Tietosuojavaltuutetun toimisto (Finland) - 1809/452/18

From GDPRhub
Tietosuojavaltuutetun toimisto - 1809/452/18
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Decided: 29.07.2020
Fine: None
Parties: n/a
National Case Number/Name: 1809/452/18
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

A housing cooperative had incorrectly judged that the use of an electric lock system did not process personal data. The Finnish DPA ruled that, as individuals could be indirectly identified, the housing cooperative had acted unlawfully and ordered to bring the data processing activities in line with GDPR.

English Summary


An applicant contacted the Finnish DPA, expressing data protection concerns over the housing cooperative's electric lock system and its implementation. According to the applicant, the residents were not informed about the details of the lock system. The electric lock system in question is installed at the entrance doors of the apartment building. According to the housing cooperative (controller), they do not receive any information from the lock, and the lock company that manages the system only allows access to the data at the request of the police. The housing cooperative therefore had made an assessment that the use of the electric lock system did not involve processing of personal data.



The door opening data is personal data. Data does not need to be directly linked to the data subject in order to qualify as personal data. Individuals that use the electric keys can be identified in instances where the key identification information is matched with a specific apartment. Especially those residents that are living alone, they can in practice be identified with a high degree of certainty.

The processing of personal data always requires a legal basis for processing, and compliance with the other data protection provisions. As the controller had assessed that no personal data was being processed, it had not defined the legal basis for processing the data, nor in any other way ensured the timely fulfillment of the obligations to the controller under the GDRP. The processing of the personal data has therefore been unlawful.

As per Article 58(2) d, the Finnish DPA ordered the housing cooperative to bring the personal data processing activities in line with GDPR.

The decision is not final.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.