Tietosuojavaltuutetun toimisto (Finland) - TSV/4/2018

From GDPRhub
Revision as of 15:26, 3 December 2024 by Ao (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/4/2018 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2024/20242363 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Tietosuojavaltuutetun toimisto - TSV/4/2018
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(b) GDPR
Article 12(1) GDPR
Article 13(1)(c) GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 05.07.2018
Decided: 13.11.2024
Published:
Fine: 2,400,000 EUR
Parties: Posti Jakelu Oy
National Case Number/Name: TSV/4/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: ao

The DPA issued a €2,400,000 fine to the Finnish postal service for automatically creating an electronic mailbox for its customers without their consent and without an opt-out.

English Summary

Facts

On the 5 July 2018, the data subject filed a complaint against the main postal service provider in Finland (Posti Jakelu Oy), the controller, with the Finnish DPA (Tietosuojavaltuutetun toimisto). The data subject explained that their documents and invoices automatically went to an electronic mailbox which they had never signed up to.

Upon receipt of the complaint, the DPA began an investigation which found that the electronic mailbox service was being used by 1,690,000 active users. The electronic “OmaPosti” mailbox is one of the services included in the controller’s general service package. When a data subject signs up to the “OmaPosti” service, an electronic mailbox is automatically crated when the data subject accepts the terms and conditions. In order to avail of the general postal service, the data subject must create an “OmaPosti” account. So, if a data subject for example availed of the “my pick-up point service” an electronic mailbox was automatically created.

In the mobile app version of the postal service data subjects are asked whether they want to receive their mail electronically. However, in the fine print under this question, it is explained that the question refers to whether the data subject wants to receive electronic mail for some senders only or all senders. In addition, the notice only appeared to some data subjects depending on which device they were using and what font size they had selected.

Moreover, if users tried to manually select from which senders they would like to receive digital communications, the pre-ticked “Allow electronic copies” box remained hidden on the device display.

The investigation found that the processing of personal data was based on an agreement under Article 6(1)(b) GDPR. The controller argued that data subjects were able to choose whether they wanted to receive their mail physically or digitally. It cited that data subjects were informed in the terms and conditions that they could receive their mail electronically. It posited that the settings section of the customer account, data subjects could select whether they wanted to receive communications digitally. The controller added that the browser version of the postal service account showed a notice which informed users that they will receive a digital copy of their physical mail but that users can choose whether they want this. It also informed users that a digital mailbox will be created for them. However, during the course of the investigation the controller submitted that the above information was incorrect and that users could not exclusively receive physical mail to their home address. Moreover, the controller also admitted during the course of the investigation that the pre-ticked “Allow electronic copies” box was not supposed to be ticked.

Holding

The DPA assessed the following two points:

(1) Whether the controller had adequately informed data subjects of the processing as per the requirements of Articles 5(1)(a), 12(1), 13(1)(c) and 25(1) GDPR and (2) Whether the controller could rely on Article 6(1)(b) GDPR for the creation of the electronic mailbox. On point (1) – Adequate information The DPA held that the controller did not adequately inform the data subject of the processing of their data at the time of the creation of the mailbox. Data subjects were not clearly informed that the mailbox will begin to operate immediately after signing up. The controller simply told data subjects that they could receive their mail electronically but from the wording, it was unreasonable to assume that this meant that this function was automatically enabled. The DPA highlighted that the European Working Party on Data Protection has stated that modal verbs such as “may” should be avoided by controllers. Under Article 13(1)(c) GDPR the data subject should shows true understanding of the purposes for which their data is processed, but instead the controller was held to have provided incorrect and misleading information. Therefore, the requirements under Articles 5(1)(a), 12(1), 13(1)(c) and 25(1) GDPR were not met.

On point (2) – Legal basis Further, the DPA held that the controller could not rely on any legal basis under Article 6(1) GDPR for the processing. The creation of the electronic mailbox was unnecessary for the performance of the general postal service, which the data subject had requested. Several of the services included in the general postal service could be provided without the electronic mailbox. In referring to the CJEU case C-252/21, the DPA reiterated that if there are less intrusive alternatives available to perform the contract, controllers should avail of these. This case also clarified that when a contract is made up of several services, which can be performed independently of each other the necessity of each service must be assessed separately. The controller was held to have failed to individually assess whether the data processing was necessary to the service availed for under Article 6(1)(b) GDPR.

Setting the fine The unlawful processing of data had been ongoing for more than six years since the GDPR entered into force in 2018. The number of data subjects affected (approximately 2,000,000 registered users) and the amount of personal data processed justified the fine set at €2,400,000 based on the controller’s annual turnover.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.