Tietosuojavaltuutetun toimisto (Finland) - 531/161/20: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...")
 
m (removed national law that was not relevant)
Line 29: Line 29:




|National_Law_Name_1=2004/759
|National_Law_Name_1=
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2004/20040759
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2004/20040759
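Review bot: National_Law_Link_1 still carries the finlex.fi URL in the unchanged context lines, although this hunk empties National_Law_Name_1. If the national law is being removed as not relevant, as the edit summary says, clear National_Law_Link_1 as well so the infobox is not left with a link that has no name.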


Line 54: Line 54:
Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35.  
Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35.  


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
A company monitored employees’ working hours by using location data from vehicle information systems.  
A company monitored employees’ working hours by using location data from vehicle information systems.  
The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment.  
The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment.  




=== Dispute ===
===Dispute===
The main legal arguments were as follows:  
The main legal arguments were as follows:  
1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out DPIA?
1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out DPIA?
Line 68: Line 68:




=== Holding ===
===Holding===
The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA should be mandatory if the data processing is likely to be a high risk to the individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee – employer relationship and the fact that location data was systematically monitored.
The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA should be mandatory if the data processing is likely to be a high risk to the individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee – employer relationship and the fact that location data was systematically monitored.
Furthermore, the controller has not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR16,000 was imposed for the controller’s privacy violations.  
Furthermore, the controller has not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR16,000 was imposed for the controller’s privacy violations.  




== Comment ==
==Comment==




== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.



Revision as of 18:38, 15 June 2020

Tietosuojavaltuutetun toimisto - 531/161/20
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 25 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 16000 EUR
Parties: n/a
National Case Number/Name: 531/161/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: n/a

Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35.

English Summary

Facts

A company monitored employees’ working hours by using location data from vehicle information systems. The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment.


Dispute

The main legal arguments were as follows:
1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out a DPIA?
2. If yes, has the controller complied with its obligations under Article 35 GDPR?
3. Has the controller taken adequate organisational and/or technical measures in accordance with Article 25 GDPR?


Holding

The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA is mandatory if the data processing is likely to result in a high risk to individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee-employer relationship and the fact that location data was systematically monitored. Furthermore, the controller had not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR 16,000 was imposed for the controller’s privacy violations.



English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.