KHO - KHO:2025:29
From GDPRhub
| KHO - KHO:2025:29 | |
|---|---|
 | |
| Court: | KHO (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 6(1)(c) GDPR Basic Education Act 628/1998 |
| Decided: | 07.04.2025 |
| Published: | 07.04.2025 |
| Parties: | City of Espoo Tietosuojavaltuutetun toimisto |
| National Case Number/Name: | KHO:2025:29 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Not appealed |
| Original Language(s): | Finnish |
| Original Source: | Korkein hallinto-oikeus (in Finnish) |
| Initial Contributor: | cwa |
The Supreme Administrative Court held that compliance with a legal obligation (i.e. providing basic education) could potentially be a legal basis for the City of Espoo to implement Google Workspace in primary schools. Therefore, the Court referred the case back to the DPA.
English Summary
Facts
The City of Espoo (controller) had implemented Google Workspace for Education in the primary schools under their remit. The controller relied on Article 6(1)(c) GDPR to do so, believing the measure necessary for compliance with their legal obligation to organise basic education.
On 30th December 2021, the Finnish DPA held that Article 6(1)(c) GDPR did not provide a valid lawful basis for the processing in question, and the use of the e-learning platform was not in compliance with the GDPR. The DPA noted that processing based on the ground of legal obligation must explicitly refer to the nature and purpose of the processing. The DPA commented that the Basic Education Act does not refer to the nature of the processing or require the implementation of an e-learning platform, thus leaving the controller with significant discretion in fulfilling their obligation and rendering the use of this provision as a legal obligation inappropriate.
During the investigation, the DPA also highlighted the fact that this processing operation involved the collection of large amounts of data (including sensitive data) of children who are vulnerable data subjects, both while they are at home and at school. Also, the amount of data processed was far higher than that which would be processed under a traditional pre-school education arrangement. Additionally, the controller had to accept Google’s standard terms and conditions which limited their ability to control the processing taking place. The DPA therefore concluded that the use of such an e-learning platform cannot be automatically considered necessary and proportionate to allow the controller to justify the processing without having performed a case-by-case assessment in light of their obligation to organise basic education.
On 30th June 2023, the Administrative Court rejected the controller’s appeal against the decision. The Court reasoned that the Basic Education Act does not define the means of processing and thus leaves the controller with too much discretion in order to rely on the provision as providing a legal obligation to introduce the system. The Court also noted that the processing was not limited to what was necessary and proportionate for school purposes and the limited discretion that the controller had over the system after agreeing to the platform’s general terms of use.
The controller then appealed to the Supreme Administrative Court, requesting that the decision of the Administrative Court and the DPA be annulled and confirmation that they may rely on Article 6(1)(c) for this processing operation. In their submissions, the controller argued that the use of Google Workspace is necessary to comply with both their obligation to provide basic education and also their obligation to equip pupils with computer skills (ICT) available in the public domain. The controller argued that both the DPA and the administrative court have failed to take proper account of this. The controller also called for a more detailed analysis of the different offerings present in the Google Workspace environment by examining each independently deployable application to assess the extent to which the lawful basis may apply. The “all-or-nothing” approach in assessing legitimacy of the system adopted by both the DPA and the administrative court was inappropriate, the controller argued.
The DPA requested that the controller’s claims be dismissed. The DPA submitted that the obligation to provide basic education simply could not lead to an obligation to use Google’s educational software, that such a measure is not necessary for the provision of basic education. The DPA further argued that the processing in question is extensive and the controller is unable to exercise control over the pupil’s personal data, nor even to provide an actual explanation of how the processing is conducted, instead relying on service descriptions and contractual terms provided by Google. According to the DPA, the controller has not demonstrated that they have performed a proper assessment of the e-learning system.
Holding
At the outset, the Court noted that the lawful basis under Article 6(1)(c) must be interpreted strictly as it entails the processing of personal data without the consent of the data subjects. The Court referenced the judgment in C-394/23 Mousse in finding so. The Court also noted that processing under this basis must be based on Union or Member State law meeting an objective of public interest and must be necessary and proportionate to achieve those objectives.
The Court then considered whether the Basic Education Act even constitutes a legal obligation of the controller, compliance with which the use of an electronic education platform could be based upon.
The Court highlighted that the decisions of both the Administrative Court and DPA concluded that the fulfilment of the obligation under the Basic Education Act could not be seen as requiring the use of an e-learning platform. The Court disagreed with this premise.
The Court acknowledged the existence of the controller’s obligation under the Basic Education Act to provide basic education. The Court further referenced the National Board of Education’s objectives as to the content of basic education which stress the importance of technological literacy for pupils. The Court reasoned, therefore, that such an objective must be deemed to require the use of ICT-based learning environments to develop these skills in basic education. The Court concluded that there exists, therefore, a clear and precise legal basis for the processing of personal data necessary for the use of such applications for this purpose.
The Court thus found that compliance with the controller’s obligation under the Basic Education Act may provide a basis for the use of an electronic education platform. This differed from the findings of both the DPA and the Administrative Court.
As the decisions of the Administrative Court and the DPA were based on an incorrect premise, the Court found them to be incorrect. The Court noted that while the controller’s obligation does not require the use of the Google platform specifically, this does not necessitate a different assessment, as the GDPR obviously never specifies services or products required to be used by name.
The Court concluded that the DPA erred in finding that the controller’s obligation under the Basic Education Act could not provide a lawful basis for the use of an online education platform. The Court did not deem it necessary to consider the extent that the specific processing in question could be considered as fulfilling the controller’s legal obligation.
The Court also noted that the Google Workspace platform used different types of personal data for different purposes, for example for identifying users, developing applications etc. The applications could also be used independently of each other. The Court found that the fact that the processing of personal data is not necessary for a specific purpose does not necessarily allow the conclusion that the processing is incompatible with the lawful basis under Article 6(1)(c). This differed from the findings of both the DPA and the Administrative Court on this point, and the Court found their reasoning to be wrong.
The Court also referenced the DPA’s comments about the different uses of personal data present in the Google Workspace system (for identifying users, for developing services etc.), the sensitivity of the data involved, and the lack of oversight by the controller on the processing. While the Court did confirm that the controller would have to comply with the other provisions of the GDPR as they relate to these points, these issues were irrelevant from the perspective of the lawful basis, upon which the DPA focused.
In conclusion, the Court found that neither the DPA nor the Court could have concluded on the basis of the ground advanced that the processing could not be based on Article 6(1)(c) GDPR. The case was remitted back to the DPA for reconsideration.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
The city had introduced an electronic learning platform for basic education. According to the city, the basis for processing personal data in this regard was Article 6(1)(c) of the General Data Protection Regulation, as the processing was necessary for the city to comply with its statutory obligation, namely to provide basic education. The Data Protection Ombudsman had considered that the basis for processing proposed by the city was not applicable in the case. The Data Protection Ombudsman had not considered that the regulation on basic education could constitute a statutory obligation for the city, compliance with which could have been used to process personal data on an electronic learning platform, even in part. The Administrative Court had dismissed the city’s appeal. The Supreme Administrative Court held that the regulation on basic education could in itself constitute a statutory obligation for the city, compliance with which could have been used to process personal data on an electronic learning platform. The decisions of the Data Protection Ombudsman and the Administrative Court were therefore incorrect insofar as they were based on a different starting point. The other grounds presented in the decisions also did not allow the conclusion that Article 6(1)(c) of the General Data Protection Regulation would not apply in any respect in the case. The Supreme Administrative Court did not, in the first instance, decide in more detail to what extent the processing of personal data in question possibly lacked a basis in accordance with the General Data Protection Regulation. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Article 6(1)(c) and Article 6(3) Basic Education Act, Section 4(1) and Section 14 Government Decree on the national objectives of education referred to in the Basic Education Act and the distribution of hours in basic education, Section 3(1) and Section 4(2) Decision subject to appeal Helsinki Administrative Court, 30 June 2023, No. 3945/2023 Decision of the Supreme Administrative Court The Supreme Administrative Court grants leave to appeal and examines the matter. 1. The Data Protection Ombudsman's request for a preliminary ruling from the Court of Justice is dismissed. 2. The City of Espoo's request for an oral hearing is dismissed. 3. The decisions of the Administrative Court and the Data Protection Ombudsman are annulled. The matter is returned to the Data Protection Ombudsman for reconsideration. 4. The Office of the Data Protection Ombudsman is ordered to compensate the City of Espoo for the legal costs in the Administrative Court and the Supreme Administrative Court in the amount of EUR 30,000, including default interest. Default interest is determined at the interest rate referred to in Section 4(1) of the Interest Act, starting from the date one month has passed since the Supreme Administrative Court issued this decision. Background (1) The City of Espoo (hereinafter also referred to as the controller or the city) has implemented the Google Workspace for Education program package (hereinafter also referred to as the learning platform or curriculum) in basic education. The city has considered that the basis for the processing of personal data in this regard is Article 6(1)(c) of the General Data Protection Regulation, as the processing is necessary to comply with the city's statutory obligation, namely to organize basic education. (2) In its decision of 30 December 2021 (case number 1509/452/18), the Data Protection Ombudsman has held, insofar as the Supreme Administrative Court is concerned, that Article 6(1)(c) of the General Data Protection Regulation does not apply as a processing ground in this case and that the processing of personal data related to the use of the e-learning programme has not been in accordance with the Regulation under this provision. The City of Espoo has been issued an order pursuant to Article 58(2)(d) of the Regulation to bring the processing operations into compliance with the Regulation and a warning pursuant to Article 58(2)(b) of the Regulation regarding the processing operations of personal data that are in breach of the provisions. (3) The reasoning for the Data Protection Ombudsman's decision states, among other things, that the processing ground of a statutory obligation is applied on the basis of provisions that expressly refer to the nature and purpose of the processing. The Basic Education Act does not explicitly refer to the nature of the processing, and the fulfilment of the obligation under the law does not as such require the use of an electronic teaching programme. The means of data processing are not defined in the law, and the regulation leaves significant room for discretion in this regard. (4) The decision of the Data Protection Ombudsman also states that attention has been paid, among other things, to the fact that data on the student is collected over a long period of time, that the data may also contain so-called sensitive data, that significantly more data is processed through the electronic teaching programme than in traditional face-to-face teaching, and that the processing of data is not limited to information necessary for the school assignment. In addition, according to the decision, attention has been paid to the fact that the data in question concerns children, that the controller has accepted Google's standard terms and conditions, that the data processing is decentralized, that the programme is used at home in addition to school, and that the use of the electronic service has implications for the controller's ability to monitor the processing of personal data. It has also been pointed out that the encryption used to create the user account identifier has been done using a method considered outdated, and that the controller has significant discretion in relation to the use of the electronic curriculum, that there may be major differences between the different options and that the data subject has no influence on the choice of controller. (5) According to the decision of the Data Protection Commissioner, it is not justified to automatically consider the processing of personal data related to the use of the electronic curriculum as necessary and proportionate in such a way that the controller could justify the processing of students' personal data directly and without case-by-case consideration under its obligation to provide basic education. (6) By its decision of 30 June 2023, the Administrative Court, insofar as the Supreme Administrative Court is concerned, dismissed the City of Espoo's appeal against the decision of the Data Protection Commissioner. The Administrative Court has also dismissed the City's claim for reimbursement of its legal costs. (7) In its reasoning, the Administrative Court has stated, among other things, that the Basic Education Act does not explicitly refer to the nature of the processing of personal data or specify the means of processing, but rather leaves the controller considerable discretion with regard to the means used in the processing of personal data. In this case, the controller cannot justify the processing of personal data related to the Google curriculum directly on the basis of compliance with a statutory obligation. Although the processing of personal data in an electronic curriculum may in some situations be necessary for the provision of basic education, compliance with the obligation under the Basic Education Act does not as such require the use of an electronic curriculum, let alone a specific curriculum. (8) The Administrative Court has also referred to the fact that the personal data in question concerns children, the student logs into the curriculum with his or her own ID, the controller processes a significant amount of personal data of the students in connection with the use of the curriculum, and the data is accumulated over a long period of time. In addition, the Administrative Court has referred to the fact that the processing of personal data is not limited to information that is necessary and necessary for schooling, and that in home use, the responsibility for ensuring data security lies with the student and his or her guardians. The Administrative Court has further referred to the fact that the controller has accepted Google's standard agreement on the processing of personal data and the terms of use, and the controller has had little opportunity to influence their content. (9) Taking the above into account, the Administrative Court has assessed that the controller does not actually have the opportunity to sufficiently monitor and instruct Google's processing of personal data. The controller's conduct in connection with the use of the Google educational program cannot in this case be considered necessary in such a way that the controller could justify the processing of the students' personal data by directly invoking compliance with the statutory obligation to provide basic education. According to the Administrative Court, Article 6(1)(c) of the General Data Protection Regulation does not apply to the controller as a basis for processing personal data to the extent presented in relation to the Google educational program. The case was decided by the members of the Administrative Court, Petteri Leppikorpi, Jonna Konstari and Sari Komonen, who also presented the case. Claims in the Supreme Administrative Court (10) The City of Espoo has requested permission to appeal the decision of the Administrative Court and in its appeal has requested that the decisions of the Administrative Court and the Data Protection Ombudsman be overturned. In the case, it must be confirmed that the city is entitled to process the personal data of students on the basis of Article 6(1)(c) of the General Data Protection Regulation when organising basic education using the Google educational platform in question. (11) The City of Espoo has also requested that an oral hearing be held in the case, among other things, to clarify for what purposes the educational platform and the programs it contains are used and what kind of data is processed therein. The city has further requested that the Data Protection Ombudsman be ordered to reimburse the city's legal costs in the Supreme Administrative Court and the Administrative Court in the amount of EUR 220,073.75, including default interest. (12) The Data Protection Ombudsman has requested that the city's appeal and claim for reimbursement of legal costs be dismissed. The Data Protection Ombudsman has also requested that a preliminary ruling be requested from the Court of Justice of the European Union if the question of the interpretation of the General Data Protection Regulation is considered unclear. According to the Data Protection Ombudsman, it is not necessary to hold an oral hearing. Reasons for the Supreme Administrative Court's decision 1. Rejection of the request for a preliminary ruling (13) Pursuant to Article 267 of the Treaty on the Functioning of the European Union, the Court of Justice of the European Union has jurisdiction to give a preliminary ruling on, among other things, the interpretation of the Treaty and of acts of the institutions of the European Union. If such a question arises in a case pending before a national court or tribunal against whose decisions there is no judicial remedy under national law, that court or tribunal shall bring the matter before the Court of Justice of the European Union. The Supreme Administrative Court (Supreme Administrative Court) exercises the highest judicial jurisdiction in administrative law matters in Finland. (14) It is clear from the case-law of the Court of Justice that there is no obligation to make a reference for a preliminary ruling where the national court has no genuine doubt as to the applicability of the Court's existing case-law to the case or where it is perfectly clear how Union law is to be properly applied in the circumstances in question. (15) Having regard to the case-law of the Court of Justice and its applicability to the case in question, and the grounds on which the Supreme Administrative Court has ruled, no question has arisen which would, in view of the above, require a reference for a preliminary ruling. The request in this regard must therefore be dismissed. 2. Oral proceedings (16) Pursuant to Section 57(1) of the Act on Administrative Procedure, the administrative court must hold oral proceedings if the court considers it necessary or if a private party so requests. Subsection 2 of the section provides for the grounds on which the court may, despite the request of a party, refrain from holding an oral hearing. According to subsection 3 of the section, the Supreme Administrative Court may, despite the request of a party, refrain from holding an oral hearing also if the matter concerns an appeal against a decision of an administrative court and holding an oral hearing is not necessary for the resolution of the matter. (17) Taking into account the grounds on which the Supreme Administrative Court has decided the matter, as well as the grounds on which the City of Espoo has requested that an oral hearing be held, the explanation that the City has announced that it will present in the case, and the explanation available from the documents, holding an oral hearing is not necessary for the resolution of the matter. 3. Main matter 3.1 Questioning (18) The Data Protection Ombudsman has resolved the question in its decision as to whether Article 6(1)(c) of the General Data Protection Regulation could be applied as a basis for processing personal data in this matter. The decision is based on the explanations requested and received from the controller. (19) The decision of the Data Protection Ombudsman does not refer to Article 5(2) of the General Data Protection Regulation concerning the controller's obligation to provide evidence. It does not appear from the decision that it was based on the controller's failure to clarify what data or for what purpose the data is processed, or otherwise to provide the necessary explanation of the processing of the data. (20) In view of the above, the matter must be decided whether the Data Protection Ombudsman could, on the grounds set out in the decision, consider that Article 6(1)(c) of the General Data Protection Regulation does not apply as a basis for the processing of personal data in this case, and whether he should issue the City of Espoo with the remark and order set out in the decision on this basis. This questioning is not changed by the fact that the Commissioner has referred to the city's explanation as being incomplete during the proceedings. 3.2 Key positions of the parties (21) According to the City of Espoo, the processing of personal data on the Google Workspace for Education educational platform is necessary to comply with the city's statutory obligation, namely the provision of basic education in accordance with the Basic Education Act. Based on the provisions and regulations concerning education, the city must utilize and teach information and communication technology as part of basic education. The city is obliged to provide students with the skills to utilize generally available information and communication technology services. The decisions of the Data Protection Commissioner and the Administrative Court have not taken into account all the provisions and regulations concerning basic education. (22) According to the City of Espoo, Google Workspace for Education is an educational platform that consists of several independent programs that can be used separately from each other. The platform includes standard programs, such as email, calendar, word processing program, and spreadsheet and presentation tools. The city has only implemented programs necessary for organizing basic education. The basis for processing personal data must be assessed separately for each use situation. If the processing of data includes both processing operations to which the processing basis applies and operations to which no basis applies, processing is prohibited only for the latter processing operations. (23) According to the City of Espoo, the matter has been incorrectly assessed as a categorical all-or-nothing question. The Administrative Court and the Data Protection Ombudsman have, without specifying the different processing operations, considered that the processing basis presented by the city is in no way applicable as a basis for processing personal data in relation to the Google educational program, even though the use of the electronic educational platform itself has been found to be necessary for organizing basic education. The inapplicability of the processing basis has also been incorrectly justified in the case on grounds relating to the general lawfulness of the processing or which are characteristic of electronic educational platforms and computer programs in general. The facts have been insufficiently clarified. (24) According to the Data Protection Ombudsman, the obligation to provide basic education cannot be used as an obligation to use the Google curriculum. The processing of students' personal data in the Google curriculum is not actually necessary for the city to provide basic education. The processing of personal data under Article 6(1)(c) of the General Data Protection Regulation may be possible in the case of an electronic curriculum, citing the obligation to provide basic education. The city is not legally obliged to use the Google curriculum. (25) According to the Data Protection Ombudsman, the processing of students' personal data in this case is extensive both in terms of quantity and geography. The City of Espoo has no visibility into how Google actually processes students' personal data, and the city is therefore unable to ascertain the extent of Google's processing of personal data and that the data is processed in accordance with the necessity requirement and otherwise in accordance with the law. The city has not provided a report on the actual processing of personal data by Google, but has instead provided, for example, service descriptions and terms of agreement prepared by Google, in which Google has described its activities in a way it wishes. The report provided by the city does not indicate whether it has properly assessed the processing of personal data related to the use of the electronic teaching program. (26) The Data Protection Ombudsman has stated that, in principle, the shortcomings identified in the case concern individual Google services. Everything that is done in the Google teaching program takes place in the Google service and Google has access to the data processed in its own service. 3.3 Applicable legal provisions 3.3.1 General Data Protection Regulation (27) Article 5(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) lays down the principles and requirements for the processing of personal data. According to Article 5(2) of the same Article, the controller shall be responsible for and shall be able to demonstrate that paragraph 1 has been complied with (burden of proof). (28) According to Article 6(1) of the Regulation, processing is lawful only if and to the extent that, inter alia, the following condition is met: the processing is necessary for compliance with a legal obligation to which the controller is subject (point (c)). (29) According to Article 3(3), the basis for the processing referred to in points (c) and (e) of Article 1 shall be laid down either: (a) in Union law; or (b) in the law of the Member State to which the controller is subject. That paragraph also provides, inter alia, that the purpose of the processing shall be specified in the legal basis for the processing. Union law or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued. (30) According to recital 41 of the Regulation, whenever a Regulation refers to a legal basis or a legislative act for the processing, it does not necessarily require an act adopted by Parliament, without prejudice to the requirements of the constitutional order of the Member State concerned. However, the legal basis or legislative act for the processing in question should be clear, precise and foreseeable for individuals, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights. (31) Recital 45 of the Regulation states, inter alia, that where processing is carried out in accordance with a legal obligation to which the controller is subject or where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the processing should have a basis in Union or Member State law. The Regulation does not require that there be a specific law for each individual processing situation. A single law underlying several processing operations may be sufficient where the processing is based on a legal obligation to which the controller is subject or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The purpose of the processing should also be specified in Union or Member State law. 3.3.2 Provisions and regulations concerning basic education (32) According to Section 4(1) of the Basic Education Act, a municipality is obliged to provide basic education to those of compulsory school age referred to in Section 26(1) of the Act residing in its territory. (33) According to Section 14(1) of the Basic Education Act, the Government shall decide on the general national objectives of education referred to in the Act and on the distribution of time used for basic education between the teaching of different subjects and subject groups and for student guidance (hour allocation). According to Section 2 of the same section, the National Board of Education shall decide on the objectives and key contents of the different subjects and subject areas of basic education, student guidance and other teaching referred to in the said Act, as well as on the key principles of home-school cooperation and student care and the objectives of student care as part of teaching (fundamentals of the curriculum). (34) According to Section 3(1) of the Government Decree on the National Objectives of Education and the Distribution of Hours in Basic Education as referred to in the Basic Education Act, the aim of education is to develop a broad general education in the student, broaden and deepen their worldview. This requires, among other things, knowledge of economics and technology. Section 4(2) of the Decree stipulates, among other things, that students are guided and encouraged to acquire information independently and critically and are given the skills to use the information and communication technology required for this. (35) The National Board of Education’s regulation on the Basic Education Curriculum 2014 states, among other things, that information and communication technology competence is an important civic skill, both in itself and as part of multi-literacy. It is the object and tool of learning. In basic education, it is ensured that all students have opportunities to develop their ICT competence. ICT is systematically used in all grades of basic education, in different subjects and in multidisciplinary learning modules, and in other school work. Students are guided to become familiar with the various applications and uses of ICT and to notice their importance in everyday life and in interaction between people and as a means of influencing. (36) The Finnish National Board of Education regulation states, among other things, that ICT is an essential part of diverse learning environments. It strengthens students' participation and skills in working together as a community, and supports students' personal learning paths. The development of learning environments takes into account a diverse media culture. New ICT solutions are introduced to promote and support learning. Students' own IT devices may be used to support learning in ways agreed with their guardians. At the same time, it is ensured that all students have access to information and communication technology. 3.4 Legal assessment and outcome 3.4.1 Basis of the assessment (37) According to the case-law of the Court of Justice of the European Union, the justification in Article 6(1)(c) of the GDPR must be interpreted strictly, as it makes the processing of personal data carried out without the consent of the data subject lawful (e.g. C-394/23 Mousse, paragraph 27 and the case-law cited, and C-252/21 Meta Platforms and Others, paragraph 93 and the case-law cited). (38) Processing of personal data is lawful under Article 6(1)(c) of the GDPR if it is necessary for compliance with a legal obligation to which the controller is subject. Article 6(3) of the Regulation specifies that the processing must be based on Union law or on the law of a Member State to which the controller is subject and that this legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued (e.g. C-17/22 and C-18/22 HTB, paragraphs 66-67 of the judgment and C-252/21 Meta Platforms and Others, paragraphs 127-128 of the judgment and the case-law cited). (39) The processing of personal data based on law must be suitable for achieving objectives of public interest and must not go beyond what is necessary in order to achieve those objectives. The requirement of necessity is met if the public interest objective pursued cannot reasonably be achieved as effectively by other means which are less restrictive of the fundamental rights of data subjects, in particular the rights to respect for private life and the protection of personal data guaranteed by Articles 7 and 8 of the Charter (e.g. C-184/20 OT, paragraphs 82 and 85 of the judgment and case-law cited). Exceptions and limitations to the principle of the protection of personal data must be implemented only to the extent strictly necessary (e.g. C-394/23 Mousse, paragraph 28 of the judgment and case-law cited). (40) The GDPR does not require an act adopted by Parliament when referring to the legal basis or legislative act for processing. However, the legal basis or legislative measure for the processing in question should be clear and precise and its application should be foreseeable for the persons concerned (e.g. C-17/22 and C-18/22 HTB, paragraph 68 of the judgment). 3.4.2 Legal obligation of the controller (41) In the case, it must first be assessed whether the regulation on basic education can constitute a legal obligation for the City of Espoo, compliance with which could in principle be based on the processing of personal data on the electronic educational platform in question. (42) The decisions of the Data Protection Ombudsman and the Administrative Court have referred to the obligation to organise basic education laid down in the Basic Education Act. According to the decisions, however, the law has not specified the means of processing personal data or expressly referred to the nature of the processing, and the fulfilment of the obligation under the law as such has not been considered to require the use of an electronic educational programme. The decisions still appear to have considered it possible that the processing of personal data in such a curriculum may be justified on a case-by-case basis on the basis of the obligation to provide basic education. (43) The decisions are not unambiguous in this respect. However, it is justified to interpret the decisions in such a way that in this case the regulation on basic education has not been considered to constitute a statutory obligation for the City of Espoo, compliance with which could be used to partially base the processing of personal data on the electronic education platform in question. (44) The Supreme Administrative Court states that the city is obliged to provide basic education under Section 4 of the Basic Education Act. According to the Basic Education Act, the Government decides, among other things, on the general national objectives of education and the National Board of Education decides, among other things, on the central content of education. The central content of the Government Decree and the National Board of Education regulation issued under the Act in this matter has been explained above. (45) The provisions and regulations concerning the objectives and content of basic education have emphasised, among other things, the provision of skills in the use of information and communication technology and the general importance of knowledge of technology. Information and communication technology has been identified as an object of learning, a tool and an essential part of diverse learning environments. Basic education must, among other things, ensure that pupils have the opportunity to develop and use information and communication technology competence, make versatile use of this technology and introduce new information and communication technology solutions to promote and support learning. (46) The provisions and regulations concerning the objectives and content of basic education must be considered to require that basic education use learning environments based on information and communication technology and other applications essential for the development of information and communication technology competence. These provisions and regulations can accordingly be considered to constitute a clear and precise legal basis for the processing of personal data that is necessary for the use of the applications in question in a manner corresponding to their usual purpose. Such processing of personal data in basic education can also be considered foreseeable. (47) In order to organise the education referred to in the Basic Education Act, the City of Espoo has introduced an electronic educational platform, which includes applications that are commonly used in the information society or that are closely related to the implementation of education, such as email, calendar, file storage service and applications related to the production of text and other content and the management of school assignments. The use of such applications can in principle be considered to be in accordance with the requirements stated above concerning basic education. (48) Based on the above, the regulation concerning basic education can in itself constitute a statutory obligation for the City of Espoo, compliance with which the processing of personal data in question on the electronic educational platform can in principle be based. The decisions of the Data Protection Ombudsman and the Administrative Court are therefore incorrect insofar as they were based on a different starting point. (49) The matter does not need to be assessed differently due to the fact referred to by the Data Protection Ombudsman that the regulation on basic education does not impose an obligation on the City of Espoo to use Google’s educational platform. It is obvious that the General Data Protection Regulation does not require the processing of personal data to be regulated with the precision of the services or products mentioned by name. (50) Based on the above, the Data Protection Ombudsman has not been able to conclude, on the grounds set out in the decision in this regard, that Article 6(1)(c) of the General Data Protection Regulation does not apply as a basis for processing personal data. It is not necessary at this stage to take a more detailed position on the extent to which the processing of personal data in question can be considered to be based on compliance with a statutory obligation. 3.4.3 Assessment of the decisions of the Data Protection Ombudsman and the Administrative Court in other respects (51) The processing of personal data pursuant to Article 6(1)(c) of the General Data Protection Regulation requires that the legal basis for the processing meets an objective in the public interest and is proportionate to the legitimate aim pursued. The processing must be necessary for compliance with a statutory obligation. (52) In the justifications for their decisions, the Data Protection Ombudsman and the Administrative Court have highlighted matters that can be considered to be related, among other things, to aspects of the necessity and proportionality of the processing. However, the decisions are not unambiguous in this respect either. The justifications for the decisions indicate that personal data have been considered to be processed in certain respects more extensively than is necessary in connection with the electronic learning platform used by the City of Espoo and that there has been no basis for the processing of the data to this extent put forward by the City. However, the final result of the decisions has been that the processing basis will not be applicable in this case in any respect. (53) The Supreme Administrative Court states that in connection with the electronic learning platform used by the City of Espoo, various personal data are processed for different purposes. The data can be processed, for example, to identify users, provide applications or develop services. In addition, based on the investigation received, the applications belonging to the electronic learning platform can be used independently of each other and they can process different information. (54) The fact that the processing of personal data is not necessary for a specific purpose, for example, cannot be concluded that the processing basis under Article 6(1)(c) of the General Data Protection Regulation could not apply to the processing of personal data in this case in any way. The decisions of the Data Protection Commissioner and the Administrative Court, which, as stated above, appear to be based on such reasoning, are therefore also incorrect in this respect. (55) The City of Espoo has submitted to the Data Protection Ombudsman a report on the data processed in connection with the electronic learning platform and on the terms and conditions and agreements concerning their processing. As the Data Protection Ombudsman has referred to in the Supreme Administrative Court, it is partly difficult to state with certainty from the terms and conditions and agreements what personal data is processed on the basis of them and for what purpose. (56) The controller is obliged to demonstrate that personal data is processed for a legitimate purpose. To demonstrate this, the controller must be able, among other things, to explain what personal data it processes and for what purpose. The Data Protection Ombudsman may take action in accordance with the General Data Protection Regulation if the controller fails to fulfil its obligations. (57) As stated above in Section 3.1, the decision of the Data Protection Ombudsman in this case has not been based on the controller’s failure to clarify what data or for what purpose the data is processed, or otherwise to provide the necessary explanation of the data processing. Instead, the decision has decided, on the basis of the explanation presented by the controller, whether the processing basis referred to in Article 6(1)(c) of the General Data Protection Regulation could be applied as the basis for the processing of personal data in this case. (58) The Data Protection Ombudsman has justified his decision by referring to the fact that the data processed may include so-called sensitive data, that more data is processed through the e-learning programme than in traditional face-to-face teaching, and that the processing of data is not limited to data necessary for the school task. These facts may in themselves be partly correct. However, they do not mean that the presented processing basis is not applicable to the processing of data in any respect. (59) In its decision, the Data Protection Supervisor has also referred to the controller's ability to control the processing of personal data, the decentralization of data processing, the use of the curriculum not only at school but also at home, and the encryption associated with the creation of the user account identifier. Reference has also been made to the controller's discretion, the differences between the different options, and the fact that the data subject has no influence on the choice made by the controller. Based on the decision, it remains unclear how these factors relate to the assessment of the processing ground. Although some of the factors mentioned may be relevant for the application of other provisions of the General Data Protection Regulation, they do not allow the conclusion that the presented processing ground is not applicable to the processing of the data in any respect. (60) In its decision, the Data Protection Supervisor has also referred to the fact that the personal data of children is involved, that the data is collected over a long period of time, and that the controller has accepted Google's standard terms and conditions. These factors may in themselves be relevant when assessing the proportionality and necessity of the processing. However, they are not, as such and as they are mostly unspecified, grounds for considering that the presented processing ground is not applicable to the processing of data in any respect. 3.4.4 Final result (61) The Data Protection Ombudsman has not been able to consider, on the grounds presented in the decision, that Article 6(1)(c) of the General Data Protection Regulation does not apply in any respect as a basis for processing personal data in this case. Accordingly, the Data Protection Ombudsman has not been able to issue the City of Espoo, on this basis, an order to bring the processing of personal data into compliance with the Regulation, nor a warning for processing activities that are contrary to the provisions, as reflected in his decision. (62) The Administrative Court's decision was based on essentially the same factors as the Data Protection Commissioner's decision. The Administrative Court should not have dismissed the City of Espoo's appeal on these grounds. (63) The Supreme Administrative Court will not decide in more detail in the first instance to what extent the processing of personal data in question may lack a basis under the General Data Protection Regulation. The matter will be returned to the Data Protection Ombudsman for re-examination in this respect. 4. Legal costs (64) According to Section 95(1) of the Act on Administrative Proceedings, a party to the proceedings is obliged to compensate the other party's legal costs in whole or in part if, in particular, taking into account the decision given in the case, it is unreasonable for the other party to have to bear its own legal costs. According to Section 2 of the same section, when assessing the reasonableness of the liability for compensation, the legal ambiguity of the matter, the actions of the parties and the significance of the matter for the party concerned may also be taken into account. (65) According to the detailed reasoning of the section (HE 29/2018 vp), the starting point is that if a public party loses the case, it would be obliged to compensate the other party's legal costs. According to the reasoning, when assessing the grounds for liability for compensation, special attention should be paid to the decision given in the case. However, the outcome of the case is not the only determining factor when assessing the reimbursement of legal costs, but the decision regarding the reimbursement of legal costs is a question of the overall assessment of the reasonableness of the liability for costs. (66) The Data Protection Ombudsman has made the decision in question in order to carry out its task of supervising compliance with the data protection legislation. The matter has been subject to legal interpretation. The annulment of the Data Protection Ombudsman's decision does not as such mean that it would be unreasonable, within the meaning of section 95(1) of the Act on Administrative Proceedings, to bear the entire legal costs of the City of Espoo. (67) However, taking into account in particular the above-mentioned open-ended nature of the reasoning for the Data Protection Ombudsman's decision and the grounds on which the Supreme Administrative Court has decided the matter, it would be unreasonable if the City of Espoo were to have to bear its legal costs in full. Therefore, the Office of the Data Protection Ombudsman is obliged, pursuant to sections 95 and 100 of the Act on Judicial Proceedings in Administrative Matters, to compensate the City of Espoo for the legal costs in the Supreme Administrative Court and the Administrative Court, including interest on late payment, in the amount determined by the Supreme Administrative Court to be reasonable, as set out in the above resolution. The case has been decided by legal advisors Outi Suviranta, Petri Helander, Taina Pyysaari, Toni Kaarresalo and Robert Utter. The rapporteur for the case is Paul Karlsson.
