Tietosuojavaltuutetun toimisto (Finland) - 531/161/20

From GDPRhub

Latest revision as of 13:05, 3 March 2024

Tietosuojavaltuutetun toimisto - 531/161/20
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 25 GDPR, Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 18.5.2020
Fine: 16000 EUR
Parties: n/a
National Case Number/Name: 531/161/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: n/a

The Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35 GDPR.

English Summary

Facts

A company monitored employees’ working hours by using location data from vehicle information systems. The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment.


Dispute

The main legal arguments were as follows:
1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out a DPIA?
2. If yes, has the controller complied with its obligations under Article 35 GDPR?
3. Has the controller taken adequate organisational and/or technical measures in accordance with Article 25 GDPR?


Holding

The Finnish DPA held that the data processing activities fell within the meaning of Article 35 GDPR, and that the controller did not comply with its obligations under that article. A DPIA should be mandatory if the data processing is likely to result in a high risk to individuals' rights. In this context, the processing was deemed likely to result in a high risk because of the employee-employer relationship and the fact that location data was systematically monitored. Furthermore, the controller had not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR 16,000 was imposed for the controller's privacy violations.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.