Tietosuojavaltuutetun toimisto (Finland) - 8393/161/2019
Tietosuojavaltuutetun toimisto - 8393/161/2019 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 5(1)(c) GDPR Article 5(2) GDPR Article 6(1)(f) GDPR Article 12 GDPR Article 13(2)(d) GDPR Article 13(2)(e) GDPR Article 26 GDPR Article 30 GDPR Article 35 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 26.05.2020 |
Published: | |
Fine: | 72000 EUR |
Parties: | Taksi Helsinki |
National Case Number/Name: | 8393/161/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Finnish English |
Original Source: | tietosuoja.fi (in FI) tietosuoja.fi (press release) (in EN) |
Initial Contributor: | n/a |
The Finnish DPA (Tietosuojavaltuutetun toimisto) fined Taksi Helsinki € 72,000 for failing to assess the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis.
English Summary
Facts
Following the investigations carried out in November 2019 on Taksi Helsinki’s processing, the Tietosuojavaltuutetun toimisto found several serious GDPR violations regarding the processing of customers’ audio and video personal data.
Dispute
The Tietosuojavaltuutetun toimisto raised six data protection law issues regarding the processing of both audio and video data which can be summed up as below: - Does the controller process audio and video data for security purposes in accordance with Article 6(1)(f) GDPR? - Does the controller process audio and video data in accordance with 5(1)(c) GDPR? - Does the information provided to data subjects regarding the security camera and the automated decision making process comply with Article 12 GDPR? - Did the controller identify the actors playing a role in the processing, with respect to Articles 4(7), (8) and Articles 26, 28 GDPR (processor, controller, joint controllership)? - Did the controller maintain a record of processing activities according to Article 30 GDPR? - Did the controller perform a data protection impact assessment prior to the implementation for the security camera system, as prescribed under Article 35 GDPR?
Holding
First, the Tietosuojavaltuutetun toimisto decided that the controller was not able to demonstrate that the processing of video and audio data for security purposes complies with Article 5 (1) (a) and Article 6 (1) (f) GDPR. Thus, the controller failed to comply with the accountability principle under Article 5 (2) GDPR. Second, the data protection authority pointed out that the recording of images and sound in all of the company’s cars did not comply with the principle of data minimisation under Article 5(1)(c) GDPR. The recording of the image would have fit the purposes of safety and the investigation of criminal offences and damages which might have occurred, as claimed by the controller. Regarding the information to be provided to the data subjects, the data protection authority ruled that several pieces of information were missing, such as the right to lodge a complaint and whether the provision of personal data is a legal or contractual requirement, (Article 13 (2) and (e) GDPR). The authority also stated that there was no link between the controller’s privacy policy and the information about the loyalty program website targeting the consumer. This prevents the data subject from exercising their GDPR rights during the processing, and results in an incomprehensible overview of the processing of personal data by the controller in the context of the automated decision making for the loyalty program. Thus, the authority held that the controller did not comply with Article 12 GDPR. In identifying the controller or processor, in particular the role of the taxi drivers in the processing at stake, the authority held that Taksi Helsinki did not defined what personal data it processes as a controller. Thus, the authority decided that Taksi Helsinki failed to demonstrate its compliance with Article 26 GDPR. Furthermore, Article 30 GDPR does not require that a report of the processing activities has to be drawn in a specific form other than in writing. However, a report has to be drawn in a document and cannot only subsist in the privacy statements that the data controller provided. Thus, Taksi Helsinki violated Article 30 GDPR. Lastly, the authority decided that the controller did not carried out any impact assessment. Thus, the controller breached Article 35 GDPR.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Decisions of the Assistant Data Protection Supervisor and the Sanctions Chamber Thing General information on the processing of personal data by Taksi Helsinki Oy (later the registrar) compliance with the Data Protection Regulation 1 • The security camera surveillance carried out by the controller in taxi cars is and data minimization • Transparency in the processing of personal data • Defining the roles of the actors involved in the processing of personal data • The controller's obligation to prepare a report on the processing operations, as well as • The obligation for the controller to carry out a data protection impact assessment. The Office of the EDPS has started to investigate the matter on his own initiative after receiving the relevant anonymous notification. The Office of the Data Protection Officer has asked the controller for clarification of the personal data processing on 13 November 2019. The controller provided its response to the request for clarification within the deadline of 12.12.2019. The controller has been asked to complete the report 02.06.2020. The registrar provided the requested supplement on the same day. The EDPS office has requested further clarification and reserved it for the controller opportunity to be heard on 13 February 2020. The controller responded to the request for further clarification and consultation by the deadline of 6.3.2020. The controller was requested to complete its further study on 16.4.2020. The requested supplement was received 21.04.2020. The matter has also been clarified by consulting the controller’s website, information from the mobile app and other publicly available sources. The Office of the Data Protection Officer has requested clarification from the controller from the service provider on 9.4.2020, but the request for clarification has not been answered. Decision of the Assistant EDPS on the breach of the Regulation and his powers exercise of its remedial powers Statement received from the controller 1. Legality of security camera surveillance The controller has stated in its report that it is in compliance with the general data protection implementation of the principle of legality in accordance with Article 5 (1) (a) of documenting all uses and their legal bases. The register According to the controller, the responsible person is responsible for the equivalence of the processing carried out. and legal basis. Further consent and legitimate interest the controller shall also provide documentation of the legal proceedings. Trust and process estimates found in other reporting. The controller has identified camera surveillance as the primary legal basis in accordance with Article 6 (1) (f) of the General Data Protection Regulation implementation of the legitimate interests pursued by the controller or a third party. As regards the requirement of the necessity of a legal basis, the controller submits that the processing is necessary on the one hand because of the right of the taxi driver and the passenger personal safety can be ensured by both the taxi driver to safeguard working conditions. On the other hand, processing is considered necessary after processing the purpose is to deal with incidents and safety hazards clarification so that a third party can take legal action or legitimate interests in defense. As regards the balancing test for the application of the legitimate interest the controller states that it passes it clearly, but states that it has not been before this response has been prepared or documented. In the view of the controller there is in any case a balance between the interests of the controller and the data subjects assessed in the decision of the Data Protection Board of 25 February 2002, and not by the controller has therefore not considered that there is a need for separate additional documentation. Likewise, the controller submits that the legal status with regard to the type of documentation required of the controller in such a situation shall be deemed to be so unclear, the controller could not have been required to perform a balancing test in a documented manner. Finally, however, the controller states that it will operate the balancing test without undue delay during the spring of 2020 and the balance between the interests of the controller and those registered at regular intervals. 2. Minimization of personal data in connection with security camera surveillance The controller has stated in its report that it is in compliance with the general data protection the principle of data minimization in accordance with Article 5 (1) (c) of documenting all personal data stored in information systems or elsewhere. Re- the registrar states that it shall ensure that it does not hold the data resources for which it is has not specified at least one use. The controller shall also that the responsible person is responsible for the equivalence and reasonableness of the personal data stored; in relation to the purposes for which the data are used. The registrar has stated in his report of 12 December 2019 and in the in the privacy statement of the mass surveillance camera surveillance that it deals with whose personal data of taxi drivers, staff and motorists' customers are described and using a sound recording camera surveillance system. In its reply of 6.3.2020, the controller states, unlike before, that it processes image data only in the context of its security camera surveillance. The registrar brings emphasized in its reply that new security cameras with voice recording capability roit was installed in about half of the taxi cars covered by it in the summer 2019. Likewise, the controller states in his response that the processing of audio data was a mistake and was never intended to deal with in the context of security camera surveillance. The data controller has provided his reply as an annex with a voice recording feature Security Cameras that require Voice Recording has been set to “Off” during installation. In its same reply, the controller stated that on 20 December 2019 it had invited the cars covered by its service to deactivate audio recording. motorists has had to use the maintenance of his taxi by 15 January 2020 to remove the audio recording at the risk of a motorist who failed to perform a maintenance visit being removed from taxi the scope of this Regulation. Furthermore, the controller has stated that maintenance that voice recording is switched off for all security cameras and an add-on has been added to the cameras to prevent future use. The EDPS Office has tried to find out with the voice recording feature the accuracy of the information on the installation of cameras equipped with from the service provider of the holder, but has not received a reply to the request for background. According to bulletin 2 published on the registrar's website on 13 November 2019 in its cars is a recording security camera, some of which records sound and images, some of which are mere images. You- In a mass bulletin, the registrar states that the security camera is for car security in order to guarantee. In another published by the registrar on its website on 15.11.2019 in bulletin 3, the controller states that it has been found that some of the cameras have voice recording on and off. Recording camera surveillance data on 25 May 202020, the are processed in cars by a camera and sound recording camera surveillance system through. 4 The registrar has defined the report it submitted on 12 December 201 in the appendix in the privacy statement of the security camera for the purposes of the processing of personal data in the context of the transfer protection of the property of motorists and drivers, the control of operational processes prevention of crime and the prevention of settlement of accidents and damage to cars in the dealership between them and in their vicinity. In its release of 13 November 2015, the registrar has announced a vote and image, and some are afraid of image, for the purpose of security cameras. guaranteeing security. 5 The purposes of the processing have been mentioned by the controller in his subsequent reply 6.3.2020 Ensuring the safety of the taxi driver and the passenger, as well as the situations and security threats, as well as the controller compliance with legal obligations when handing over video recordings to the police. 3. Transparency of processing 3.1. Transparency of processing in the context of security camera surveillance According to the report provided by the controller, the processing of personal data visibility in the context of security camera surveillance is firstly ensured by security camera. The notice is placed in on the outside and inside of the car and, in the controller's view, on the notices the data subject is informed of the existence of the security camera even before and, where appropriate, from the inside. Aircraft, both exterior and interior, supplied by cars by the controller The notifications mainly contain information on the formation of the price of a taxi ride. Toa. At the bottom left of the message there is a black message text regarding the safety cameras: “Car security camera. Registrar Taxi Hel- zinc Oy. There is a surveillance camera in the car. The controller is Taxi Helsinki Ltd." In addition to the notices in taxi cars, the controller’s website provides the general data protection statement of the controller and the data protection loste regarding recording camera surveillance. For recording camera surveillance in the privacy statement of the recording camera surveillance • The data transmission system of the controller for the processing of personal data camera surveillance system for recording the image and sound of cars through the system • Registered groups • Purposes of processing • Legal basis of the proceedings • The legitimate interests of the controller when the processing is based on a general Article 6 (1) (f) of the Regulation • Personal data to be processed • Information on safety camera surveillance notices placed in cars • Information on the operators employed by the controller who receive process such personal data • Information about the recipients of personal data. In other respects, the Security Camera Surveillance Privacy Statement refers to the controller general privacy statement. The general data protection statement shall inform the processing of data in so far as such data do not survive security camera surveillance detailed data protection statement. Such a general privacy regulation Required by Articles 12 and 13 and set out in the controller’s general data protection statement information is • the identity and contact details of the controller • Contact details of the Data Protection Officer • Criteria for determining the retention period of personal data • the right of the data subject to request from the controller access to data relating to him personal data and the right to request the rectification or erasure of such data. restricting or opposing the processing and the right to transfer information from one system to another In addition, the controller 's general privacy statement sets out the information on personal data extradition outside the European Economic Area and the right to withdraw consent when the processing of personal data is based on Article 6 (1) of the General Data Protection Regulation paragraph (a). In addition to safety camera notices and privacy statements, the controller has provided information on the processing of personal data in the framework of camera surveillance on in two bulletins: Information on Taxi Helsinki Taxi Safety Cameras published on 13 November 2019 and the Voice Recording will be deleted from all Taxi Hel- in the bulletin on security cameras for taxis brokered by sinki Oy, which has been published 15.11.2019. In a press release published on 13 November 2019, the registrar has described security cameras the processing of personal data as follows: 1. Taxis Helsinki cars have a recording security camera. Some cameras record sound and image, part of a mere image. 2. Security cameras shall be automatic and continuous recording with a new file flies over the old. The recordings remain for a few days, depending on the camera I drive. 3. The security camera is in the car for safety and no recordings are made or go through non-special situations such as criminal suspicions. 4. Security camera data shall only be released at the request of the authorities. 5. Taxi In accordance with the GDPR, Helsinki has taken care that the customer's information is sheltered. 6. The privacy statements can be found on our website at www.taksihel- sinki.fi/taksi-helsinki-oy/tietosuojaselosteet/ In addition, the controller regrets that it has not indicated clearly enough in addition to the image in the security cameras, they record sound and tell you that the security camera is in the car only to ensure the safety of customers and drivers. In addition, the holder states in his bulletin that the installation of the cameras has taken into account the Protection Regulation and the 2001 decision of the Data Protection Board. In relation to the data protection statements maintained by the controller, the controller 13.11. published the bulletin specifies that security cameras are automatic and continuous, where the new file is saved on top of the old one and that the recordings remain I'll talk for a few days. The bulletin also adds to the privacy statement that security camera data shall only be released at the request of the authority and that the in accordance with the GDPR, the customer has ensured that the customer's data is protected. In a press release published on 15 November 2019, the registrar announces that the audio recording removed from taxis brokered by the controller. The bottom bar of the websites of the bulletins published by the controller contains a link to and further details of the controller’s general privacy policy. and the security camera surveillance privacy statement 3.2. Transparency of processing in the context of the loyalty program tomato decision-making In connection with its loyalty program, the controller shall carry out an automatic including profiling. According to the registrar's report, it informs in connection with the loyalty program automatic decision-making in its data protection statements and separate publications. by means of notifications. In separate notifications, the controller refers to the notification in the registrar's mobile application, as well as in the notices published on the website 6 regarding the launch of the loyalty program and its own loyalty program itself. The registrar has submitted his report as an appendix on 12 December 2019 on his website the general data protection statement described above and the marketing authorization and the customer register’s privacy statement, both of which apply to customer and processing of personal data of potential customers. The Privacy Statement, which clarifies the General Privacy Statement, concerns the processing of personal data. in particular the controller’s website, the controller’s application and the direct in the context of marketing. It does not specify in the context of the loyalty program personal data to be processed or its associated automatic decision-making. In the controller’s general data protection statement, the automatic decision-making marketing, product and customer analysis may involve profiling. and that the controller has a legitimate interest in using profiling, for example for marketing customer analyzes. This right is mentioned in the privacy statement opposes processing on the basis of a legitimate interest of the controller. The registrar is In its reply of 6 March 202020, it stated that it had not taken any steps to and the processing of personal data in connection with the customer analyzes mentioned in the description. In general on the other hand, this privacy statement does not specify the loyalty program legal basis and no information on the car to be carried out under the loyalty program. decision-making, including profiling. In a press release issued on 6 September 2018, the registrar states that it will publish a new loyalty program that allows taxi ride subscribers to have a loyalty program as a so-called VIP customer, the opportunity to get past the queue to order a car during urination. The registrar states in the press release that the loyalty program will be opened at the beginning only for users of the registrar's mobile application. About the content of the loyalty program it is said that that VIP clientele is achieved by running 10 mobile apps taxi journey booked within 60 days and that the benefits of VIP membership are valid only price per month. In addition, the loyalty program is announced to be launched on 10.9. with the application update. The registrar’s loyalty program website states that the loyalty program The program can be accessed using the registrar's mobile application or account on a regular basis. by downloading a taxi in the Helsinki metropolitan area from the registrar's taxi order number. So age registrar says there are two loyalty levels: VIP and SuperVIP. You can become a VIP customer by placing at least 10 phone orders in 60 days. VIP- Customer Phone Orders progress as the VIP customer calls the registrar order number, the system identifies the VIP customer, after which the customer the call is prioritized to the top of the queue. SuperVIP customership is achieved by making at least 10 application or phone subscriptions within 60 days. SuperVIP customer required registration in the registrar's mobile application. In order to accumulate SuperVIP loyalty points Phone orders must be placed under the same number. from the mero registered in the application. The description also states that In connection with a perVip customer relationship, you can check your own loyalty program from the “My personal information” section of the mobile application and that information about the SuperVIP client subscription appears in the car when you order from both app and phone orders. Mo- the description of the more frequent loyalty levels states that with loyalty calls or calls and taxi orders always go past the queue even during peak hours. In addition, the Loyalty Program website states that “Each taxi ride is 10 points and 100 points, you become a VIP or SuperVIP customer. That is, everyone the ride will take you not only to your destination, but also closer to VIP membership! Loyalty level the benefits are always available to you one month at a time. The system always checks the order what your level is and thus know how to configure your call or subscription correctly. Loyalty does not require anything from you and does not oblige you to do anything. You can only enjoy the priority it brings. ” Likewise, the loyalty program shows where its mobile app can be downloaded. The websites of the notices published on the controller’s website as described above There is a link in the bottom bar of the page to the Privacy Statement page, where you can still find the controller’s general privacy statement and the marketing and customer registration the privacy statement. The menu of the registrar's mobile application shows how many points are the user of the application needs to reach the VIP level. When navigating from the application menu from ‘Settings’ to ‘Terms of Use’, you can access the controller application. options. The Terms of Use contain some information related to the processing of personal data, but no information about the loyalty program or related processing of personal data. At the bottom of the Terms of Use page is a link to what is on the registrar's website general data protection statement. 7 Loyalty program or related personnel no information on data processing can be found in the menu of the mobile application 'Contacts and questions' or elsewhere in the application. 4. Actors involved in the processing of personal data and their roles The controller considers himself to be the controller with regard to the personal data he processes. The controller has defined the following actors as its processors of personal data In connection with the reply submitted on 12 December 2019: • Telia / Inmics • MTI • Zendesk • Nets • Benemen • Motorists • Drivers In its reply of 6.3.2020, the controller has defined the following: operators as processors of personal data: • Avenla Oy • Zendesk Inc. • Arena Interactive Oy • LINK Mobility Oy • Telia Inmics-Nebula Oy • MTI Ltd, Data processing agreement • Atea Finland Oy • Mediatoimisto Voitto Oy • Nets Finland Oy • Benemen Finland Oy • Koodiviidakko Oy • Mediamaisteri Oy The registrar has provided the information specified in his reply of 6.3.2020 agreements on the processing of personal data with processors of personal data. The registrar has stated in his report of 6.3.2020 that it works at least for orders with taxi drivers in connection with the receipt and execution of orders yhteisrekisterinpitäjänä. For this reason, the registrar has not provided taxi drivers agreements on the processing of personal data with The registrar submits that it will further clarify the arrangement between it and motorists, in particular their treatment operations where it and the motoring companies jointly determine the purposes and means of the processing of personal data. According to the data controller's report, order brokerage software must be placed in taxi cars The terminal is Android-based. In addition, the controller shall notify in the 'Contacts and Questions' section of its mobile application that its mobile application use the various software licenses that are • MIT licensed components: Adform tracking, SAMKeychain (iOS only) • Apache License 2.0 licensed components: KeyBoardVisibilityEvent (Android Only), Snackbar (Android only), Volley (Android only), Scytale (Android Only) • Facebook Licensed Components: Facebook SDK • Google Licensed or Google Premium Plan Components: Protobuf, Google Maps, Google Place. 5. Description of processing operations As an annex to the report submitted on 12 December 2019, the data controller has submitted in accordance with Article 30 of the General Data Protection Regulation. its obligation to draw up a report on the processing operations. In addition, in his reply of 6 March 2019, the controller stated that the data In accordance with Article 30 of the General Data Protection Regulation, the following information: • The purposes of the processing of personal data; • The categories of personal data to be processed and the groups of data subjects; • Groups of recipients of personal data; • Transfer of personal data to a third country and criteria for data transfer; • Where possible, those designed to delete personal information deadlines; and • Where possible, a general description of the technical and organizational aspects security measures. 6. Data protection impact assessment 6.1. Impact assessment on the processing of location data On 6 February 2020, the controller submitted a data protection impact assessment, concerning the processing of location data and drawn up in accordance with the according to the date appearing in the document, 4 December 2019. The impact assessment on the processing of location data includes the following main sections: description of personal data, contributing to the proportionality and necessity of the processing measures to promote the rights of the taxi customer and the motorist / driver (hereinafter measures to manage risks to the client’s rights and freedoms. describes the involvement of stakeholders, the measures planned to address the risks protection and security measures and mechanisms to ensure the protection of personal data protection. According to the response provided by the registrar on 6 March 2019, it has taken the MTI to use the brokerage software in June 2017. Previously delivered on 12.12.2019 according to the study, all taxi orders are logged in the MTI brokerage system. The system the order number of the order, the number of the car making the order, the driver id, the customer’s pick-up address, any destination address, and the departure and arrival moment to destination. The ride route is stored in the system as well as in the car speeds. In most cases, the customer's telephone number is also linked to the order. customers the name and e-mail address may also be stored (depending on the subscription channel). 6.2. Data protection impact assessment on security camera surveillance In its reply of 6 March 2020, the controller considered that it should not have drawn up a data protection impact assessment pursuant to Article 35 of the Data Protection Regulation the use of personal data in the context of security camera surveillance of taxi cars the General Data Protection Regulation, the Data Protection Act or the decision of the on the basis of that list. According to the report provided by the controller, it collects security camera surveillance video and audio recordings that are time- and location-specific. The security cameras in the registrar's report describe not only the interior of the taxi car but also taxi car environment. Iltasanomat, the registrar’s service manager, was given 13 November 2019 According to this video interview, newer security cameras record in addition to the image sound and describe the interior of the car in addition to the front of the car. 8 The controller has clarified that the number of its registrants is calculated in hundreds of that it handles around four million taxis a year and that its it covers a total of more than 2,000 cars with recordable security camera surveillance. Val- most of the taxis brokered by the controller operate mainly in the main tick in the area. According to the information on the controller’s website, the controller provides information taxi services for specific customer groups, such as seniors disabled taxi services. 6.3. Data protection impact assessment for automatic decision - making In its reply of 6 March 2020, the controller considered that it should not have drawn up a data protection impact assessment pursuant to Article 35 of the Data Protection Regulation automatic decision-making in the context of its loyalty program, including profiling, the processing of personal data a list decided by its Data Protection Regulation, the Data Protection Act or the Data Protection Officer by. According to the registrar’s report, the car operated by its loyalty program decision-making is limited to identifying phone or application subscriptions. Provided the registrant has ordered a taxi ride by phone or using the ordering application 10 times Within 60 days, the customer will be automatically classified as a VIP customer, when placing a new order, passes a possible queue. The controller considers that its automatic decision-making in the context of the loyalty program purchase, including profiling, has no legal effect or other significant effect. to the data subject. Based on the data controller's report, the personal data it processes are automatic decision-making, including profiling, is based on telephone numbers, information on orders placed with the taxi application and whether the registered VIP level. Legal issues 1. Does the controller process personal data collected in connection with security camera surveillance with the general public? in accordance with Article 6 (1) (f) of the Data Protection Regulation 2. Is the processing of both audio and video data in the context of security camera surveillance by the controller the principle of minimization in accordance with Article 5 (1) (c) of the General Data Protection Regulation according to the 3. Does the information provided by the controller to data subjects reflect the general data protection Regulation 12? the information required by Article 1 (1) in such a way that such information can be easily understood; and at hand 3.1. Regarding security camera surveillance by the controller in taxi cars 3.2. Regarding the automation of the controller in the context of the loyalty program decision-making, including profiling 4. Has the controller identified the actors involved in the processing of its personal data in the in accordance with Article 4 (7) to (8), Article 26 and Article 28 of the 5. Does the description of the processing operations provided by the controller comply with Article 30 of the General Data Protection Regulation? requirements of this Article 6. Data protection impact assessment 6.1. Does the location data processing data provided by the controller correspond to requirements of Article 35 of the General Data Protection Regulation 6.2. Is the controller obliged to draw up a security camera surveillance of taxi cars? Article 35 of the General Data Protection Regulation on the processing of personal data data protection impact assessment in accordance with 6.3. Is the controller obliged to draw up a program in connection with the loyalty program? automatic decision-making, including profiling, public information data protection impact assessment under Article 35 of the Data Protection Regulation The matter is pending before the Sanctions Chamber of the EDPS 7. If the activities of the controller are considered to be as described in the above paragraphs the matter is contrary to or incomplete in the General Data Protection Regulation whether the General Data Protection Regulation should be laid down in Article 58 of the General Data Protection Regulation administrative penalty fee in accordance with Article 2 (2) (i) and Article 83 and its amount. Decision of the Assistant Supervisor 1. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, Article 6 (1) (f) of the General Data Protection Regulation. the balancing test required by the first subparagraph and provide a report on the measures taken to the Office of the Data Protection Officer within one month of the adoption of this Decision. 2. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, the controller to ensure that the processing of audio data in taxi security cameras in the event of supervision without objective justification shall be terminated immediately. The controller shall report on the measures taken to the Office of the Data Protection Officer within one month within one month of the adoption of this Decision. 3. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, the controller to change the security camera surveillance and the loyalty program automatic decision-making, including profiling, information processing practices in such a way that the information it provides to data subjects all the information required by Article 12 (1) of the General Data Protection Regulation in an easily accessible and comprehensible form, and to provide a report on the action taken. the Office of the Data Protection Officer within one month of the adoption of this Decision. the two. 4. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, the controller to comprehensively define the operators to the controller as a processor of personal data. In addition, the controller must determine to what extent it acts as joint registrar in accordance with Article 26 of the General Data Protection Regulation for taxi and entrepreneurs. The controller shall submit to the Office of the Data Protection Officer for information within one month of the adoption of this Decision 4.1. An explanation of how the controller has defined the software of the Taxi Helsinki mobile application the role of licensing providers vis-à-vis the controller in relation to the processing of personal data and on what basis. 4.2. Arrangements for joint registration with taxi drivers, and 4.3. An explanation of any other measures taken in relation to the processing of personal data actors and their roles from the point of view of the processing of personal data. 5. The Assistant Data Protection Supervisor shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, the controller to bring the processing of personal data into line with the general requirements of Article 30 of the Protection Regulation and to provide a report on the measures taken to the Office of the Data Protection Officer within one month of the adoption of this Decision. 6. Data protection impact assessments 6.1. In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the Assistant that the controller must draw up a personal data processing plan. processing of personal data pursuant to Article 35 of the General Data Protection Regulation spring impact assessment. 6.2. In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the Assistant that the controller must draw up a security camera general data protection regulation on the processing of personal data in connection with Data protection impact assessment under Article 35. 6.3. In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the Assistant that the controller must prepare the content of its loyalty program automatic decision-making, including profiling. processing of personal data pursuant to Article 35 of the General Data Protection Regulation the impact assessment. In this context, the Assistant EDPS draws attention to the general provisions of the the obligation to consult the supervisory authority in accordance with Article 36 thereof, if based on the impact assessment, there is a need for this. Grounds for the decision of the Assistant Data Protection Supervisor 1. Legitimate under Article 6 (1) (f) of the General Data Protection Regulation advantage as a basis for addressing security camera surveillance and the lack of test Article 6 of the General Data Protection Regulation lists the situations in which the processing of personal data may take place can be considered legal. According to paragraph 1 (f) of that Article, one of these situations responses have it, when the treatment is necessary for the operator or a third party authorized to interests, except where the interests of the data subject or rights and freedoms override such benefits, especially if the data subject is a child (later legitimate interest). According to recital 47 of the General Data Protection Regulation, such a legitimate interest may exist exist, for example, where there is a relevant and relevant relationship between the data subject and the controller. such that the data subject is a customer of or employed by the controller. According to the same paragraph, the existence of a legitimate interest must in any event be basis; must assess, inter alia, whether the data subject can reasonably expect the collection of personal data at the time and in the context that personal data may be processed for that purpose. eTEN the interests and fundamental rights of the data subject could override the interests of the controller if the processed in circumstances where the data subject cannot reasonably expect further processing. According to Article 5 (1) (a) of the General Data Protection Regulation, personal data must be lawfully, properly and transparently for the data subject. Article 2 of the same article paragraph 1, the controller shall be responsible for it and shall be able to demonstrate that paragraph 1 has been complied with (the so-called obligation to demonstrate). The application of a legitimate ground of priority under the General Data Protection Regulation requires on the one hand the legitimate interests of the data controller or third-party evaluation of the existence and on the other hand, an assessment of whether the legitimate interest of the controller overrides the interests of the data subject or rights or freedoms. The existence of a legitimate interest of the controller may be demonstrated by this with the so-called balance test. The Office of the Data Protection Supervisor has included in its guidelines published on 24 May 2018 the use of its legitimate interest as a legal basis. In particular, the performance of the balancing test the Office of the Security Officer instructs that the test must be prepared in accordance with the obligation to demonstrate a written description enabling the controller to demonstrate, where appropriate, that the activity is of a general nature in accordance with the Data Protection Regulation. In its instructions, the EDPS shall specify the balance six steps for performing the test with explanations. The guidelines call for the test to be repeated. and update the description if the purpose, nature or purpose of the processing of personal data the context changes. The statement received from the controller indicates that it has not prepared or documented a legitimate interest in accordance with Article 6 (1) (f) of the Data Protection Regulation. the balancing test required for the application of the Therefore, the EDPS considers that the controller has not been able to demonstrate in accordance with Article 5 (2) of the General Data Protection Regulation, that the processing of in the context of camera surveillance complies with Article 5 (1) (a) of the General Data Protection Regulation. and Article 6 (1) (f). The EDPS draws attention to the fact that the opinion of the Data Protection Board of 25 February 2002 This Decision concerns the processing of audio data in the context of security camera surveillance. Now under evaluation the processing of personal data and the technology used in connection therewith have changed significantly, so that the controller cannot rely on the decision of the panel and the assessments made in the context of the impact of the the interests, rights or freedoms of data subjects, as such. Nor can the data controller’s claim that the general data protection regulation application of Article 6 (1) (f) of this Regulation, including those relating to the balancing test requirements, the legal situation would be so unclear that compliance could not be required by the from suppliers. The EDPS draws attention to the fact that the information contained in the balancing test and the obligation to document in accordance with the obligation to demonstrate is defined in the protection regulation and that the general data protection regulation does not require a balancing test in a particular in terms of. The EDPS also draws attention to the controller's argument that the website of the Office of the Data Protection Officer contains a comprehensive and practical how the balance test can be performed. 2. The processing of audio and video data in the context of security camera surveillance in the light of the principle of minimization set out in Article 5 (1) (c) of the Regulation According to Article 5 (1) (c) of the General Data Protection Regulation, personal data must be: appropriate and relevant and limited to what is necessary in for which they are processed (the so-called data minimization principle). According to recital 39 of the General Data Protection Regulation, ‘… personal data should be and relevant and limited to what is necessary for the purposes for which they are processed. of view. This requires, in particular, that the retention period for personal data be as short as possible. Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. " The report received from the controller and any other report obtained by the EDPS’s office is ests. The Office of the EDPS has not been provided with unambiguous information on whether the the controller intended to process both audio and video data in the context of security camera conjunction. On the basis of the report provided by the controller and the publicly available information, it is that the controller has been aware that the audio data will be processed in some of its transmission taxi vehicles covered by this Regulation and that it has considered such treatment to be appropriate at least until 15 November 2019, as soon as cameras with voice recording function are installed. said housing. The controller may be deemed to have taken steps to terminate the processing December 20, 2019, when it called the cars covered by its brokerage service for voice recording operations to deactivate. Although the controller has reformulated the purposes of the processing as the case progressed, safety and the investigation of criminal offenses and damage can be considered as the basis for the common elements for the purposes of security camera surveillance when such processing based on a legitimate interest. Until the controller has taken steps to to eliminate flight and when voice recording has still been used in some cars, processing purposes, the report provided by the controller and publicly available must be considered including monitoring of operational processes on the basis of privacy statements. In its report, the controller has not provided any justification as to why it has processed the in addition to the data, audio data in some of their cars. On the other hand, the controller has argued at a later stage that the processing of audio data was an error. As above it has emerged that this is inconsistent with other clarification received in the case. Since, on the basis of the controller’s report, it processes image data in all its cars, the processing of image data shall be deemed to be its normal processing and the processing of van beyond this. The security camera surveillance practice indicated by the controller, in which only part of its In addition to image data, voice data and data from the controller are also recorded. On the basis of this report, it can be concluded that the processing of audio data has not been necessary for the purposes defined by it and that it has been able to achieve the security camera the purposes of the processing of personal data which it has defined for the purposes of by. Accordingly, the EDPS considers that the processing of the controller's voice data is secure. In addition to image data in the context of camera surveillance, there has been no accordance with the principle of data minimization in paragraph 1 (c) and has not been able to demonstrate compliance with the same section of the General Data Protection Regulation in accordance with Article 5 (2) of that Regulation. 3. Transparency of processing as required by Article 12 (1) of the General Data Protection Regulation in this way Article 12 of the General Data Protection Regulation requires the controller to take appropriate action measures to provide the data subject with the information in accordance with Articles 13 and 14 and Articles 15 to 22 and All processing information in accordance with Article 34 in a concise, transparent, easily accessible manner in a comprehensible and accessible form in clear and simple language, in particular where the information is intended specifically for a child. The information must be provided in writing or otherwise and, where appropriate, in electronic form. According to Article 13 of the General Data Protection Regulation, when collecting personal data personal data must be provided by the controller to the data subject when personal data are received all of the following information: (a) the identity and contact details of the controller and, where applicable, of any such representative; information; (b) where applicable, the contact details of the Data Protection Officer; (c) the purposes for which the personal data are processed and the legal basis for the processing; d) the legitimate interests of the data controller or a third party, if the processing is based on Article 6 Paragraph 1 (f); (e) the recipients or categories of recipients of the personal data; (f) where applicable, the fact that the controller intends to transfer personal data to a third party country or international organization, and information on the adequacy of the data protection to the Commission the existence or absence of a decision, or in the case of Articles 46 or 47, or Referred to in the second subparagraph of Article 49 (1), information on appropriate or and how to obtain a copy of them or where they are placed. making available. In addition to the information referred to in paragraph 1, the controller shall, when personal data provide the data subject with the following additional information necessary for the proper and to ensure fast handling: (a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period; (b) the right of the data subject to request from the controller access to personal data concerning him or her; the right to request the rectification or erasure or processing of such data restriction or opposition to processing and the right to transfer data from one system to another; (c) the right to withdraw consent at any time without prejudice to the grounds for the lawfulness of the processing carried out before its cancellation, if the processing based on Article 6 (1) (a) or Article 9 (2) (a); (d) the right to lodge a complaint with the supervisory authority; (e) whether the provision of personal data is a legal or contractual requirement or the requirement for the conclusion of the contract and whether the data subject is obliged to supply personal data and the possible consequences of not providing such data; (f) automatic decision-making, including the procedure referred to in Article 22 (1) and (4); the existence of filing, as well as, at least in these cases, the relevant data for processing as well as the significance and possible consequences of that processing. to the data subject. 3.1. Registrar 's information policy regarding security camera surveillance The information required by Article 13 (2) (de) of the General Data Protection Regulation is missing from the controller’s privacy statements in its entirety, and the controller has not demonstrated that dot would be available to registrants elsewhere. When informing the controller of the processing of voice data, the security camera surveillance there is a mismatch between the various channels of communication. First, in taxis the security camera surveillance notification does not specifically describe or mention the flying. The notices on the taxis also do not refer to the security camera of the controller. privacy statement or elsewhere from which passengers would have been informed processing of audio data. Information on the processing of audio data has been found only for security camera surveillance on 13 November 2019 and 15 November 2019 on the website of the controller. following the publication of these bulletins. The controller has been deemed to have processed or processed audio data as described above. Consequently, the controller has not informed the data subjects of its processing of personal data. Article 12 (1) of the General Data Protection Regulation and has not informed the data subjects about the processing of audio data security camera surveillance in such a way that this would have been the case under Article 5 of the General Data Protection Regulation as required by Article 12 (1) (a) and Article 12 (1) understandable and accessible and has not been able to demonstrate compliance with the accordance with Article 5 (2) of the General Data Protection Regulation. 3.2. The controller’s information policy regarding transactions made in connection with the loyalty program automatic decision-making, including profiling Contrary to Article 12 (1) of the General Data Protection Regulation, the controller's privacy statements are missing information pursuant to Article 22 of the General Data Protection Regulation. the right not to be subject to automatic individual decisions, including profiling, in. The controller has not shown that this information can be found elsewhere. The controller 's privacy statement shall not contain information in accordance with Article 13 (1) (c) the legal basis on which its automatic loyalty program decision-making, including profiling. The loyalty program cannot be the marketing, product and product information referred to in the data protection statement of the analyzes which it claims to carry out on the basis of a legitimate interest, even if that processing may involve automatic decision making, including profiling, as it does not has not yet undertaken that treatment. The controller has not demonstrated that information on the grounds for processing could be found elsewhere. The legal basis for automatic decision-making in the context of the loyalty program when it is unclear, the data subjects' rights are also not communicated in a transparent manner. In particular, Article 21 (1) of the General Data Protection Regulation the meaning of the processing in the legitimate interest of the controller remains unclear. The registrar’s automatic decision-making process in the context of the loyalty program including profiling, the data protection statements lack the general data protection regulations information pursuant to Article 13 (2) (f) thereof, the existence of the profiling referred to in Article 22 (1) and (4) relevant information on the processing logic as well as significance and possible consequences for the data subject. The registrar’s loyalty program website describes how to determine VIP membership. its grounds. The Loyalty Program website lacks unambiguous information about the autoresponder the existence of a decision and the processing of personal data concerning it. This information is in particular to enable data subjects to exercise their data protection rights during processing. The privacy statements on the registrar's website are not linked to the loyalty program website or vice versa in such a way that the data subject receives it in an easy and comprehensible form an overview of the processing of personal data by the controller in the framework of loyalty in the context of its program. The EDPS considers that the information policy of the controller does not automatic decision-making under the program is the responsibility of the General Data Protection conditions laid down in Article 12 (1) of the Regulation. The controller has not demonstrated information elsewhere. Consequently, it has also not been able to demonstrate compliance with Article 12 of the Data Protection Regulation and Article 5 (2) of the General Data Protection Regulation in accordance with. 4. Actors involved in the processing of personal data According to Article 4 (7) of the General Data Protection Regulation, “controller” means the a list of any person or entity, authority, agency or other body, alone or jointly defines with others the purposes and means of the processing of personal data; if such processing purposes and means are defined in Union or Member State law, the controller or specific criteria for his appointment may be laid down in Union law or in the Member States. in accordance with national law. For the purposes of paragraph 8 of the same Article, natural or legal person, authority, agency or any other body which processes personal data on behalf of the controller. According to Article 26 of the General Data Protection Regulation 1. If at least two controllers jointly determine the purposes and means of processing, they shall: are joint registrars. They define each other in a transparent manner each area of responsibility in order to comply with the obligations laid down in this Regulation, the exercise of registered rights and the provision of information in accordance with Articles 13 and 14 unless and to the extent applicable to data controllers Union law or the law of a Member State defines the responsibilities of controllers areas. In connection with the arrangement, a contact point may be designated for data subjects. 2. The arrangement referred to in paragraph 1 shall duly reflect the common registers the real roles and relationships of keepers vis-à-vis data subjects. Key elements of the arrangement must be available to the data subject. 3. Notwithstanding the terms of the arrangement referred to in paragraph 1, the data subject may their rights under this Regulation in relation to each controller and each controller. will be opposed. Pursuant to Article 28 (3) of the General Data Protection Regulation, the processing of personal data processing shall be determined by agreement or other provision of Union law or of the law of a Member State. a legal instrument in accordance with national law which binds the controller in relation to the the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the controller. Here agreement or other legal instrument shall provide in particular that the personal data processor (g) process personal data only in accordance with the documented instructions issued by the controller transfer of personal data to a third country or unless the law of the Union applicable to the controller or the law of a Member State requires otherwise, in which case the personal data The controller shall inform the controller of this legal requirement before unless such information is prohibited by that law in the public interest. for important reasons; (h) ensure that persons entitled to process personal data have undertaken to comply with to be bound by an obligation of professional secrecy or are subject to appropriate legal the maintenance obligation; (i) take all measures required by Article 32; (j) comply with the conditions for the use of another processor referred to in paragraphs 2 and 4; tyksiä; (k) taking into account the nature of the processing operation, assist the controller in and organizational measures, as far as possible, to obligation on the operator to respond to requests for registration as provided for in Chapter III. exercise of the rights of the data subject; (l) assist the controller in ensuring that the obligations laid down in Articles 32 to 36 are complied with shall be complied with, taking into account the nature of the processing and the availability of personal data to the controller available information; (m) remove or restore processing services at the discretion of the controller upon completion of the provision, all personal data shall be transferred to the controller and deleted copies, unless required by Union law or the law of a Member State retain personal information; (n) make available to the controller all information necessary for the purposes of this Article. to demonstrate compliance with those obligations, and shall allow the controller or audits carried out by another auditor authorized by the controller, such as inspections, as well as participating in them. The EDPS considers that the controller has defined his role in the general in accordance with Article 4 (7) of the Data Protection Regulation. In addition, processors of personal data at least those operators with whom the controller has drawn up a personal data sittelysopimuksen. For software license providers of the registrar's mobile application, the registrar does not has not identified any operator as a processor of personal data and has not provided a clear the role of these actors in the processing of the controller’s personal data; or measures taken with them with regard to the processing of personal data. From public sources at least AdIT tracking and Facebook licensed by MIT SDK services basically include the processing of personal data. According to public sources, whereas the inclusion of these services in the application also requires some form of relationship; such as the conclusion of a contract or the acceptance of terms of use, the subscriber and its between. In its reply of 6 March 2020, the registrar has submitted the report submitted on 12 December 2019. by way of derogation, that the taxi driver undertakings covered by the controller do not would be processors of personal data but that they would act as independent controllers on the one hand and on the other hand, as joint controllers with the controller referred to in this case. registration According to the controller, the joint registrar would be concerned, for example, with taxi bookings. upon receipt and execution of orders. The controller has not the Office of the European Data Protection Supervisor in accordance with Article 26 of the General Data Protection Regulation. of these, an arrangement between it and the motorist companies or other clarification of the joint registrar to demonstrate. According to the registrar's reply of 6.3.2020, it will come in the future to clarify the arrangements between it and motorists, in particular as regards their handling operations, where it and the motorists jointly determine the purposes for which the personal data will be processed; and means. In his report, the controller has stated that the personal data processed by him are not outside the European Economic Area without an appropriate transfer basis. Help- In this context, the EDPS has not questions are limited to the field covered by this Decision. else- where. For the reasons described above, the EDPS considers that the controller is not in a position to have shown that it has defined the personal data which it processes as controller comprehensive processing of personal data involved in the processing. Similarly, the Deputy Data Protection Officer considers that the controller has not been able to demonstrate that: it would have defined the common register as required by Article 26 of the General Data Protection Regulation. the purposes and means of processing with the motorists they consider to be when they act as the joint registrar, as indicated by the controller. Registrar nor has it shown that it drafted the same article mutual agreement on the joint registrar with the joint registrar. Consequently, the controller has not been able to demonstrate the points of the Regulation described above in accordance with Article 5 (2) of the General Data Protection Regulation. 5. Description of processing operations According to Article 30 of the General Data Protection Regulation, each controller and, where the registrar's representative shall keep a record of the processing operations for which he is responsible. It- the statement must include all of the following information: (a) the identity of the controller and any joint controller, the representative of the controller and the the name and contact details of the security officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed; including recipients in third countries or international organizations. JAT; (e) where applicable, information on the transfer of personal data to a third country or internationally organization, including information on which third country or international organization is appropriate safeguards in the case of Article 49 The transfer referred to in the second subparagraph of paragraph 1; (f) as far as possible, the planned deadlines for deleting the different categories of data; (g) as far as possible, a general description of the technical specifications referred to in Article 32 (1) and organizational security measures. That statement shall be in writing, including in electronic form. The register the keeper shall make the report available to the supervisory authority upon request. The obligation to maintain this description of processing operations does not apply to a company or organization with less than 250 employees, unless its processing is likely to jeopardize the data subject 's rights; and freedoms, the processing is not incidental or subject to the conditions referred to in Article 9 (1). specific categories of data or the convictions or infringements referred to in Article 10. personal data. According to recital 82 of the General Data Protection Regulation, the controller or the The controller should keep a register of the processing operations for which he is responsible. demonstrate that they comply with this Regulation. Registrars and personal information processors should be required to cooperate with the processing records on request in order to allow processing operations monitor on their basis. As described above, the controller has provided a general privacy statement, recordable a detailed privacy statement on security camera surveillance as well as a marketing detailed privacy statement. The data protection statements of the controller may be considered to cover the following information in accordance with Article 30 (1) (bd), (f) and (g) of the Safeguard Regulation. The same The information in points (a) and (e) of this Regulation is only partially clear. Information pursuant to Article 30 (1) (a) of the General Data Protection Regulation shall be the name and contact details of the controller and the contact details of the data protection officer. Representative of the controller the name of the controller and the data protection officer are missing. Also, no information can be found in the privacy statements in the reply provided by the controller on 6 March 2019. organ- isation. In accordance with Article 30 (1) (e) of the General Data Protection Regulation, the controller is included in the privacy statements information on transfers of personal data to third countries and applicable transfer criteria. The registrar's privacy statements, on the other hand, lack information the countries to which the personal data are transferred. The Assistant EDPS considers that the privacy statements provided by the controller are not meets the requirements of the General Data Protection Regulation as described above. the controller has thus not demonstrated that it has complied with Article 30 of the General Data Protection Regulation. obligations under this Article and has not been able to demonstrate compliance with in accordance with Article 5 (2) of the General Data Protection Regulation. The EDPS also considers, firstly, that the General Data Protection Regulation does not require that a report on the processing operations be drawn up in a specific form other than that in writing, including in electronic form. The report processing operations can therefore in any document format. The table published by the EDPS Office The advantages of this format can be seen in the clear structure and concise presentation, but it is however, only one example of report processing operations to prepare. Secondly, the general nor does the protection regulation require the document to be designated as a description of processing operations. Most importantly, however, the content of the document complies with Article 30 of the General Data Protection Regulation. conditions. However, it may be justified from the point of view of the registrar's document management designate documents according to which section of the General Data Protection Regulation the medication document is intended to show. Third, attention must be paid to the general The record of processing operations in accordance with Article 30 of the Data Protection Regulation is under Article 5 (2) of the General Data Protection Regulation. to the Authority on the one hand and the Authority on the other the primary evaluation document and the tool for obtaining an overall picture of the controller’s processing of personal data. 6. Data protection impact assessment According to Article 35 (1) of the General Data Protection Regulation, if a certain type of processing new technology is likely to cause - the nature, extent, the rights and freedoms of the natural person. high risk, the controller shall carry out an assessment of the planned the effects of processing operations on the protection of personal data. One estimate can be used in a similar similar high-risk treatment operations. A data protection impact assessment is required by Article 35 (3) of the General Data Protection Regulation in particular, inter alia, where the processing involves the death of natural persons systematic and comprehensive assessment of individual characteristics based on automatic processing, such as profiling, and leads to decisions legal effects or which have a similarly significant effect on a natural person. manner; and when the processing of personal data is a systematic area open to the public control. The data protection impact assessment is covered by the General Data Protection Regulation 35 accordance with Article 7 (7) (a) a systematic description of the treatment operations envisaged and the purposes of the treatment, including, where appropriate, the legitimate interests of the controller; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and (d) the measures planned to address the risks, including protection and security measures; mechanisms and mechanisms to ensure the protection of personal data and to demonstrate that taking into account the rights of data subjects and other interested parties, and legitimate interests. Pursuant to Article 99 (2) of the General Data Protection Regulation, the General Data Protection Regulation is to be initiated to apply on 25 May 2018. According to recital 84 of the General Data Protection Regulation, compliance with this Regulation in cases where processing operations are likely to involve natural persons. the high risk to the rights and freedoms of individuals, the controller should be responsible for impact assessment, in particular on the origin, to assess the specific nature and severity of the disease. The outcome of the evaluation should be taken into account determining the appropriate steps to be taken to demonstrate that the personal processing of personal data complies with the provisions of this Regulation. If the data protection assessment shows that there is a high risk of the operator cannot take appropriate measures to reduce the cost of available technology and the supervisory authority should be consulted prior to the processing. In its Guidance on Impact Assessments 9, the Data Protection Working Party has provided examples of where an impact assessment should be carried out. According to the guidelines, the data protection assessment must normally be carried out in accordance with Article 35 (3) of the General Data Protection Regulation in addition to processing operations, if the processing of personal data fulfills two of the following conditions criteria. The more of these criteria are met, the more likely it is that personal data will be high risk to the rights and freedoms of data subjects: • Evaluation and scoring of personal data (including profiling and forecasting) • Automatic decision-making with legal effects • Systematic monitoring of data subjects • Data belonging to specific categories of personal data or otherwise very personal processing • Large-scale data processing • Merging data sets • Processing of vulnerable personal data • Application of new technical or organizational solutions or innovative use 6.1. The general information contained in the location data impact assessment prepared by the controller compliance with Article 35 (1) and (7) of the Protection Regulation The registrar processes location information in connection with its MTI taxi brokerage software. It is the MTI system before the application of the General Data Protection Regulation. Location- an impact assessment on data processing was prepared on 4 December 2019. The impact assessment is thus drawn up when the matter under consideration has already been pending and the processing of personal data has taken place during the period of application of the General Data Protection Regulation for about one and a half years. 9 Guidance from the Data Protection Working Party on data protection impact assessments and ways to find out ‘high risk’ within the meaning of Regulation (EU) 2016/679 of 4 April 2017, revised and approved on 4 October 2017, p. 10 ff The controller has not identified this in its impact assessment on the processing of location data in accordance with Article 35 (7) (a) of the General Data Protection Regulation. the basis on which it processes personal data. A legitimate interest refers to a one of the specific interests pursued by the controller by means of data processing. Instead, the controller has recorded in the impact assessment the purpose of the processing and the need for the processing of personal data. For example, with regard to the process, it should be noted that customer relationship management, or the existence of a process, is not a legitimate interest of the controller. By contrast, the controller is not covered by Article 35 (7) (b) of the General Data Protection Regulation. assessed the proportionality of its processing operations as required by that processing purposes. Assessing the proportionality of the processing operations requires the Data Protection Team According to the Guidelines on Data Protection Impact Assessment 10, on the one hand, the on the one hand, and the characteristics of the personal data processed on the other, in particular in accordance with Article 5 (1) (c) and (e) of its Data Protection Regulation. In particular, the personal data processed are missing from the impact assessment provided by the controller assessment and justification of the general data protection regulation’s principle of minimization and in accordance with the principle of subsidiarity. According to Article 35 (7) (c) of the General Data Protection Regulation shall include an assessment of the rights and freedoms of data subjects referred to in paragraph 1. vista risks. According to the instructions of the Data Protection Group, risk means a scenario in which: describe the event and its consequences and assess their severity and probability. 11 In a data protection context, risk can thus be described as a real-life event that typically has negative effects on the exercise of the data subject's rights and freedoms. These events and their consequences have varying degrees of severity and probability. The registrar does not has not included in its assessment such scenarios or real-life events that would constitute risk to the data subject’s rights, even though the controller has the origin, nature, severity, risk management, threats and measures taken. Thus, they have not in fact been explicitly defined by the controller. risks to the controller’s rights and freedoms in accordance with Article 35 (7) (c) of the General Data Protection Regulation. In its assessment, the controller has identified measures that could measures pursuant to Article 35 (7) (d) of the General Data Protection Regulation. you to address the risks. However, these recorded measures cannot be taken into account assessing whether the controller’s impact assessment on the processing of location data substantive requirements of the General Data Protection Regulation, as there is no controller the risks associated with the processing of personal data have been properly identified as described above. In the absence of a definition of risks, there are also no related management and other measures possible to define in accordance with the General Data Protection Regulation. For the reasons set out above, the Assistant EDPS considers that it is not provided by the controller in the Impact Assessment on Data Protection on the Processing of Location Data shortcomings and has not been drafted in a timely manner in accordance with Article 35 (1) of the General Data Protection Regulation. in accordance with Similarly, the impact assessment does not comply with Article 35 of the General Data Protection Regulation. the conditions set out in paragraph 7 of this Article. 10 Data Protection Panel Impact Assessment Guide, Annex 2, p. 26 11 Data Protection Team Impact Assessment Guide, p. 7 6.2. Preparation of a data protection impact assessment on security camera surveillance in taxis cars under Article 35 (1) of the General Data Protection Regulation Elsewhere in his report, the controller has indicated that it deals with security camera surveillance. at least in the part covered by its transmission in taxi cars, in addition to image data, audio data for monitoring purposes. That personal information the purpose has been, as indicated by the controller, mainly to drivers and passengers safety and working conditions for drivers. For the purpose of that processing, the registrar has also identified damage situations and safety endangerment situations settlement. In addition, the controller has defined the purpose of the processing as control of their activities. The processing of personal data in the context of security camera surveillance is objective as a whole is about control. Collection of security cameras installed in taxi cars information can be used to verify a variety of security, personal and property damage and criminal incidents, as well as in taxi cars and their vicinity. events and practices more generally. Security by the controller camera surveillance must be considered systematic, as it has been introduced in all Taxi in taxi cars covered by the ham and carried out in a uniform manner in the continuous recording with security cameras. According to the Data Protection Working Party, sensitive or highly personal information does not 12 limited to specific categories of personal data under Article 9 of the General Data Protection Regulation. information on convictions or infringements referred to in Article 10. sensitivity of information of a very personal nature also covers others in a general sense sensitive personal data as they relate to household and private activities, or because they affect the exercise of a fundamental right or because their infringement involves clearly on the daily life of the registered person. It must be considered probable that, in the context of security camera surveillance, very personal information. For example, a telephone conversation during a taxi ride or traveling in a particular company may transmit information on data subjects which could cause harm to the data subject in their normal life. In addition considered likely that the majority of data subjects were not aware that in the car in which they have traveled may have been collected in connection with security camera surveillance. audio data and therefore may not have been able to take this into account. in taxi cars in their behavior. On the basis of the controller’s report, the the processing of personal data as a whole must be considered large-scale. This is especially supported by the amount of personal data processed, the large number of data subjects affected, the the number of taxis covered and the number of taxi rides provided per year. large-scale In addition, security cameras must store personal data not only of the passenger who booked the taxi ride, but also of the passengers traveling with him. in which case it is likely that security camera surveillance will in fact be subject to multiple times the number of natural persons compared to the registrars who placed the order. röityihin. In addition, it should be noted that personal data processed by security camera surveillance are not limited to video and audio recordings of natural persons who are already collect a wealth of different types of personal information about natural persons traveling in taxi cars 12 Guidance on the Impact Assessment of the Data Protection Team, p. 11 persons. In addition, according to a report provided by the controller, security camera surveillance The image and sound recordings collected in this connection are time- and place-dependent, which can be considered to further increase the amount of personal data processed, but also to emphasize the possible effects of the processing of personal data on data subjects. The duration and permanence of personal the report provided by the controller shows that the is part of its normal activities and the processing of personal data. The registrar is has taken steps to ensure that security camera audio recording is turned off off in December 2019. The geographical scope of the registrar's business is focused on the information available on its website for the Helsinki metropolitan area, but There are also taxi cars available elsewhere in Finland. The registrar is Finland’s largest taxi ride brokerage company. In addition, the data protection risk assessment of security camera surveillance shall take into account at least: processing of data on vulnerable data subjects. In a weaker there is an imbalance between the power relations between the data subjects and the controller; which may manifest itself, for example, as difficulties for vulnerable data subjects, or inability to exercise their data protection rights. Taxi ride services are provided in principle for all categories of persons and security camera surveillance is therefore children and the elderly, for example. Particularly disadvantaged the group of registered persons consists of taxi drivers who are employed in the with the motorist partners of the registrar. For the reasons set out above and in the light of the four Data Protection Working Groups, the that the security camera surveillance carried out by the controller Article 35 (1) of the General Data Protection Regulation rights and freedoms of the individual and should have been the subject of an information data protection impact assessment before initiating the procedure under assessment. and the controller has not been able to demonstrate compliance with that paragraph of in accordance with Article 5 (2) of the General Data Protection Regulation. Similarly, since the obligation to carry out an impact assessment can already be demonstrated by the As regards Article 35 of the basic Regulation, it is not necessary to examine whether the same processing operation should have been protection impact assessment on other grounds. The EDPS draws attention to the fact that automatic decision-making, including profiling, it is not appropriate to comply with Article 22 of the General Data Protection Regulation. appropriate before carrying out an impact assessment. 6.3. The data protection impact assessment for the controller loyalty program automatic decision-making, including profiling The application of Article 35 (3) (a) of the General Data Protection Regulation requires that: automatic processing, such as profiling, involves the personal identification of a natural person systematic and comprehensive assessment of the risks and that such automatic processing decisions which have legal effects on or affect a natural person to a natural person in a similar way significantly. Article 35 of the General Data Protection Regulation The list in paragraph 3 of the Directive is not exhaustive as described above, but the data protection impact. should also be carried out in other cases where the processing of personal data is likely to poses a high risk to the data subject's rights and freedoms taking into account the nature, extent, context and purposes of the processing. On the basis of the controller’s report, the personal data processed by it shall be including profiling, are limited to telephone numbers, orders placed with the application and whether the registrant has reached VIP level. A systematic and comprehensive assessment of a person’s personal characteristics with regard to the requirement for automatic decision-making, it should be noted that including profiling, the assessment of personal characteristics is limited to practical how often a particular person uses a taxi. Although the personal data carried out by the controller in connection with that processing operation the evaluation of the features takes place with each taxi order and can thus be considered systematic, not for taxi orders made by telephone or by means of an ordering application, their and the processing of VIP customer data can be considered as Article 35 of the General Data Protection Regulation. comprehensive characteristics of a natural person within the meaning of Article 3 (3) (a) evaluation. Since the first subparagraph of Article 35 (3) (a) of the General Data Protection Regulation the two cumulative requirements of this Directive are not met, its second registered requirement black, that is, the automatic decision - making of a decision with legal effect, or other significant effects should not be assessed in this context. For the reasons described above, the EDPS considers that the controller should not have come prepare a data protection impact assessment in accordance with Article 35 (3) of the General Data Protection Regulation in accordance with point (a). It remains to be seen whether it should have been drafted on data protection impact assessment pursuant to Article 35 (1) of the General Data Protection Regulation, ie if the processing of personal data may be considered likely to pose a high risk to natural freedoms and rights of the individual, taking into account the nature, scope, context and purposes of the processing taking. When assessing the obligation of the controller to carry out a data protection impact assessment pursuant to Article 35 (1) of the Data Protection Regulation, the Assistant Data Protection Supervisor pay attention to the personal characteristics defined by the Data Protection evaluation and scoring criteria, automatic decision-making has legal effects or similar significant effects on the large-scale processing of data and the processing of registered data on vulnerable data subjects. criteria. With regard to assessment and scoring based on personal characteristics, as described above, personal data processed in the context of automatic decision-making Dots manifest a person's qualities in terms of something other than the practice of how often he or she use taxi services. Based on the report provided by the registrar, it does not process other such information from registrants in the automated version of the loyalty program. in the context of its decision-making. On the basis of a report provided by the registrar, the VIP verification of the battery and the provision of its benefits to suitable persons the scoring of data subjects based on the number of taxi orders it places, no taxi service the frequency of use of the services is not apparent from the number of employees in the loyalty program. with regard to data processing, other than the verification of VIP membership. Apulaistieto- the EDPS considers that the processing of personal data concerning the scoring of persons does not occur likely high risk to the rights and freedoms of data subjects. Automatic decision-making, including profiling, based on tasks registered the legal and other significant effects of decisions on and the group has considered that such effects include, for example, outside individuals or discrimination, and the conditions of the criterion are not met if the effects of the treatment are natural persons are few or non-existent. 13 The controller has considered in his reply 6.3.2020 that the processing in question has no legal or other significant effects on the the data subjects. The EDPS notes that the decisions taken on the basis of this processing operation The actual effects of these are in principle limited to the fact that the person ordering the taxi receives a taxi ride either faster, slower or in an extreme case where he is queued in front of him becomes only VIP customers, he will only receive a taxi forwarded by the registrar for a long time after or not at all. Based on the effects described above, the Assistant Data Protection Supervisor Considers that this processing of personal data has mainly only a minor effect on the given that the controller has significant market power. Despite this, other taxi drivers and taxi services are also available service providers. The effects of such processing of personal data could be greater, if the services provided by the controller were the only pick-up services used by a particular group environment. The assessment of a large-scale processing must take into account, on the one hand, that the only limited types of personal data are covered. On the other hand, the processing of personal data the amount can be considered large. According to the controller’s report, the controller’s The center handles around four million taxi rides a year, with the majority of orders coming from digital subscription channels and about a third by telephone. In this case, taxi orders and the associated automatic processing of VIP-customers more than a million times a year. In addition, taking into account the processing of personal data can be considered as large-scale in this respect. In addition, it should be noted that this processing is part of the controller’s normal processing of personal data and has lasted since September 2018 as indicated by the controller. Kaen. 14 The geographical implications of the processing of the controller’s personal data are the metropolitan area, but the services it provides are available to both its registered may be located elsewhere. Automatic decision-making, including profiling, processing of personal data in the context of a controller loyalty program is as a whole. With regard to the processing of data relating to vulnerable data subjects, it may be as has been pointed out above with regard to security camera surveillance, that the controller is dealing with data on data subjects likely to be in that position. Automatic decision making, including profiling, it should also be noted that persons in this position may not be able to exercise their right to oppose the automatic decision against them. -making. If the condition specified by the two Data Protection Groups is met, the Assistant Data Protection Commissioner Considers that automatic decision-making by the controller, including profiling is likely to pose a high risk to the rights and pauksille. Accordingly, the EDPS considers that the controller should have drawn up automatic decision-making in the context of its loyalty program, in accordance with including profiling, in accordance with Article 35 (1) of the General Data Protection Regulation impact assessment before proceeding, taking into account the treatment nature, scope, context and purposes. Consequently, the controller has not been able to 13 Data Protection Team Impact Assessment Guide, p. 10 14 Registrar's press release on 6 September 2018https://www.taksihelsinki.fi/taksi-helsinki-oy/ajankohtaista/lehdis- release on / taxi-helsinki-launching a customer loyalty program-perched-sitting-vip customer / to demonstrate compliance with that paragraph of Article 5 of the General Data Protection Regulation In accordance with paragraph 2. Summary of the decision of the Assistant Data Protection Supervisor As described above, the processing of the controller’s personal data has revealed a general data protection serious shortcomings in compliance with this Regulation. The processing of personal data does not the processing conditions provided for in Articles 5, 6, 12, 26, 28, 30 and 35 of the Regulation. So extensive shortcomings in the processing of personal data are also reflected in Article 25 of the General Data Protection Regulation procedure and shortcomings in the built-in and default data protection technical and organizational measures required by Article 24. Signatures The Assistant _________________________ Anu Talus Inspector general _________________________ Jyri Poutala Decision of the Sanctions Chamber on the imposition and amount of the sanction fee Having regard to the decision of the Assistant Data Protection Supervisor on the infringement of the Regulation overall, the infringements reflect serious deficiencies in the processing of personal data. under Article 83 of the General Data Protection Regulation. effective, proportionate and dissuasive sanction imposition of a levy. The Sanctions Chamber of the Office of the Data Protection Officer lays down a general data protection regulation 58 accordance with Article 83 (2) (i) of the General Data Protection Regulation and Article 83 of the pursuant to section 24 of the Data Protection Act to the registrar 72,000.00 (seventy-two thousand) euros administrative penalty to be paid to the State. In assessing the amount of the administrative penalty fee, account has been taken of the aggravating and mitigating factors in accordance with Article 83 (2) thereof. The controller has not responded to the EDPS’s request for a hearing. that the corona situation would be a factor in reducing the administrative penalty. However, in assessing the amount of the administrative penalty payment, the exceptional situation. It is common knowledge that the corona situation is significantly into taxi operations. As these effects are not yet visible in the Sanctions be from the available information on the turnover of Taxi Helsinki, is the Sanctions College generally considered the effects of the corona situation as reducing the amount of the penalty payment factor. An administrative penalty fee is enforced, such as the execution of a fine (672/2002). Grounds for the decision of the Sanctions Chamber Pursuant to Article 58 (2) (i) of the General Data Protection Regulation, each supervisory authority the Authority has the remedial power to impose an administrative fine under Article 83 here in addition to or instead of the measures referred to in paragraph 1, in each individual case depending on its circumstances. According to Article 83 (1) of the General Data Protection Regulation, each supervisory authority must: ensure that the imposition of administrative fines for infringements of this Regulation in accordance with this Article in each individual case relationships and cautionary. Under Article 83 (2) of the General Data Protection Regulation, administrative fines are imposed in accordance with the circumstances of each individual case in Article 58 (2) (a) to (h) and (j) in addition to or instead of the measures referred to in When deciding on the imposition of an administrative fine, the amount of the administrative fine must be taken in each individual case take due account of the following: (e) the nature, gravity and duration of the infringement, the nature, extent or purpose of the processing in question; the number of data subjects affected by the infringement. and the extent of the damage suffered by them; (f) willful misconduct or negligence; (g) the action taken by the controller or the processor on data subjects; to mitigate the damage caused; (h) the degree of responsibility of the controller or the processor, taking into account their 25 and the technical and organizational measures it has taken pursuant to Article 32; (i) any previous similar breaches by the controller or the processor; (j) the degree of cooperation with the supervisory authority in order to remedy the infringement and to mitigate adverse effects; (k) the categories of personal data affected by the breach; (l) the manner in which the infringement came to the notice of the supervisory authority, in particular the controller or processor of the breach and to what extent; (m) if the controller or processor concerned has previously been designated measures referred to in Article 58 (2) on the same subject, those measures compliance; (n) approved codes of conduct pursuant to Article 40 or approved codes of conduct pursuant to Article 42; compliance with ignited certification mechanisms; and (o) any other aggravating or mitigating factors applicable to the case, such as the any financial advantage derived directly or indirectly from the Commission or any losses incurred. Pursuant to Article 83 (3) of the General Data Protection Regulation, if the controller or the intentionally or negligently infringes the processing operations in the same or related processing operations. several provisions of this Regulation, the total amount of the administrative fine shall not exceed the fine imposed for the most serious infringement. Pursuant to Article 83 (5) of the General Data Protection Regulation, infringements of the following an administrative fine of up to EUR 20 000 000 shall be imposed in accordance with paragraph 2, or, in the case of an undertaking, 4% of its annual worldwide whichever is the greater: (a) the basic principles of processing referred to in Articles 5, 6, 7 and 9, the conditions for including operations; (b) the rights of data subjects in accordance with Articles 12 to 22; According to Article 24 of the Data Protection Act, the administrative procedure provided for in Article 83 of the Data Protection Regulation the fine (administrative penalty fee) shall be imposed by the Data Protection Officer and the a panel of sanctions formed jointly by the parties. The Data Protection Officer shall act on the Chairman. Consultation of the controller on the imposition of a penalty fee The controller has been consulted on the imposition of a penalty fee in a supplementary report submitted on 13 February 2020. request for consultation and consultation. In its reply of 6 March 2020, the controller submitted I find that the conditions for imposing a penalty payment are in no way met. Re- The Registrar considers that, in addition to rectifying the shortcomings identified in this case, swing note. In this respect, the controller refers to the Office of the Data Protection previous decisions which, in addition to rectifying deficiencies, have been sanctioned mautus. • In the case of security cameras, the controller considers that the imposition of a penalty fee Article 83 (2) of the General Data Protection Regulation. basis pay attention specially the following following: In the light of the explanation provided, the potential infringement has been minor and short-lived and no damage has been shown; • The possible violation has not been intentional and at most slightly negligent; ________________________________________ Page 31 31 (35) Office of the Data Protection Officer PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi • The controller has taken immediate action to remedy a possible breach. and mitigate adverse effects; • The data controller has himself informed the data subject of the possible infringement and its jaustoimista; • The controller has cooperated with TSV and taken steps to remedy the breach as well as to alleviate possible side effects, an immediate first TSV has been performed Taxi after a request for clarification to Helsinki; and • Taxi Helsinki has not committed any previous violations. For matters other than security cameras, the controller shall consider that the penalty fee Article 83 (2) of the General Data Protection Regulation the following points in particular: • In view of the explanation provided in the case, the possible infringement has been minor and not no damage has been shown; • The possible violation has not been intentional and at most slightly negligent; • Taxi Helsinki has immediately taken steps to rectify the possible violation and mitigate adverse effects; • Taxi Helsinki has co-operated with TSV to rectify the infringement and to mitigate possible adverse effects; and • Taxi Helsinki has not committed any previous violations. Assessment of the imposition of a penalty payment In accordance with Article 83 (1) of the General Data Protection Regulation, the imposition of a fine taking into account the specificities of the case at hand. registration In the course of the consultation, the EDPS has referred to previous decisions of the EDPS Office. in cases where no penalty payment has been imposed but the penalty has been imposed processing of personal data of the country in accordance with the General Data Protection Regulation and the note issued. Such decisions shall not have wider legal effects and consideration of the framework is made on a case-by-case basis. The amount of the penalty payment In this individual case, the decision to infringements of the General Data Protection Regulation decided by the EDPS and the on the basis of the information provided for in The administrative penalty payment must be effective, proportionate and dissuasive in the individual case deterrent. As regards efficiency, it should be noted that in the present case a mere provision under Article 58 (2) (d) of the General Data Protection Regulation sufficient consequence of the controller’s processing of personal data in breach of the General Data Protection Regulation. taking into account the Proceedings against the controller’s general data protection regulation are serious shortcomings in the General Data Protection Regulation and the data subject rights and freedoms. Apulaistietosuojavaltuu- According to the above summary, these shortcomings reflect the requirements of the General Data Protection Regulation. more comprehensive anti-trust procedure. An administrative penalty fee may be considers it an effective way to address the failure of the controller to intervene in the obligations under this Decision under the General Data Protection Regulation. neglect of victories. The amount of the administrative penalty payment shall be proportionate to the the business of the registrar and its financial situation. The administrative penalty fee account shall be taken of the annual worldwide accounts of the controller for the preceding financial year. konaisliikevaihto. In its reply of 6 March 2020, the registrar has stated the previous financial year ________________________________________ Page 32 32 (35) Office of the Data Protection Officer PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi total turnover of EUR 10.1 million. Financial statements for the previous financial year, ie 2019 had not yet been completed on the basis of the controller's reply. Notified by the controller the revenue data for the financial year 2019 must be considered credible as provided by the registrar According to the 2018 financial statements, net sales in 2018 were EUR 8.792 million and in 2017 EUR 7.325 million. The administrative penalty payment must be dissuasive in nature. Monetary The imposition of a fee shall have such an economic effect on the controller that: it is not indifferent to its business. The sanction should motivate the to avoid future breaches of the General Data Protection Regulation. Assessment of the maximum amount of the penalty payment The Assistant Data Protection Supervisor has considered in his decision that the controller had acted Articles 5, 6, 12, 26, 28, 30 and 30 of the General Data Protection Regulation. Articles 35 and 25 of the General Data Protection Regulation procedure contrary to this Article. Of these, breaches of Articles 5, 6 and 12 are the most serious breaches of the general data protection higher penalty category in accordance with Article 83 (5) of the Regulation. Consequently, the maximum amount of the administrative penalty applicable is determined by the general rules in accordance with Article 83 (5) of the Data Protection Regulation and shall not exceed the pursuant to Article 83 (3) of the Regulation. Assessment of aggravating and mitigating circumstances The nature, gravity and duration of the infringement, the nature, extent or purpose of the processing in question the number of data subjects affected by the infringement and to them the amount of damage caused Mitigating circumstances in accordance with Article 83 (2) (a) of the General Data Protection Regulation on the one hand, the fact that the controller has dealt with security camera surveillance can be considered as branches audio data for a limited time. In addition, the controller has undertaken security camera following a request for clarification addressed to it. On the other hand, the controller should have assessed and placed in the context of security camera surveillance processing of persons in accordance with the general data protection regulation by the time when the General Data Protection Regulation came into force, and to take into account and ensure its requirements before the introduction of new devices with sound recording. It should also be borne in mind that the processing of personal data is a key condition for the business of the controller and has acted in breach of the general data protection regulation systematically in the normal course of business. The controller shall process the and the processing of personal data involves a significant number of data subjects and kilötietotyyppejä. Damage to data subjects is limited to the availability of personal data concerning them processed unlawfully, which is likely to create a sense of insecurity and privacy. feeling of loss of protection. Likewise, the general privacy regulation of the controller As a result of the antitrust proceedings, data subjects have been in a worse position to control them the lawfulness of the processing of personal data concerning In addition, account must be taken of the fact that the controller can be considered as processing in the normal way ________________________________________ Page 33 33 (35) Office of the Data Protection Officer PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi information on vulnerable data subjects. For registered no financial damage has been identified during the investigation. Intentional or negligent infringement Proceedings contrary to the controller's regulation must be considered negligent. productivity the imposition of an administrative penalty must be regarded as as a supporting factor. Aggravating in terms of imposing an administrative penalty payment it may be considered that, pending the outcome of the case, the controller 's conduct is revealed a number of fundamental shortcomings in the processing of personal data. Actions taken by the controller or processor of data subjects to mitigate the damage As mitigating circumstances for the imposition of a penalty payment, account shall be taken of the registrar has voluntarily discontinued and sought to ensure that the security camera surveillance no longer process audio files and has, on the basis of its report, committed itself to to share shortcomings in the processing of personal data. On the other hand, it should be noted that the controller has taken action and is committed to rectifying the deficiencies only to the controller following a request for clarification. For other irregularities, the fact that the by or after the date of application of this Regulation. that the processing of personal data would comply with the general data protection regulation. The degree of responsibility of the controller or processor, taking into account their 25 and 32 technical and organizational measures taken pursuant to this Article The mitigating liability of the controller may be considered to be the measures it indicates before and during the investigation. On the other hand, the breaches of the protection regulation show serious disregard for the processing of personal data the effects on data subjects, in which case the security of processing subsequent measures have not been based on a proper assessment. Any previous similar breaches by the controller or processor There are no previous similar infringements against the controller. Degree of cooperation with the Authority to remedy the breach and its possible to mitigate side effects A mitigating circumstance is that the controller may be considered to have acted in a in cooperation with the Authority and on the basis of its report remedial action. Groups of personal data affected by the breach An aggravating circumstance is the fact that the controller deals with large-scale personal data relating to data subjects. In particular, location and imagery of data subjects and there is a higher than usual risk involved in processing audio data. ________________________________________ Page 34 34 (35) Office of the Data Protection Officer PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi The manner in which the breach came to the attention of the supervisory authority, in particular whether the controller reported or the controller of the personal data breach and to what extent The Office of the Data Protection Officer was initially informed of the case concerning the controller. dose made by the anonymous registrant concerned. The case concerning the controller and was opened as an own-initiative inquiry. Any other aggravating or mitigating factors applicable to the case, such as the any economic advantage derived directly or indirectly from the infringement or any losses A mitigating circumstance may be considered to be the fact that the controller has demonstrated its commitment to improving its data protection in the future. In the light of the above, the Sanctions Chamber of the Office of the Data Protection Officer proceedings against the controller in the context of the general data protection regulation in accordance with Article 58 (2) (d) of the General Data Protection Regulation in accordance with Article 58 (2) (i) of the General Data Protection Regulation administrative penalty fee. The College of Sanctions considers that the infringements of the General Data Protection effective, proportionate and dissuasive penalty EUR 72,000.00 (seventy-two thousand). Applicable law The explanatory memorandum shows. Appeal According to section 25 of the Data Protection Act (1050/2018), the Deputy Data Protection Commissioner and the Sanctions Chamber decisions may be appealed to an administrative court in accordance with the law of the administrative proceedings (808/2019). The appeal is made to the administrative court. The notice of appeal is attached. Service The decision will be notified by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against. More information For more information on this decision, please contact Anu Talus, Deputy Data Protection Commissioner, anu.talus@om.fi.