Tietosuojavaltuutetun toimisto (Finland) - 6609/163/19: Difference between revisions

From GDPRhub


== English Summary ==
The Finnish DPA rendered a decision in a case between a parent (the applicant) and a company specialized in kindergarten and school photography (the controller). The applicant complained that a picture of his children appeared in miniature on the invoice sent by the controller. The Finnish DPA ruled that including a miniature of the children's pictures on the invoice was not necessary for the purpose of payment or security, and that the controller had therefore infringed the principle of data minimization enshrined in Article 5(1)(c) GDPR. The Finnish DPA further ordered the controller to bring its processing activities into compliance under Article 58(2)(d) GDPR.


=== Facts ===
The controller is a Finnish company specialized in taking pictures of children at kindergartens and schools. The controller was printing and sending pictures of about 400,000 pupils each year. For several years, the controller had printed a miniature of the pictures on the invoice sent to the parents. After receiving an invoice on which a miniature of his children's picture was printed, a parent contacted the controller's customer service to complain about that practice. The controller did not agree with the parent. As a consequence, the parent lodged a complaint with the Finnish DPA.


=== Dispute ===
The dispute concerned whether printing the children's pictures in miniature on the invoice complied with the GDPR, and in particular with the principle of data minimisation enshrined in Article 5(1)(c) GDPR. According to the company, printing the pictures in miniature on the invoice enabled its employees to make sure that the correct pictures and invoices were sent together to each customer. The controller also argued that the practice was justified from the point of view of data security. According to the parent, the practice was not necessary for the purposes pursued by the controller, and violated the principle of data minimisation, according to which personal data must be "''adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed''" (Article 5(1)(c) GDPR).


=== Holding ===
The Finnish DPA ruled that the controller did not comply with the principle of data minimization set out in Article 5(1)(c) GDPR when processing personal data in connection with invoices. The Finnish DPA furthermore ordered the controller to bring the processing of personal data into compliance by no longer printing or including miniatures of the children's pictures on the invoices.


== Comment ==
== Further Resources ==
''Share blogs or news articles here!''


<pre>
<pre>
Adding children's school photos in miniature to customer invoices

Keywords: Data minimization; Personal information; Photos; Children's privacy
Legal basis: Decision under the EU General Data Protection Regulation
Diary number: 6609/163/19

Decision of the Assistant Supervisor
 
Matter
 
Data minimization
 
Applicant's claims and reasons
 
On 30 August 2019, the applicant brought an action in the Office of the Data Protection Officer concerning the fact that the pictures of his children appear in miniature on the data controller's invoice. The controller specializes in kindergarten and school photography. The applicant has contacted the controller's customer service, and according to the customer service message sent to the DPO's office, the controller's data security officer is to consider covering the images in the invoices sent to the collection agency.
 
Statement received from the controller
 
On 12 January 2021, a clarification was requested from the data controller. The request for clarification was answered on 21 January 2021. The report provided states that the controller prints the photos on photo printers and the invoices on normal paper printers. According to the report, the invoices also act as packing lists, and the controller prints black-and-white images on them in addition to the customer's home address. According to the report, the size of a single image is 1.4 x 2 cm. According to the report, the images on the invoice enable the controller's staff to ensure that the images to be sent and the invoice match, which, according to the report, ensures that the controller does not send photographs to incorrect addresses.
 
According to the report, the images will not be added to the collection invoice, but the customer may want to see the original invoice because the customer who ordered the images may have lost or destroyed the original invoice and wants to see it after receiving the collection invoice. Furthermore, according to the report, the controller submits a PDF copy of the original invoice to the collection agency, if necessary.
 
The report states that the controller has not taken any appropriate action. According to the report, the controller prints and sends photos of about 400,000 students each year, and this is the first time the controller has received customer feedback. According to the report, the controller has been printing the images on the invoices for several years. According to the controller, images significantly improve security of supply and, in its view, the current practice is justified from the point of view of data security related to the supply of images.
 
Applicant's reply
 
On 22 January 2021, the Office of the Data Protection Officer requested a reply and address information from the applicant. In his defense, received on 27 January 2021, the applicant stated that he did not consider that the collection agency should see the pictures of his children under any circumstances.
 
Applicable law
 
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of directly applicable law in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).
 
Legal issue
 
The Assistant Data Protection Supervisor will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matter needs to be resolved
 
1. whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices; and
 
2. whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation.
 
Decision and reasons of the Assistant Data Protection Supervisor
 
Decision
 
The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices.
 
Regulation
 
The Assistant DPO shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data in connection with invoices into line with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation, ensuring that invoices no longer contain unnecessary personal data.
 
Reasoning
 
The principle of data minimization
 
Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.
 
The personal data processed must, as mentioned above, be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p. 42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means.
 
As mentioned above, this is a matter of the principle of data minimization, which has also been the subject of practical guidance by the European Data Protection Board in the context of its guidelines. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means. In practice, therefore, as little personal data as possible should be collected in each situation.
 
In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.
 
On the present case
 
It should be noted that nothing has been put forward in the case to show that small black and white images are necessary to ensure that photographs are not sent to incorrect addresses. The EDPS also considers that, on the basis of the explanation received, the transmission of a document showing the thumbnails to the debt collection agency is not necessary for the recovery of the claim.
 
The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided. In addition, the EDPS draws attention to the fact that this has been the processing of children's personal data and emphasizes in this respect that, according to recital 38 of the General Data Protection Regulation, special efforts must be made to protect children's personal data.
 
For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data in connection with invoices in line with the General Data Protection Regulation.
 
Applicable law
 
Mentioned in the explanatory memorandum.
 
Appeal
 
According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).
 
The decision is not yet final.
</pre>
</pre>
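Review bot: the "On the present case" paragraphs name the deciding authority as "the EDPS" and "the Assistant EDPS", an abbreviation that normally refers to the European Data Protection Supervisor rather than the Finnish authority this page is about. Since the text is a machine translation, consider a translator's note or one consistent rendering of the authority's name. The same passage says "the processing of personal data must be avoided" where the earlier guidelines paragraph says "avoided whenever possible", and "by other means.In practice" is missing a space after the full stop; both are worth checking against the Finnish original.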

Latest revision as of 13:06, 3 March 2024

Tietosuojavaltuutetun toimisto - 6609/163/19
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 25(2) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.02.2021
Published: 19.02.2021
Fine: None
Parties: n/a
National Case Number/Name: 6609/163/19
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: V

English Summary

The Finnish DPA rendered a decision in a case between a parent (the applicant) and a company specialized in kindergarten and school photography (the controller). The applicant complained that a miniature picture of his children appeared on the invoice sent by the controller. The Finnish DPA ruled that including a miniature of the children's pictures on the invoice was not necessary for the purpose of payment or security, and that the controller had therefore infringed the principle of data minimization enshrined in Article 5(1)(c) GDPR. The Finnish DPA further ordered the controller to bring its processing activities into compliance under Article 58(2)(d) GDPR.

Facts

The controller is a Finnish company specialized in taking pictures of children at kindergartens and schools. The controller printed and sent pictures of about 400,000 pupils each year. For several years, the controller had followed a practice of printing a miniature of the pictures on the invoice sent to the parents. After receiving an invoice on which a miniature of his children's picture was printed, a parent contacted the controller's customer service to complain about that practice. The controller did not agree with the parent. As a consequence, the parent lodged a complaint with the Finnish DPA.

Dispute

The dispute concerned whether printing the children's pictures in miniature on the invoice complied with the GDPR, and in particular with the principle of data minimisation enshrined in Article 5(1)(c) GDPR. According to the company, printing the pictures in miniature on the invoice enabled its employees to make sure that the correct pictures and invoices were sent together to each customer. The controller also argued that the practice was justified from the point of view of data security. According to the parent, the practice was not necessary for the purposes pursued by the controller, and violated the principle of data minimisation, according to which the processing of personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (Article 5(1)(c) GDPR).

Holding

The Finnish DPA ruled that the controller did not comply with the principle of data minimization set out in Article 5(1)(c) GDPR when processing personal data in connection with invoices. The Finnish DPA furthermore instructed the controller to bring the processing of personal data into compliance by no longer printing or including miniatures of the children's pictures on the invoices.

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Assistant Supervisor

Thing

Data minimization

Applicant's claims and reasons

On 30 August 2019, the applicant brought an action in the Office of the Data Protection Officer concerning the fact that the pictures of his children appear in miniature on the data controller's invoice. The registrar specializes in kindergarten and school photography. The applicant has contacted the controller's customer service, and according to the customer service message sent to the DPO's office, the controller's data security officer is to consider covering the images in the invoices sent to the collection agency.

Statement received from the controller

On 12 January 2021, a clarification was requested from the data controller. The request for clarification has been answered on 21 January 2021. The report provided states that the registrar prints the photos on photo printers and the invoices on normal paper printers. According to the report, the invoices also act as packing lists, and the registrar prints black-and-white images on them in addition to the customer's home address. According to the study, the size of a single image is 1.4 x 2 cm. According to the report, the images on the invoice enable the controller's staff to ensure that the images to be sent and the invoice match, which, according to the report, ensures that the controller does not send photographs to incorrect addresses.

According to the report, the images will not be added to the collection invoice, but the customer may want to see the original invoice because the customer who ordered the images may have lost or destroyed the original invoice and wants to see it after receiving the collection invoice. Furthermore, according to the report, the registrar submits a pdf copy of the original invoice to the collection agency, if necessary.

The report states that the controller has not taken any appropriate action. According to the study, the registrar prints and sends photos of about 400,000 students each year, and this is the first time the registrar has received customer feedback. According to the report, the registrar has been printing the images on the invoices for several years. According to the registrar, images significantly improve security of supply and, in its view, the current practice is justified from the point of view of data security related to the supply of images.

Applicant's reply

On 22 January 2021, the Office of the Data Protection Officer requested a reply and address information from the applicant. In his defense, received on 27 January 2021, the applicant stated that he did not consider that the collection agency should see the pictures of his children under any circumstances.

Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of directly applicable law in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).

Legal issue

The Assistant Data Protection Supervisor will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matter needs to be resolved

1. whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices; and

2. whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation.

Decision and reasons of the Assistant Data Protection Supervisor

Decision

The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices.

Regulation

The Assistant DPO shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data in connection with invoices into line with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation, ensuring that invoices no longer contain unnecessary personal data.

Reasoning

The principle of data minimization

Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.

The personal data processed must, as mentioned above, be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p. 42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means.

As mentioned above, this is a matter of the principle of data minimization, which has also been the subject of practical guidance by the European Data Protection Board in the context of its guidelines. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means. In practice, therefore, as little personal data as possible should be collected in each situation.

In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.

On the present case

It should be noted that nothing has been put forward in the case to show that small black and white images are necessary to ensure that photographs are not sent to incorrect addresses. The EDPS also considers that, on the basis of the explanation received, the transmission of a document showing the thumbnails to the debt collection agency is not necessary for the recovery of the claim.

The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided. In addition, the EDPS draws attention to the fact that this has been the processing of children's personal data and emphasizes in this respect that, according to recital 38 of the General Data Protection Regulation, special efforts must be made to protect children's personal data.

For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data in connection with invoices in line with the General Data Protection Regulation.

Applicable law

Mentioned in the explanatory memorandum.

Appeal

According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).

The decision is not yet final.