Tietosuojavaltuutetun toimisto (Finland) - TSV/4/2018: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/4/2018 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2024/20242363 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language...") |
m (added links) |
||
Line 74: | Line 74: | ||
=== Facts === | === Facts === | ||
On the 5 July 2018, the data subject filed a complaint against the main postal service provider in Finland (Posti Jakelu Oy), the controller, with the Finnish DPA (Tietosuojavaltuutetun toimisto). The data subject explained that their documents and invoices automatically went to an electronic mailbox which they had never signed up to. | On the 5 July 2018, the data subject filed a complaint against the main postal service provider in Finland (Posti Jakelu Oy), the controller, with the Finnish DPA ([[Tietosuojavaltuutetun toimisto (Finland)|Tietosuojavaltuutetun toimisto]]). The data subject explained that their documents and invoices automatically went to an electronic mailbox which they had never signed up to. | ||
Upon receipt of the complaint, the DPA began an investigation which found that the electronic mailbox service was being used by 1,690,000 active users. | Upon receipt of the complaint, the DPA began an investigation which found that the electronic mailbox service was being used by 1,690,000 active users. The electronic “OmaPosti” mailbox is one of the services included in the controller’s general service package. When a data subject signs up to the “OmaPosti” service, an electronic mailbox is automatically crated when the data subject accepts the terms and conditions. In order to avail of the general postal service, the data subject must create an “OmaPosti” account. | ||
The electronic “OmaPosti” mailbox is one of the services included in the controller’s general service package. When a data subject signs up to the “OmaPosti” service, an electronic mailbox is automatically crated when the data subject accepts the terms and conditions. In order to avail of the general postal service, the data subject must create an “OmaPosti” account. | |||
In the mobile app version of the postal service data subjects are asked whether they want to receive their mail electronically. However, in the fine print under this question, it is explained that the question refers to whether the data subject wants to receive electronic mail for some senders only or all senders. In addition, the notice only appeared to some data subjects depending on which device they were using and what font size they had selected. | In the mobile app version of the postal service data subjects are asked whether they want to receive their mail electronically. However, in the fine print under this question, it is explained that the question refers to whether the data subject wants to receive electronic mail for some senders only or all senders. In addition, the notice only appeared to some data subjects depending on which device they were using and what font size they had selected. Moreover, if users tried to manually select from which senders they would like to receive digital communications, the pre-ticked “Allow electronic copies” box remained hidden on the device display. | ||
The investigation found that the processing of personal data was based on an agreement under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. The controller argued that data subjects were able to choose whether they wanted to receive their mail physically or digitally. It cited that data subjects were informed in the terms and conditions that they could receive their mail electronically. It posited that the settings section of the customer account, data subjects could select whether they wanted to receive communications digitally. | |||
The controller added that the browser version of the postal service account showed a notice which informed users that they will receive a digital copy of their physical mail but that users can choose whether they want this. It also informed users that a digital mailbox will be created for them. However, during the course of the investigation the controller submitted that the above information was incorrect and that users could not exclusively receive physical mail to their home address. Moreover, the controller also admitted during the course of the investigation that the pre-ticked “Allow electronic copies” box was not supposed to be ticked. | The controller added that the browser version of the postal service account showed a notice which informed users that they will receive a digital copy of their physical mail but that users can choose whether they want this. It also informed users that a digital mailbox will be created for them. However, during the course of the investigation the controller submitted that the above information was incorrect and that users could not exclusively receive physical mail to their home address. Moreover, the controller also admitted during the course of the investigation that the pre-ticked “Allow electronic copies” box was not supposed to be ticked. | ||
Line 90: | Line 87: | ||
The DPA assessed the following two points: | The DPA assessed the following two points: | ||
(1) Whether the controller had adequately informed data subjects of the processing as per the requirements of Articles 5(1)(a), 12(1), 13(1)(c) and 25(1) GDPR and | '''(1)''' Whether the controller had adequately informed data subjects of the processing as per the requirements of Articles 5(1)(a), 12(1), 13(1)(c) and 25(1) GDPR and | ||
(2) Whether the controller could rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for the creation of the electronic mailbox. | |||
'''(2)''' Whether the controller could rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for the creation of the electronic mailbox. | |||
'''(1) – Adequate information''' | |||
The DPA held that the controller did not adequately inform the data subject of the processing of their data at the time of the creation of the mailbox. Data subjects were not clearly informed that the mailbox will begin to operate immediately after signing up. The controller simply told data subjects that they could receive their mail electronically but from the wording, it was unreasonable to assume that this meant that this function was automatically enabled. | The DPA held that the controller did not adequately inform the data subject of the processing of their data at the time of the creation of the mailbox. Data subjects were not clearly informed that the mailbox will begin to operate immediately after signing up. The controller simply told data subjects that they could receive their mail electronically but from the wording, it was unreasonable to assume that this meant that this function was automatically enabled. | ||
The DPA highlighted that the European Working Party on Data Protection has stated that modal verbs such as “may” should be avoided by controllers. Under [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] the data subject should shows true understanding of the purposes for which their data is processed, but instead the controller was held to have provided incorrect and misleading information. | The DPA highlighted that the European Working Party on Data Protection has stated that modal verbs such as “may” should be avoided by controllers. Under [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] the data subject should shows true understanding of the purposes for which their data is processed, but instead the controller was held to have provided incorrect and misleading information. | ||
Therefore, the requirements under Articles 5(1)(a), 12(1), 13(1)(c) and 25(1) GDPR were not met. | Therefore, the requirements under [[Article 5 GDPR|Articles 5(1)(a)]], [[Article 12 GDPR|12(1)]], [[Article 13 GDPR|13(1)(c)]] and [[Article 25 GDPR|25(1)]] GDPR were not met. | ||
'''(2) – Legal basis''' | |||
In referring to the CJEU case C-252/21, the DPA reiterated that if there are less intrusive alternatives available to perform the contract, controllers should avail of these. This case also clarified that when a contract is made up of several services, which can be performed independently of each other the necessity of each service must be assessed separately. The controller was held to have failed to individually assess whether the data processing was necessary to the service availed for under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. | The DPA held that the controller could not rely on any legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]] for the processing. The creation of the electronic mailbox was unnecessary for the performance of the general postal service, which the data subject had requested. Several of the services included in the general postal service could be provided without the electronic mailbox. | ||
In referring to the CJEU case [[CJEU - C-252/21 - Meta Platforms and Others (General terms of use of a social network)|C-252/21]], the DPA reiterated that if there are less intrusive alternatives available to perform the contract, controllers should avail of these. This case also clarified that when a contract is made up of several services, which can be performed independently of each other the necessity of each service must be assessed separately. The controller was held to have failed to individually assess whether the data processing was necessary to the service availed for under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. | |||
Setting the fine | Setting the fine | ||
The unlawful processing of data had been ongoing for more than six years since the GDPR entered into force in 2018. The number of data subjects affected (approximately 2,000,000 registered users) and the amount of personal data processed justified the fine set at €2,400,000 based on the controller’s annual turnover. | The unlawful processing of data had been ongoing for more than six years since the GDPR entered into force in 2018. The number of data subjects affected (approximately 2,000,000 registered users) and the amount of personal data processed justified the fine set at €2,400,000 based on the controller’s annual turnover. | ||
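Review bot: In the Facts hunk (Line 74), the OmaPosti paragraph that the new revision merges into the "1,690,000 active users" paragraph still reads "an electronic mailbox is automatically crated". Since the sentence is being moved anyway, correct it to "created" in the same edit. The opening "On the 5 July 2018" is also carried over unchanged and would read better as "On 5 July 2018".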
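Review bot: In the Holding hunk (Line 90 / Line 87), the new revision bolds the numbered points and adds bold sub-headings for the two assessed issues, but "Setting the fine" is left as plain text, so the three parts of the holding are no longer styled alike. Mark it up the same way as the other two sub-headings. The sentence under Article 13(1)(c) also keeps "the data subject should shows true understanding" on both sides and should be corrected while the paragraph is being touched.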
Revision as of 15:32, 3 December 2024
Tietosuojavaltuutetun toimisto - TSV/4/2018 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 5(1)(a) GDPR; Article 6(1)(b) GDPR; Article 12(1) GDPR; Article 13(1)(c) GDPR; Article 25(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.07.2018 |
Decided: | 13.11.2024 |
Published: | |
Fine: | 2,400,000 EUR |
Parties: | Posti Jakelu Oy |
National Case Number/Name: | TSV/4/2018 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Finnish |
Original Source: | Finlex (in FI) |
Initial Contributor: | ao |
The DPA issued a €2,400,000 fine to the Finnish postal service for automatically creating an electronic mailbox for its customers without their consent and without an opt-out.
English Summary
Facts
On 5 July 2018, the data subject filed a complaint against the main postal service provider in Finland (Posti Jakelu Oy), the controller, with the Finnish DPA (Tietosuojavaltuutetun toimisto). The data subject explained that their documents and invoices automatically went to an electronic mailbox which they had never signed up to.
Upon receipt of the complaint, the DPA began an investigation which found that the electronic mailbox service was being used by 1,690,000 active users. The electronic “OmaPosti” mailbox is one of the services included in the controller’s general service package. When a data subject signs up to the “OmaPosti” service, an electronic mailbox is automatically created when the data subject accepts the terms and conditions. In order to avail of the general postal service, the data subject must create an “OmaPosti” account.
In the mobile app version of the postal service, data subjects are asked whether they want to receive their mail electronically. However, the fine print under this question explains that the question refers to whether the data subject wants to receive electronic mail from some senders only or from all senders. In addition, the notice only appeared to some data subjects, depending on which device they were using and what font size they had selected. Moreover, if users tried to manually select from which senders they would like to receive digital communications, the pre-ticked “Allow electronic copies” box remained hidden on the device display.
The investigation found that the processing of personal data was based on an agreement under Article 6(1)(b) GDPR. The controller argued that data subjects were able to choose whether they wanted to receive their mail physically or digitally. It stated that data subjects were informed in the terms and conditions that they could receive their mail electronically. It posited that, in the settings section of the customer account, data subjects could select whether they wanted to receive communications digitally.
The controller added that the browser version of the postal service account showed a notice which informed users that they will receive a digital copy of their physical mail but that users can choose whether they want this. It also informed users that a digital mailbox will be created for them. However, during the course of the investigation the controller submitted that the above information was incorrect and that users could not exclusively receive physical mail to their home address. Moreover, the controller also admitted during the course of the investigation that the pre-ticked “Allow electronic copies” box was not supposed to be ticked.
Holding
The DPA assessed the following two points:
(1) Whether the controller had adequately informed data subjects of the processing as per the requirements of Articles 5(1)(a), 12(1), 13(1)(c) and 25(1) GDPR and
(2) Whether the controller could rely on Article 6(1)(b) GDPR for the creation of the electronic mailbox.
(1) – Adequate information
The DPA held that the controller did not adequately inform the data subject of the processing of their data at the time of the creation of the mailbox. Data subjects were not clearly informed that the mailbox will begin to operate immediately after signing up. The controller simply told data subjects that they could receive their mail electronically but, from the wording, it was unreasonable to assume that this meant that this function was automatically enabled.
The DPA highlighted that the European Working Party on Data Protection has stated that modal verbs such as “may” should be avoided by controllers. Under Article 13(1)(c) GDPR the data subject should show a true understanding of the purposes for which their data is processed, but instead the controller was held to have provided incorrect and misleading information.
Therefore, the requirements under Articles 5(1)(a), 12(1), 13(1)(c) and 25(1) GDPR were not met.
(2) – Legal basis
The DPA held that the controller could not rely on any legal basis under Article 6(1) GDPR for the processing. The creation of the electronic mailbox was unnecessary for the performance of the general postal service, which the data subject had requested. Several of the services included in the general postal service could be provided without the electronic mailbox.
In referring to the CJEU case C-252/21, the DPA reiterated that if there are less intrusive alternatives available to perform the contract, controllers should avail of these. This case also clarified that when a contract is made up of several services which can be performed independently of each other, the necessity of each service must be assessed separately. The controller was held to have failed to individually assess whether the data processing was necessary to the service availed of under Article 6(1)(b) GDPR.
Setting the fine
The unlawful processing of data had been ongoing for more than six years since the GDPR entered into force in 2018. The number of data subjects affected (approximately 2,000,000 registered users) and the amount of personal data processed justified the fine set at €2,400,000 based on the controller’s annual turnover.
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.