Tietosuojavaltuutetun toimisto (Findland) - 531/161/20

From GDPRhub
Tietosuojavaltuutetun toimisto - 531/161/20
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 25 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Published: 18.5.2020
Fine: 16000 EUR
Parties: n/a
National Case Number/Name: 531/161/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: n/a

Finnish DPA held that the controller should have conducted a DPIA to assess the privacy risks of processing employee location data and therefore did not comply with its obligations under Article 35.

English Summary[edit | edit source]

Facts[edit | edit source]

A company monitored employees’ working hours by using location data from vehicle information systems. The controller had not performed a DPIA for the data processing activity as it had not identified the obligation or need to carry out the assessment.

Dispute[edit | edit source]

The main legal arguments were as follows: 1. Did the data processing fall within the meaning of Article 35 GDPR, which requires the controller to carry out DPIA? 2. If yes, has the controller complied with its obligations under Article 35 GPDPR? 3. Has the controller taken adequate organisational and/or technical measures in accordance with Article 25 GDPR.

Holding[edit | edit source]

The Finnish DPA held that the data processing activities fell within the meaning of Article 35, and that the controller did not comply with its obligations under Article 35. A DPIA should be mandatory if the data processing is likely to be a high risk to the individuals’ rights. In this context, the processing was deemed likely to result in high risk due to the employee – employer relationship and the fact that location data was systematically monitored. Furthermore, the controller has not taken adequate organisational or technical measures within the meaning of Article 25 GDPR. A fine of EUR16,000 was imposed for the controller’s privacy violations.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.