Tietosuojavaltuutetun toimisto (Finland) - 1803/161/23

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 28(3) GDPR, Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.09.2022
Decided: 02.08.2023
Published: 29.05.2024
Fine: n/a
Parties: City of Helsinki
National Case Number/Name: 1803/161/23
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA reprimanded the City of Helsinki for failing to conclude a data processing agreement with the company that maintained the city's online pupil welfare service, which allowed pupils to contact a school counsellor or school psychologist.

English Summary

Facts

The Finnish DPA was notified that the City of Helsinki (the controller) had not concluded a data processing agreement with the company that maintained an online pupil welfare service that allowed pupils to contact a school counsellor or school psychologist. The DPA then asked the controller to explain who was responsible for maintaining the service.

In response to the request, the controller clarified that it had no contractual documentation with the company maintaining the service regarding roles or data protection. The controller also stated that it no longer used the company to operate the service and that the service was now maintained by the controller.

Holding

On the basis of the information provided by the controller, the DPA considered that another company had carried out the regular maintenance of the online service on behalf of the controller and had thus acted as a processor of personal data. The DPA found that, in the absence of a data processing agreement between the parties, the company maintaining the service was not contractually bound, for example, to ensure security of processing or confidentiality.

On the basis of the information gathered, the DPA held that the controller had violated Article 28(3) GDPR by failing to comply with its obligation as controller to enter into a data processing agreement with the processor. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.

Comment

The DPA emphasised that the conclusion of a data processing agreement with the processor is one of the main obligations of the controller. Therefore, the DPA stated that an administrative fine could be imposed in such cases. However, according to Section 24(4) of the Finnish Data Protection Act, administrative fines cannot be imposed on public bodies.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Matter

Personal data processing agreement in accordance with Article 28, paragraph 3 of the General Data Protection Regulation
Controller

City
Background of the matter

As a result of the notification received, the Office of the Data Protection Commissioner has begun to investigate the data controller's processing of personal data in relation to the personal data processing agreement.

According to the notification, the controller had a form on the online service website of the student welfare service, which the student can use to contact the school curator or the school psychologist. The site has been maintained by a site management company. Based on the notification, the data controller has not had a valid contract with the site administrator which would have agreed on data protection or confidentiality and on the basis of which the site administrator's employees would be bound by confidentiality.
Statement received from the controller

On September 1, 2022 and February 21, 2023, the Data Protection Commissioner's office asked the data controller for clarification on the matter. In its responses to the clarification requests on September 22, 2022 and March 20, 2023, the controller stated that it does not have contractual documents with the site operator company regarding acting as site operator or data protection. The controller also stated that it no longer uses the site management company as the site administrator and that the forms are now under the controller's own control.
On applicable legislation

According to Article 28(3) of the General Data Protection Regulation (EU) 2016/679, the processing carried out by the processor of personal data must be determined by a contract or other legal document in accordance with Union law or the legislation of a member state, which binds the processor of personal data in relation to the controller and which confirms the object and duration of the processing, the nature of the processing and purpose, type of personal data and groups of data subjects, obligations and rights of the controller. This contract or other legal document must specifically stipulate that the personal data processor

a) processes personal data only in accordance with documented instructions given by the data controller, which also applies to transfers of personal data to a third country or international organization, unless otherwise required by Union law or national legislation applicable to the personal data processor, in which case the personal data processor informs the data controller of this legal requirement prior to processing, unless such disclosure is prohibited by that law for important reasons of public interest;

b) ensure that the persons who have the right to process personal data are bound to comply with the duty of confidentiality or are subject to an appropriate statutory duty of confidentiality;

c) take all measures required by Article 32;

d) comply with the conditions for using another personal data processor referred to in paragraphs 2 and 4;

e) taking into account the nature of the processing operation, to help the data controller with appropriate technical and organizational measures, as far as possible, to fulfill the data controller's obligation to respond to requests concerning the exercise of the data subject's rights provided for in Chapter III;

f) help the data controller to ensure that the obligations laid down in Articles 32 to 36 are complied with, taking into account the nature of the processing and the information available to the personal data processor;

g) at the choice of the data controller, delete or return all personal data to the data controller at the end of the provision of services related to the processing and delete existing copies, unless required by Union law or the legislation of a Member State to retain personal data;

h) makes available to the data controller all the information necessary to demonstrate compliance with the obligations stipulated in this article, and allows audits, such as inspections, performed by the data controller or another auditor authorized by the data controller, and participates in them.
Legal issues

The issue to be resolved is whether the controller has fulfilled its obligation under Article 28, Section 3 of the General Data Protection Regulation to enter into a personal data processing agreement with the personal data processor.
Decision and reasons of the Deputy Data Protection Commissioner
Decision

The controller has not complied with its obligation under Article 28, Section 3 of the General Data Protection Regulation to enter into a personal data processing agreement with the personal data processor.

In this context, the Deputy Data Protection Commissioner does not give the data controller the order according to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities into compliance with the General Data Protection Regulation, because the data controller no longer uses the site management company as its site administrator.

The Deputy Data Protection Commissioner gives the data controller a reprimand in accordance with Article 58, Section 2, Subsection b of the General Data Protection Regulation. The controller has not complied with its obligation under Article 28, Paragraph 3 of the General Data Protection Regulation to enter into a personal data processing agreement with the personal data processor.
Reasoning

According to Article 28(3) of the General Data Protection Regulation, the processing carried out by the processor of personal data must be determined by a contract or other legal document in accordance with Union law or the legislation of a Member State, which binds the processor of personal data in relation to the controller and which establishes the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the groups, obligations and rights of the controller.

According to the report received from the data controller, the site management company has handled the regular maintenance task of the online service on behalf of the data controller and has thus been in the position of a personal data processor. Based on the explanation presented in the case, there has been no agreement between the data controller and the site management company on the processing of personal data. Consequently, there has not been a personal data processing agreement required in Article 28, paragraph 3 of the General Data Protection Regulation, or any other legal document that would determine the processing by the personal data processor between the data controller and the site management company. The Deputy Data Protection Commissioner considers that the data controller has neglected its duty as a data controller to draw up the aforementioned agreement or other legal document.

The Deputy Data Protection Commissioner states that drawing up a personal data processing agreement with the personal data processor is one of the central responsibilities of the data controller. Its purpose is to ensure compliance with the General Data Protection Regulation when the personal data processor processes personal data on behalf of the controller. The deputy data protection commissioner considers that an administrative fine could also have come into question in this type of case. However, according to § 24 subsection 4 of the Data Protection Act (1050/2018), it is not possible to impose an administrative fine on a public administration organization.