Tietosuojavaltuutetun toimisto (Finland) - 531/161/20
| Tietosuojavaltuutetun toimisto - 531/161/20 | |
|---|---|
 | |
| Authority: | Tietosuojavaltuutetun toimisto (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 25 GDPR Article 35 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 18.5.2020 |
| Fine: | 16000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 531/161/20 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Finnish |
| Original Source: | Tietosuojavaltuutetun toimisto (in FI) |
| Initial Contributor: | n/a |
Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35.
English Summary
Facts
A company monitored employees’ working hours by using location data from vehicle information systems. The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment.
Dispute
The main legal arguments were as follows: 1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out DPIA? 2. If yes, has the controller complied with its obligations under Article 35 GPDPR? 3. Has the controller taken adequate organisational and/or technical measures in accordance with Article 25 GDPR.
Holding
The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA should be mandatory if the data processing is likely to be a high risk to the individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee – employer relationship and the fact that location data was systematically monitored. Furthermore, the controller has not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR16,000 was imposed for the controller’s privacy violations.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
