Tietosuojavaltuutetun toimisto (Finland) - 1011/161/22

From GDPRhub
Tietosuojavaltuutetun toimisto - 1011/161/22
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started: 19.01.2022
Decided: 11.08.2023
Published: 16.02.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 1011/161/22
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA found a school to have breached the principle of data minimisation for processing the bank account numbers of all its students for the purpose of awarding possible scholarships concerning only some of them.

English Summary

Facts

The Finnish DPA was notified that a school (the controller) had requested the guardians of all its students to provide the students' bank account numbers for the payment of a possible scholarship. The DPA then asked the controller to explain for what purpose it processed the bank account numbers of all its students.

In response to the request, the controller clarified that scholarships were usually physically awarded to the recipients at the end of the semester. Due to the pandemic, it was decided to pay the scholarship directly to the student's bank account. The controller also stated that it did not want to reveal in advance which students would receive the scholarships. Thus, to speed up the process, the controller requested the bank account numbers of all its students.

Holding

On the basis of the information provided by the controller, the DPA considered that personal data shall not be processed and stored only for the sake of certainty and for future use. The controller had unnecessarily processed the bank account numbers of all its students for the purpose of awarding the scholarships, even though these would have been awarded only to some students.

The DPA emphasised that it would have been possible for the controller to award the scholarships in a less intrusive manner and therefore the controller violated the principle of data minimisation enshrined in Article 5(1)(c) GDPR by processing the bank account numbers.

As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to erase the bank account numbers since there were no legal grounds for the processing.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Deputy Data Protection Commissioner
Thing

Processing of all student account numbers for the payment of scholarships.
Registrar

City (institution responsible for the operation)
Information received from the informant

On January 19, 2022, the office of the data protection commissioner initiated a matter according to which the guardians of all students in elementary schools should have been asked to provide the student's account number. According to the contact, the guardians were sent the following message via the Wilma system with the title Dear guardians (for the information of the staff): "The city's way of distributing scholarships changed last spring. City scholarships are not distributed to students in cash, but the scholarships are paid to the students' accounts. If the student does not have an account, the scholarship is paid as a gift card. For this reason, we ask the guardians to check that the student's Wilma has an account number for the payment of a possible scholarship."
Statement by the registrar

The Office of the Data Protection Commissioner has requested clarification from the data controller with a request for clarification dated February 1, 2022. The registrar has issued a report on the matter on 25 February 2022.

According to the report given by the registrar, the processing of personal data is related to the distribution of scholarships in the organization of basic education, which is a decades-old custom in the country as part of rewarding those who have merited their studies. The traditions of teaching include taking students' progress in their studies into account. Normally, the scholarships are physically distributed to their recipients at the school's graduation ceremonies. The extraordinary circumstances and the subsequent extensive distance learning contributed to the fact that large-scale closing parties were not organized. Because of the corona, the city decided to give out a lot of scholarships, unlike usual years. It was decided to pay the scholarship money directly into the account. However, the city did not want to reveal in advance who all will receive the scholarship. Therefore, in order to speed up the payment of scholarships, account numbers were requested from everyone. Guardians were sent a notice about this via the Wilma information system in the spring of 2021 before the scholarships were awarded.

The report stated that the account number is stored in the teaching information system in such a way that only a very limited number of personnel can process it, and log information remains from the processing. The account number is not confidential information in Finland, but the controller treats it in the same way as confidential information.
On applicable legislation

The general data protection regulation (EU) 2016/679 of the European Parliament and the Council (data protection regulation) applies to the processing of personal data. As a regulation, the legislation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The data protection regulation is specified in the national data protection act (1050/2018).

According to Article 5(1)(c) of the Data Protection Regulation, personal data processed must be appropriate and relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization). According to paragraph 2 of the same article, the data controller is responsible for it and must be able to demonstrate that the data protection principles according to paragraph 1 have been complied with (obligation to demonstrate).

According to Article 25, paragraph 1 of the Data Protection Regulation, taking into account the latest technology, implementation costs and the nature, scope, context and purposes of the processing, as well as the varying probability and severity of risks caused by the processing to the rights and freedoms of natural persons, the controller must, both in connection with determining the processing methods and the processing itself, implement appropriate technical and organizational measures, such as pseudonymization of data, for the effective implementation of data protection principles, such as data minimization, in order to include the necessary safeguards as part of the processing and to ensure that the processing complies with the requirements of this regulation and the rights of data subjects are protected.

According to paragraph 2 of the same article, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that personal data is not, by default, made available to an unlimited number of people without the contribution of a natural person.

The processing of personal data may also be affected by other legislation applicable to the activity. The Basic Education Act (628/1998) provides for the organization of basic education, which is the subject of the case.
A legal question

The Deputy Data Protection Commissioner assesses and resolves the matter as mentioned above on the basis of the Data Protection Regulation (EU) 2016/679, the Data Protection Act and the Basic Education Act. The matter must be resolved:

1. Has the data controller (organizer of basic education) complied with Article 5(1)(c) of the Data Protection Regulation (minimization of data) and the provisions of Article 5(2) and Article 25(1) and (2) when it has processed student account numbers?
Decision of the Deputy Data Protection Commissioner
Decision

The registrar (the organizer of basic education) collected the account number information of all students in advance for the purpose of distributing the scholarships, even though the scholarships are awarded to some of the students based on academic success. The organizer of the education has unnecessarily collected the account numbers of the students who have not received a scholarship. The deputy data protection commissioner considers that the data controller has not complied with Article 5, paragraph 1, subparagraph c (minimization of data) of the data protection regulation when it has processed the account numbers of all students in accordance with the rules.

The basis for processing personal data has not been assessed in the case. The data minimization principle stipulated in Article 5(1)(c) of the Data Protection Regulation applies regardless of the basis on which personal data is processed.
Note

The data controller is given a notice in accordance with Article 58, paragraph 2, subparagraph b of the data protection regulation regarding processing actions contrary to the data protection regulation in the processing of students' account numbers.
Regulation

The controller is also given an order in accordance with Article 58, paragraph 2, subparagraph d of the Data Protection Regulation to bring the processing operations in accordance with the provisions of the Data Protection Regulation with regard to the processing of student account numbers and to delete the collected account numbers in those parts where there are no legal grounds for the processing.
Reasoning
Registrar

The case concerns the organization of basic education, which is regulated in the Basic Education Act (628/1989). The registrar's responsibility in the processing of personal data is regulated at a general level in Article 24 of the Data Protection Regulation, which is interpreted together with other regulations regarding the registrar's obligations.
Data minimization

The processing of personal data is legal only if one of the processing grounds according to 6 of the Data Protection Regulation is met. In addition, the data protection principles laid down in Article 5 must be followed, which is also the minimization of data in accordance with Article 1, subparagraph c (See KHO's decision (1671/23) of 5 June 2023, paragraphs 31-33, 35, 40 and 42.)

Personal data must be appropriate and relevant and limited to what is necessary in relation to the purposes for which they are processed, according to Article 5, paragraph 1, letter c of the Data Protection Regulation. According to section 39 of the preamble of the Data Protection Regulation, personal data must be sufficient and essential and limited to what is necessary for the purpose of their processing. Personal data must only be processed if the purpose of the processing cannot reasonably be achieved by other means (See European Data Protection Board Guidelines 4/2019 on built-in and default data protection pursuant to Article 25 (Version 2.0 Issued on October 20, 2020) section 3.5. EDPB's jurisdiction is provided for in TSA Article 70 .)

The registrar has noted that account numbers were exceptionally used to pay scholarships to students' bank accounts. However, according to the registrar's report, the city did not want to reveal in advance who all will receive the scholarship, which is why, in order to speed up the payment of the scholarships, the account numbers were requested from all students.

The Deputy Data Protection Commissioner draws attention to the fact that the data protection principles laid down in the Data Protection Regulation must be taken into account when collecting personal data. Taking into account the minimization principle according to Article 5, paragraph 1, subparagraph c of the Data Protection Regulation, it is not legal for the controller to collect such personal data from the registered persons, the necessity of which cannot be presented with appropriate grounds. In the case at hand, in order to speed up the payment of scholarships, the registrar has regularly collected the account numbers of all students in case some of them will be awarded a scholarship. The necessity of the data must be assessed on a case-by-case basis, and personal data cannot, for example, be collected and stored just to be sure, in case of the future. The registrar's report does not reveal any reasons why the account numbers of all students would be necessary information for the payment of scholarships. It is also possible to pay scholarships in other ways.

The Deputy Data Protection Commissioner gives the data controller a notice referred to in Article 58, paragraph 2, letter b of the General Data Protection Regulation, because the processing operations, as described above, have been in violation of the provisions of the Data Protection Regulation. The registrar has unnecessarily collected the account numbers of all students in order to pay the scholarships, even though the scholarship is paid to some of the students. In addition, the deputy data protection commissioner gives the data controller the order referred to in Article 58, paragraph 2, letter c of the data protection regulation to bring the processing operations into compliance with the data protection regulation in these parts and to remove the collected account numbers in those parts where there are no legal grounds for the processing.