Tietosuojavaltuutetun toimisto (Finland) - 531/161/20: Difference between revisions
(Fred moved page Tietosuojavaltuutetun toimisto (Findland) - 531/161/20 to Tietosuojavaltuutetun toimisto (Finland) - 531/161/20: corrected the name)
Latest revision as of 13:05, 3 March 2024
Tietosuojavaltuutetun toimisto - 531/161/20 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 25 GDPR Article 35 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 18.5.2020 |
Fine: | 16000 EUR |
Parties: | n/a |
National Case Number/Name: | 531/161/20 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Finnish |
Original Source: | Tietosuojavaltuutetun toimisto (in FI) |
Initial Contributor: | n/a |
The Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35.
English Summary
Facts
A company monitored employees’ working hours by using location data from vehicle information systems. The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment.
Dispute
The main legal arguments were as follows:
1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out a DPIA?
2. If yes, has the controller complied with its obligations under Article 35 GDPR?
3. Has the controller taken adequate organisational and/or technical measures in accordance with Article 25 GDPR?
Holding
The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA should be mandatory if the data processing is likely to result in a high risk to the individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee-employer relationship and the fact that location data was systematically monitored.
Furthermore, the controller had not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR 16,000 was imposed for the controller’s privacy violations.
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.