Tietosuojavaltuutetun toimisto (Finland) - 3379/182/23: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=3379/182/23 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2023/20232203 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan...")
 
(Short summary)
 
(2 intermediate revisions by 2 users not shown)
Line 61: Line 61:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=fred
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]
|
|
}}
}}


The DPA reprimanded the City of Helsinki because it could have prevented a data breach in its online service by implementing appropriate technical and organisational measures to ensure the security of the processing of personal data.
The DPA reprimanded the City of Helsinki for making user profiles publicly searchable and visible to all through the platform's own search function when this was not necessary.


== English Summary ==
== English Summary ==
Line 81: Line 81:
On the basis of the information provided by the controller, the DPA considered that, given the nature of the service, it could not be considered necessary that the user profiles had been publicly searchable and visible to all through the platform's own search function. The DPA found that the controller had not implemented any technical or organisational measures to prevent third parties from accessing data to which they should not have access.
On the basis of the information provided by the controller, the DPA considered that, given the nature of the service, it could not be considered necessary that the user profiles had been publicly searchable and visible to all through the platform's own search function. The DPA found that the controller had not implemented any technical or organisational measures to prevent third parties from accessing data to which they should not have access.


On the basis of the information gathered, the DPA held that the controller had violated [[Article 25 GDPR#2|Article 25(2) GDPR]] and [[Article 32 GDPR#1|Article 32(1) GDPR]] by making the user profiles and related personal data to be searchable and viewable by anyone. As a result, the DPA issued a reprimand to the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]].
On the basis of the information gathered, the DPA held that the controller violated [[Article 25 GDPR#2|Article 25(2) GDPR]] and [[Article 32 GDPR#1|Article 32(1) GDPR]] by making the user profiles and related personal data to be searchable and viewable by anyone. As a result, the DPA issued a reprimand to the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]].


== Comment ==
== Comment ==

Latest revision as of 12:10, 19 June 2024

Tietosuojavaltuutetun toimisto - 3379/182/23
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 25(2) GDPR
Article 32(1) GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started: 29.03.2023
Decided: 01.09.2023
Published: 29.05.2024
Fine: n/a
Parties: City of Helsinki
National Case Number/Name: 3379/182/23
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA reprimanded the City of Helsinki for making user profiles publicly searchable and visible to all through the platform's own search function when this was not necessary.

English Summary

Facts

The Finnish DPA was notified that through the search function of an online service operated by the City of Helsinki (the controller), it was possible to see the names of all persons registered with the service. The DPA then asked the controller to explain how it had implemented appropriate technical and organisational measures to ensure the security of the processing.

In response to the request, the controller clarified that the service in question was a participatory budgeting platform where city residents could discuss the development of the city and suggest things they would like to see in their own residential area. Following the DPA's request, the controller had discovered a data breach in relation to the platform.

The controller stated that the user profiles of all 124,000 people registered on the platform had been publicly searchable and viewable by default through the platform's own search function. The profiles had also been viewable through Google Search and had displayed at least the first and last name of the users.

The controller also noted that all profiles had been deleted and the possibility to register on the service had been closed. In addition, the controller had disabled the search function of the service and requested Google to remove the search results from Google Search.

Holding

On the basis of the information provided by the controller, the DPA considered that, given the nature of the service, it could not be considered necessary that the user profiles had been publicly searchable and visible to all through the platform's own search function. The DPA found that the controller had not implemented any technical or organisational measures to prevent third parties from accessing data to which they should not have access.

On the basis of the information gathered, the DPA held that the controller violated Article 25(2) GDPR and Article 32(1) GDPR by making the user profiles and related personal data to be searchable and viewable by anyone. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Thing

Built-in and default data protection and processing security
Registrar

City
Notification made to the office of the Data Protection Commissioner

On March 29, 2023, the Office of the Data Protection Commissioner received a notification regarding the data controller's participatory budgeting service (hereinafter referred to as the service). According to the announcement, it is possible to see the first and last name of all people registered for the service with the search function of the service. According to the announcement, the service has about 124,000 people's names publicly visible and searchable.
Statement received from the registrar

On April 25, 2023, the Office of the Data Protection Commissioner requested an explanation from the data controller. On May 25, 2023, the registrar stated the following in his response to the clarification request.

The registrar has said that the purpose of the service has been to involve the city's residents in budgeting. According to the registrar, the site is a social inclusion service in nature, where the citizens can have a discussion about the development of the city.

According to the registrar, the service has had a search function from which all material on the site could be searched: users, suggestions and publications. All profiles created in the service have been visible to everyone in the site's search results. This has been a basic feature of the platform used by the site.

As a result of the data protection authorized office's request for clarification, the data controller has discovered a data security breach in the service, about which it has made a notification to the data protection authorized office on May 3, 2023. In order to correct the data security breach, all profiles created for the service have been deleted and registration for the service has been closed. In addition, the search function of the service has been removed. The controller has also asked Google to remove the search page about the service from the search results. According to the data controller, about 160,000 people have been the target of a data security breach.

According to the registrar, it has been possible to see the first and last name of all users. For voting purposes, registration in the service has taken place through strong identification, and the first and last name enter the person's profile directly from the identification service. If desired, the name could be changed afterwards.

If you wish, you can add a nickname and a picture and more information about the profile. The user could have entered any information he wanted in the additional information field. In addition, the profile shows the person's activity on the site and the profiles he follows, as well as the profiles that follow him. The activity view has shown the suggestions and comments that the person may have left, but not, for example, votes.

Due to the clarification request, the controller has now re-evaluated the visibility and publication of the data on the website and ended up hiding the profiles created in the service. Only in those situations when the user wants to publish a proposal or leave a comment on the service, consent to publish the profile is requested. After leaving a suggestion or comment, the profile can be hidden again if desired.
A legal question

The Deputy Data Protection Commissioner must decide whether the data controller has complied with the provisions of Article 25, Paragraph 2 of the General Data Protection Regulation (EU) 2016/679 regarding built-in and default data protection and Article 32, Paragraph 1 of the General Data Protection Regulation (EU) 2016/679 regarding processing security, to the extent that the profiles created for the service and the related information have been searchable by all and visible.
Decision and reasons of the Deputy Data Protection Commissioner
Decision

The controller has not complied with the provisions of Article 25, paragraph 2, and Article 32, paragraph 1 of the General Data Protection Regulation to the extent that the profiles created for the service and the information related to them have been searchable and viewable by everyone.

As a result, the Deputy Data Protection Commissioner gives the data controller a notice in accordance with Article 58, Section 2, Subsection b of the General Data Protection Regulation.

In this context, the Deputy Data Protection Commissioner does not give the data controller the order according to Article 58, paragraph 2, subsection d of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of the General Data Protection Regulation, because the data controller has already taken measures to correct the functionality of the service.
Reasoning
Applicable legal guidelines

Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 2 of the article, the controller must take appropriate technical and organizational measures to ensure that by default only personal data necessary for the specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that, by default, personal data is not made available to an unlimited number of people without the contribution of a natural person. According to paragraph 78 of the preamble of the General Data Protection Regulation, when developing, planning, selecting and using services, it must be taken into account that the data controller must be able to fulfill its data protection obligations.

Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the article, taking into account the latest technology, implementation costs, the nature, scope, context and purposes of the processing, as well as risks to the rights and freedoms of natural persons, which vary in probability and severity, the controller and personal data processor must implement appropriate technical and organizational measures to ensure a level of security corresponding to the risk.
The clarification received in the matter

Based on the report received from the registrar, the service has had a search function from which all users of the site could be searched. All profiles created in the service have been visible to everyone in the site's search results. The users' first and last names have been visible in the profiles, unless the user has changed their name after registration. If you wish, you can add a nickname and a picture and more information about the profile. The user could have entered any information he wanted in the additional information field. In addition, the profile shows the person's activity on the site and the profiles he follows, as well as the profiles that follow him. The suggestions and comments left by the person have been shown in the activity view.

Based on the report received from the registrar, the purpose of the service has been to involve the city's residents in budgeting. According to the registrar, the site is a social inclusion service in nature, where city residents can have a discussion about the development of the city. The controller has now re-evaluated the visibility and publication of the data on the website, following the clarification request of the data protection authorized office, and ended up hiding the profiles created in the service.
Legal assessment and conclusions

The Deputy Data Protection Commissioner states that, taking into account the purpose of use of the service as a tool for participatory budgeting, it cannot be considered necessary that the profiles of all users have been publicly searchable and visible to everyone through the service's own search function. There has been no technical or organizational limitation in the service that would have prevented outsiders from accessing information they are not supposed to have access to. The profiles of the users of the service have thus been available to an unlimited number of people.

Based on the above, the deputy data protection commissioner considers that the data controller has not implemented the appropriate technical and organizational measures required by Article 25, paragraph 2 of the General Data Protection Regulation, which ensure by default only the processing of personal data necessary for each specific purpose of the processing. The controller has also not implemented appropriate technical and organizational measures to ensure a level of security corresponding to the risk required by Article 32, paragraph 1 of the General Data Protection Regulation.