controller to collect such personal data from the registered persons, the necessity of which cannot be presented with appropriate grounds. The existence of grounds should be assessed on a case-by-case basis, and personal data cannot, for example, be collected and stored just to be sure, in case of the future. (3) Regarding the individual justifications presented by the controller, the deputy data protection commissioner has stated in his decision that it is not necessary to include the child's personal identification number in the child protection notice, and the controller cannot collect this information in advance on this basis with possible future use in mind. Also, in cases of lost keys, it is not possible to justify the collection of children's personal identification numbers, and the child who has lost the key does not even, as a rule, have to present an identity document with which it would be possible to compare the personal identification information held by the registrar. The National Pension Service, on the other hand, does not ask the landlord to collect the children's personal identification numbers in the case of housing allowance, and neither the landlord nor the property manager can apply for housing allowance on behalf of the resident. Regarding the Ministry of the Environment's regulation on the application form for arava and interest-subsidized rental apartments and its appendices, according to the deputy data protection commissioner, it can be noted that there is no limitation based on the resident's age, but according to § 1, personal identification information is collected from those who come to live in arava and interest-subsidy rental apartments. However, according to the Deputy Data Protection Commissioner, this does not justify the systematic collection of children's personal identification information in rental and hosting activities, but the assessment of necessity must be carried out on a case-by-case basis, and when applying the regulation of the Ministry of the Environment, the controller must make sure that the person falls within the scope of the regulation. (4) The Administrative Court has revoked A Oy's appeal decision of the Deputy Data Protection Commissioner. The administrative court has stated the following in its reasoning: (5) The processing of children's personal data in a tenancy relationship may be possible based on the legitimate interest referred to in Article 6(1)(f) of the Data Protection Regulation. The basis for processing a legitimate interest requires that the data subject's interests or basic rights and freedoms requiring the protection of personal data do not override the data controller's legitimate interest in processing personal data, especially if the data subject is a child. In the weighing of interests in this regard, the purpose of the data protection legislation and the principles of personal data processing according to Article 5 of the Data Protection Regulation must be taken into account, among other things. (6) In the situation in question, children's personal identification numbers are not intended to be used for the purposes listed in paragraph 38 of the introductory paragraph of the Data Protection Regulation, in connection with which children's personal data would be subject to special protection need. The processing of children's personal identification numbers in rental activities cannot in itself be considered a significant interference with children's rights and interests, and the processing of personal identification numbers therefore does not have a significant impact on the registered children. In this regard, the administrative court has also drawn attention to the fact that, nationally, a provision at the level of a decree requires that applicants for an apartment covered by the Area Limitation Act must indicate the personal identification numbers of all those coming to live in the apartment on the apartment application form when applying for an apartment. (7) Section 29 subsection 2 of the Data Protection Act explicitly allows the identification processing in rental operations. Since the said subsection has not demarcated whether it concerns the actual parties to the tenancy relationship or, more broadly, the processing of personal identification numbers of persons coming to live in the apartment, the said subsection can be interpreted as covering the processing operations relating to rental activities in general, including the processing of the personal identification numbers of children coming to live in the apartment. (8) The company has had rental activities the resulting legitimate interest in the processing of children's personal data referred to in Article 6(1)(f) of the Data Protection Regulation. Taking into account section 29 subsection 2 of the Data Protection Act and the fact that the reliable identification of a person in rental activities is also important from the point of view of the registered person's legal protection, the administrative court has considered that the legitimate interest in the current situation also extends to the processing of children's personal identification numbers. Since, on this basis, the processing of the personal identification number must be considered lawful in the sense referred to in Article 5, paragraph 1, letter a) and Article 6 of the Data Protection Regulation, it cannot be considered unnecessary in terms of the purpose of use in question when applying subsection c) of the first mentioned article regarding data minimization. (9) The company's processing activities according to the administrative court, they were in accordance with the law. of the administrative court's decision and demanded in his appeal that the administrative court's decision be annulled. The Deputy Data Protection Commissioner has presented the following in support of his claim: (11) The Administrative Court has justified the fulfillment of the necessity requirement of Article 5 of the General Data Protection Regulation by the fact that, according to the Administrative Court's view, there was a basis for processing according to Article 6 of the regulation. Articles 5 and 6 of the General Data Protection Regulation deal with two different issues. Article 5(1)(c) of the General Data Protection Regulation cannot be left out of application. The interpretation of administrative law would make the article in question meaningless and would mean that it does not need to be taken into account at all when processing the personal identification number. (12) The necessity of processing personal data cannot be justified by the fact that a processing basis according to Article 6 of the General Data Protection Regulation can be defined for data processing. The assessment of necessity is its own key assessment, and it should not be confused with the definition of the basis for processing. (13) In its decision, the Deputy Data Protection Commissioner has considered that there is no need for the systematic collection of children's personal identification numbers as required by Article 5, Section 1, Subsection c of the General Data Protection Regulation. In the case being evaluated now, it has not been about defining the basis for processing personal data (Article 6 of the General Data Protection Regulation), and the decision of the Deputy Data Protection Commissioner has therefore not taken any position on the basis for processing. If the controller processes personal data other than those necessary in the manner intended in the data protection regulation, its procedure is illegal, even if the processing basis in accordance with Article 6 of the General Data Protection Regulation can be defined in itself, such as the consent of the data subject or the legitimate interest of the controller. (14) The Administrative Court has also based its decision on criteria , which in data protection regulations are not related to the assessment of the necessity of personal data processing, and failed to carry out an appropriate necessity assessment. (15) In the case being evaluated, the controller has not presented such grounds for collecting children's personal identification numbers where the purpose of the processing was not reasonably achievable by other means. (16) Collection of personal data and other processing is not possible directly on the basis that, for example, the data subject is not considered to have any significant effects. Significant intervention or significant effects are not criteria used in the necessity assessment according to data protection regulations. (17) The necessity requirement for the processing of personal data (the so-called minimization principle) is intended to prevent, for example, operators from collecting personal data just in case and without valid, case-specific grounds. The purpose of the necessity requirement becomes concrete, for example, when outsiders gain access to personal data. In the event of a data leak, the information also ends up being used by unauthorized parties, and the data subject may become a victim of a crime, such as identity theft. (18) A Oy has announced that it will not provide an explanation in the matter. The company's notification has been sent to the deputy data protection commissioner for information. Reasons for the decision of the Supreme Administrative Court Question statement (19) The matter is whether A Oy's collection of personal identification numbers of minor children is in violation of the General Data Protection Regulation, so that the deputy data protection commissioner could have given A Oy an order to processing operations regarding the collection of children's personal identification numbers in accordance with the provisions of the regulation, and delete the collected children's personal identification information to the extent that there was no appropriate basis for their collection. (20) In the decision in question, the Deputy Data Protection Commissioner has now evaluated the collection of children's personal identification numbers by A Oy in accordance with Article 5, Paragraph 1 of the General Data Protection Regulation in terms of the necessity requirement according to subsection c. The question to be assessed in the case is therefore whether the collection of personal identification numbers of minor children by A Oy is in accordance with the requirement regarding the minimization of information set out in the mentioned subsection. (21) For the sake of clarity, the Supreme Administrative Court states that the decision of the Deputy Data Protection Commissioner in question has not taken a position on Article 6 to the processing basis. The case is therefore not about assessing whether there is a basis for processing referred to in Article 6. Applicable legal guidelines(22) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (general data protection regulation) in Article 5 (Principles for the processing of personal data) in point 1 lists the requirements that must be followed in relation to personal data. According to subparagraph c of the said paragraph, they must be appropriate and relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").(23) Paragraph 1 of Article 25 of the General Data Protection Regulation (Built-in and default data protection) taking into account the latest technology, implementation costs and the nature, scope, context and purposes of the processing, as well as the varying probability and severity of risks caused by the processing to the rights and freedoms of natural persons, the controller must implement appropriate technical and organizational measures, such as pseudonymization of the data, both in connection with the determination of the processing methods and the processing itself, effectively for the implementation of data protection principles, such as data minimization, in order to include the necessary protective measures as part of the processing and in order for the processing to comply with the requirements of this regulation and to protect the rights of data subjects. (24) According to paragraph 2 of the same article, the data controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. These measures must be used to ensure, in particular, that by default personal data is not made available to an unlimited number of people without the contribution of a natural person. (25) According to Article 58 (Powers) paragraph 2 of the General Data Protection Regulation, the supervisory authority has, among other things, the following remedial powers: d) to appoint the controller or personal data the processor to bring the processing activities into compliance with the provisions of this regulation, if necessary in a certain way and within a certain deadline. (26) According to Article 87 of the General Data Protection Regulation (Processing of the National Identity Number), member states can define in more detail the special conditions for the processing of a national identity number or other general identifier. In this case, the national personal identification number or other general identifier must be used only in compliance with the appropriate protective measures regarding the rights and freedoms of the data subject in accordance with this regulation. (27) According to Section 29 subsection 1 of the Data Protection Act, the personal identification number may be processed with the consent of the data subject or, if the processing is stipulated by law. In addition, the personal identification number may be processed if unambiguous identification of the registered person is important: 1) to perform a task stipulated by law; 2) to fulfill the rights and obligations of the registered person or the data controller; or3) for historical or scientific research or statistical purposes. (28) According to Section 29 subsection 2 of the Data Protection Act, the personal identification number may be processed in lending or debt collection, insurance, credit institution, payment service, rental and lending activities, credit information activities, health care, social care and other in the implementation of social security or in matters concerning official, employment and other service relationships and related benefits. (29) According to Section 29, subsection 3 of the Data Protection Act, in addition to what is stipulated in subsections 1 and 2 regarding the processing of personal identification numbers, the personal identification number may be disclosed in order to update address information or to avoid multiple mailings for the data processing to be carried out, if the personal identification number is already available to the transferee. Legal assessment and conclusion (30) Article 5 of the General Data Protection Regulation lays down the general principles that must be followed in all personal data processing within the scope of the regulation. According to paragraph 1 subparagraph a of the article, personal data must be processed in accordance with the law. (31) Article 6 of the General Data Protection Regulation stipulates which grounds for processing personal data are in accordance with the law. The processing of personal data can only be lawful if there is a basis for it provided for in the article in question. However, the existence of a basis for processing alone does not make the processing lawful. In addition, the processing of personal data must comply with the requirements laid down in Article 5, among other things, the minimization principle laid down in Article 1, letter c. (32) The Court of Justice of the European Union has stated in several decisions that the processing of personal data must, on the one hand, be in accordance with the principles expressed in Article 5 of the said regulation and, on the other hand, fulfill Article 6 of the same regulation. the conditions listed in the article (e.g. C-439/19, paragraph 96 of the judgment and consolidated cases C-511/18, C-512/18 and C-520/18, paragraph 208 of the judgment) (33) Based on the above, the processing of personal data cannot considered to be necessary in the manner referred to in Article 5, paragraph 1, letter c, because, based on the use of administrative law, that there is a legal basis for the processing referred to in Article 6. (34) Article 87 of the General Data Protection Regulation enables the conditions for the processing of a national personal identification number to be regulated nationally. Section 29 of the Data Protection Act, which is based on this provision, enables the processing of personal identification numbers in rental operations. However, even then, the processing must also be in accordance with the principles laid down in Article 5 of the General Data Protection Regulation. (35) When assessing whether the personal data is appropriate and essential as referred to in Article 5, paragraph 1, letter c, and limited to what is necessary in relation to the purposes for which it is processed , must take into account the purposes of use of the data stated by the controller. In the assessment of necessity, the introductory paragraph 39 of the General Data Protection Regulation can also be taken into account, where, among other things, it is stated that personal data should be sufficient and essential and limited to what is necessary in terms of the purposes of their processing, and that personal data should only be processed if the purpose of the processing cannot be reasonably achieve by other means.(36) A Oy has announced that it needs the children's personal identification numbers to handle matters related to the tenancy and to maintain the resident register. The collection of personal identification numbers is also justified for reasons related to housing support, door opening service, reporting concerns to social services and the operation of the information system. In addition, with regard to arava and interest-subsidized apartments, the legislation obliges the names and personal identification numbers of the persons coming to live on the housing application form. (37) The Supreme Administrative Court states, like the administrative court, that the Deputy Data Protection Commissioner has accepted that the Ministry of the Environment's decree on the application form for arava and interest-subsidized rental apartments and its annexes (904/2006), regardless of age, personal identification numbers can be collected from persons covered by For this reason, the collection of children's personal identification numbers in situations falling under the scope of application of the said regulation will not be evaluated in the case. (38) However, based on the report presented in the case, A Oy has regularly collected children's personal identification numbers from apartment applicants and tenants, regardless of whether they are subsidized, interest-subsidized, or self-financed rental apartments. . As far as freely financed rental apartments are concerned, the legislation regarding rent and interest subsidies mentioned as the basis does not require the collection of personal identification numbers of minor children who live with their parents in a rental apartment or who are applying for an apartment. However, processing a minor child's social security number is necessary when the minor himself is a party to a rental agreement or an applicant for a rental apartment. However, these situations in which the collection of minor children's personal identification numbers is necessary for reasons related to the lease agreement and the application for an apartment do not constitute a need to collect personal identification numbers in accordance with the rules from all minor children of tenants or apartment applicants. (39) Nor do the issues related to housing support, door opening service and filing of concern reports justify the need for children's personal identification numbers for regular collection. As a rule, the applicant for housing allowance is the parent of a minor child. It is possible to handle the door-opening service and reporting of concerns without using a personal identification number. (40) Although handling the above-mentioned tasks may in some situations be easier if a personal identification number is available, the purposes of the processing mentioned by the controller can still be reasonably implemented without using a personal identification number. (41) The General Data Protection Regulation The requirement for built-in and default data protection laid down in Article 25 means, among other things, that the data controller must choose the default processing settings and options and be responsible for their implementation in such a way that by default only the processing of personal data that is absolutely necessary to achieve the set legal goal is carried out (Directions of the European Data Protection Board 4/2019 on Article 25 on Privacy by Design and by Default, version 2.0, issued on 20 October 2020, paragraph 42). Thus, the controller cannot justify the necessity of processing personal data with the technical requirements of the information system it uses, but the information systems must be designed in such a way that they do not require the processing of otherwise unnecessary personal data. Consequently, the reasons presented by A Oy, related to the functionality of the information system, cannot be considered as circumstances on the basis of which the processing of personal data should be considered necessary in the manner referred to in Article 5, paragraph 1, letter c of the General Data Protection Regulation. (42) Based on the above, the Supreme Administrative Court considers, that A Oy, as the data controller, has not presented such a report, on the basis of which it could be considered that the regular collection of the personal identification numbers of all minor children living with their parents in a rented apartment or applying for an apartment would be necessary for the above-mentioned uses stated by the company in the manner referred to in Article 5, paragraph 1, letter c of the General Data Protection Regulation. The Deputy Data Protection Commissioner has therefore been able to issue an order to A Oy to bring the processing operations in respect of the collection of children's personal identification numbers in line with the provisions of the regulation and to delete the collected children's personal identification data to the extent that there was no appropriate basis for their collection. The Supreme Administrative Court states that the order does not prevent A Oy, as the data controller, from continuing to collect and store children's personal identification numbers in situations where there is a basis and need for the processing in accordance with data protection regulations. revoked the order on the collection of children's personal identification numbers and the decision of the deputy data protection commissioner is put into effect in this respect. The presenter of the issue is Liisa Selvenius-Hurme.