Tietosuojavaltuutetun toimisto (Finland) - 1198/161/2022

From GDPRhub
Revision as of 13:40, 11 January 2023 by Ex4 (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finnland) |...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Tietosuojavaltuutetun toimisto - Dnro 1198/161/2022
[[File:|center|250px]]
Authority: Tietosuojavaltuutetun toimisto (Finnland)
Jurisdiction: Finland
Relevant Law: Article 9(2)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.12.2022
Published:
Fine: 122000 EUR
Parties: n/a
National Case Number/Name: Dnro 1198/161/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Eetu Salpaharju

Finnish Authority imposed a fine of 122,000 euros on a company handling health-related types of personal data without proper consent.

English Summary

Facts

Unnamed company had not asked the users of its service for individual consent to the processing of health-related types of personal data.

Holding

Data subjects was asked general consent for handling data, but it was not detailed enough to handle special data groups, such as health-related information.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The company had not asked the users of its service for individual consent to the processing of health-related types of personal data. The data protection commissioner's office imposed a penalty on the company for violating the data protection regulation, as the processing of health data is part of the company's core business. In addition, the data protection commissioner ordered the company to correct its practice in requesting consent. The Office of the Data Protection Commissioner investigated the company's operating methods in 2018–2019 based on the complaints received. The investigations revealed that the company did not have consent in accordance with the EU's General Data Protection Regulation to process data on body mass index and maximum oxygen uptake capacity. Health data belong to so-called special personal data groups and their processing is basically prohibited. Data can be processed, for example, when the data subject has given his consent. The company had asked for consent to process health-related data in general, but had not specified the data it collected and processed. The requested consent did not meet the requirements of the data protection regulation, as it was not individualized and informed. The Data Protection Commissioner considers that the data controller had informed the data subjects that their personal data would be processed, but had not provided sufficient information about the types of personal data being processed and the purpose for which each type of personal data is being processed. The disciplinary board paid special attention to the fact that the large-scale processing of health data is a key part of the company's core business. "A company whose business mainly includes the processing of personal data must always take care of all the requirements for the proper processing of personal data. In a data-intensive economy, the importance of this will grow all the time," states Data Protection Commissioner Anu Talus. The matter was dealt with in cooperation between EU countries. The company's service is also available in other EU and EEA countries, which is why the matter was dealt with in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. The company's location in Finland is responsible for the processing of personal data, and the data protection commissioner's office acted as the leading supervisory authority in the investigation. The participating supervisory authorities have accepted the decision of the Data Protection Commissioner and the Sanctions College, and the decision is also binding on them. The sanction panel of the Office of the Data Protection Commissioner imposed a fine of 122,000 euros on the company for data protection violations. In addition, a notice was issued to the company. The decisions are not yet legally binding and can be appealed to the administrative court. Decisions of the Data Protection Commissioner and Sanctions Board (pdf) More information: Data Protection Commissioner Anu Talus, anu.talus(at)om.fi, tel. 029 566 6766 The decision-making of the Sanctions Board and the legal protection of data controllers are stipulated in the National Data Protection Act. The disciplinary board consists of a data protection commissioner and two deputy data protection commissioners. The college is competent to impose administrative fines for violations of data protection legislation. The maximum amount of penalty payments is four percent of the company's turnover or 20 million euros. ​​​​​​​​​More information on the so-called about the one-stop shop mechanism in the European Data Protection Board brochure (pdf)