Tietosuojavaltuutetun toimisto (Finland) - 2245/163/2019

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 25 GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.02.2022
Published: 24.02.2022
Fine: None
Parties: Company X
National Case Number/Name: 2245/163/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Giel Ritzen

The Finnish DPA held that a parking services provider violated Article 5(1)(c) and Article 25 GDPR because, in cases where a technical failure occurred with the payment machine, data subjects were prompted to provide their phone number to receive the receipt via SMS, and were not adequately informed that they could also opt for a printed copy without having to provide their phone number.

English Summary

Facts

The controller is X Oy, a provider of parking services. When paying at a payment machine, the customer could choose to receive a digital receipt, a paper receipt, or no receipt. If the customer wanted a digital receipt, they had to give their phone number so that the receipt could be delivered via SMS. However, when the receipt printer in a payment machine had a technical failure, the customer was left with the impression that their only option to receive a receipt was via SMS. Although the customer could also have requested a paper receipt from customer service, they were not informed of this option.

The data subject did not have the opportunity to receive a paper receipt (due to a technical failure) and filed a complaint with the Finnish DPA.

Holding

The DPA noted that it is not necessary to provide a phone number to receive a receipt, since, even in case of a technical failure, one can contact customer support to receive a receipt. However, customers did not know about this possibility because the payment machines, in case of a technical failure, did not inform the customer that they could do so. Moreover, the DPA considered that, according to Article 25(2), the controller had to implement appropriate technical and organisational measures to ensure that, even in case of a technical failure, it would not collect more data than necessary. Since the controller neglected to implement those measures, the DPA found that the controller violated Article 5(1)(c) and Article 25 GDPR.

In accordance with Article 58(2)(d) GDPR, the DPA ordered the controller to bring its processing operations into compliance with the GDPR. Hence, the controller has to implement such measures that, in case of a technical failure in a payment machine, the customer will not have the impression that they would need to provide their phone number in order to receive a receipt.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Minimize data in the event of a parking machine failure

Keywords: Data minimization
Parking company
Telephone number

Legal basis: Decision in accordance with the EU General Data Protection Regulation

Diary number: 2245/163/2019

Matter

Data minimization

Registrar

On 18 March 2019, a matter was initiated in the Office of the Data Protection Officer concerning the issue of data minimization. The initiating document states that X Oy is a major provider of parking services in Helsinki. The company is still reported to use a service called Y in some car parks, where the identification of the vehicle is based on the description of the registration plate during entry and exit. It is possible to pay for parking, for example, at a payment machine. The initiating document states that in order to receive a receipt for a payment transaction made with a payment machine, the person must provide his or her mobile phone number, after which the receipt will be delivered to the customer via SMS. However, according to the initiator, the mobile phone number is not mentioned as personal data processed in X Oy's register description. According to the initiator, the mobile phone number is also not mentioned on the payment machine itself. The initiating document states that it is not possible to obtain a paper receipt from the payment machine.

Statement received from the controller

The controller has been asked for clarification by the Office of the Data Protection Officer. The registrar submitted its report on 13.5.2020 and 9.3.2021.

The registrar has been asked to explain why the description of the company's customer register, which can be found on its website, does not indicate that X Oy processes telephone number data or on what basis this data is processed. It has been stated in the report that X Oy acts as a joint registrar with a company named Z in accordance with Article 26 of the General Data Protection Regulation in the processing of customers' personal data related to short-term parking. The report also states that when making a payment order at a payment machine, the customer can also register as a customer of the above-mentioned company. In connection with a payment order, the customer is offered two alternative ways to receive a receipt for the payment made. The customer can choose either a paper or SMS receipt. Phone number information is only requested when the customer wants the latter option, i.e. a text message receipt. The report states that the mobile phone number information is not processed for any purpose other than sending a text message receipt to the customer. According to the data controller, the telephone number information will not be stored in the register for longer than is necessary for the processing. The telephone number information is destroyed when the processing criterion has expired. Phone number information is reported to be retained in logs and messaging for 90 days. It has further been stated that the Registry Statement available on X Oy's website had not been updated, but the statement has since been updated.

Initiator's response

The initiator has been provided with a statement issued by the data controller, after which the initiator has been in contact with the Office of the Data Protection Officer on 23 January 2021. Among other things, the initiator has stated that there is no mention in the car park or on the payment machine that in order to receive the receipt, the customer must provide the data controller with his mobile phone number. The initiator has also referred to the Consumer Protection Act and expressed the view that the service provider must provide a receipt to the customer on its own initiative, without the customer's express request.

Review

The initiator has stated that the registrar has not offered its customers the possibility to obtain a paper receipt for the parking fee paid by the parking machine. The report, for its part, states that the customer may also obtain a paper receipt if he so wishes. Due to differing reports regarding the availability of receipt options, a review was held on June 23, 2021. According to section 38 of the Administrative Procedure Act (434/2003), the authority may submit a review if it is necessary to clarify the matter.

In the review, the operation of one of X Oy's parking machines has been introduced. When paying for parking, the “Pay and Source” button will appear on the display of the parking machine. In the payment phase, the customer is offered the opportunity to enable automatic debiting, which requires the registration of a Y-profile. However, the customer has the option to opt out by selecting the option "Not now." If the customer selects the “Not Now” option, the payment transaction proceeds to the step where the device prompts the customer to insert the payment card and follow the instructions on the payment terminal. The display at the top will then read "You are now paying for parking the vehicle [registration number]." Once the payment card has been debited, the machine will announce that the payment has been made and ask if the customer wants a receipt. The customer is then offered three options on the touch screen: "No thanks", "Yes, on paper" and "Yes, on text message." When you select a paper receipt, the receipt is printed in the space in the lower left corner of the machine.

However, if, for example, there is a technical problem with the machine's printer, it will completely remove the paper receipt option mentioned above and leave the customer with only a text message receipt. However, according to the registrar's representative, in this type of situation, the customer always receives the paper receipt afterwards by requesting it from the registrar's customer service. However, customers have not been specifically informed about this possibility.

Additional explanation received from the controller

Following the review, the controller has been asked for further clarification. The registrar submitted its report on 11 August 2021.

Among other things, the registrar has been asked to explain how it informs customers of the possibility of obtaining a paper receipt in the event of a technical failure. The registrar has also been asked to explain how long it retains the telephone number information provided for SMS receipts. In addition, the registrar has been asked for numerical information on technical failure situations where the customer has not had a paper receipt at all.

The additional explanation provided states that the system developer has been asked to update the existing system so that in the future, in the event of a technical failure, the display of the parking machine will show that it is not possible to obtain a paper receipt at this time. In addition, in the future, customers will also be offered the option of an email receipt. It has further been stated that the controller has relied on the assumption that the customer will contact the controller's customer service if he has not received the paper receipt.

The additional explanation provided states that the data controller will keep the telephone number data for 90 days. The information will not be used for any purpose other than the delivery of a receipt. The additional explanation provided also states that the controller issues hundreds of SMS receipts each year in situations of technical failure where the customer has not had a paper receipt at all. Millions of parking events have been reported on an annual basis.

Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The Regulation is directly applicable law in the Member States. The General Data Protection Regulation contains national leeway, which allows national law to supplement and clarify matters specifically defined in the Regulation.

Legal question

The EDPS will assess and resolve the matter on the basis of the General Data Protection Regulation (EU) 2016/679 mentioned above.

It is necessary to assess whether the controller has complied with the data minimization principle set out in Article 5 (1) (c) of the General Data Protection Regulation and taken adequate organizational or technical measures in accordance with Article 25 (2) of the General Data Protection Regulation to ensure that only the personal data necessary for this purpose are processed.

Decision of the EDPS

The controller has not complied with the data minimization principle set out in Article 5 (1) (c) of the General Data Protection Regulation and has not taken adequate organizational or technical measures in accordance with Article 25 of the General Data Protection Regulation to ensure that the data protection principles are complied with and have been integrated into the processing of personal data, so that the processing complies with the requirements of this Regulation and protects the rights of data subjects.

The EDPS instructs the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the above processing operations in line with the provisions of the General Data Protection Regulation. The controller shall respect the principle of data minimization and the built-in and default data protection when processing personal data in connection with its parking machines.

Providing a receipt and the case at hand

It should be noted at the outset that the EDPS is not competent to monitor, for example, the application of the Act on the Obligation to Provide Receipts in Cash Transactions (658/2013) (hereinafter also the “Receipt Act”). According to section 5 (1) of the above-mentioned law, the tax administration and the police monitor compliance with the Receipt Act. It should be noted, however, that according to section 3 (1) (1) of the Receipts Act, the Act on the Obligation to Provide Receipts in Cash Transactions does not apply to automatic sales. According to section 4 (1) of the Receipt Act, a receipt may also be offered electronically.

The review has shown that, in the context of short-term parking, the controller has offered its customers two alternative ways to obtain a receipt for a payment transaction. It has been possible for the customer to receive either a text message or a paper receipt.

In connection with the debit, the machine announces that the payment has been made and asks if the customer wants a receipt. The customer is then offered three options on the touch screen: "No thanks", "Yes, on paper" and "Yes, on text message." However, if there has been a technical fault, the machine has not provided the customer with the above-mentioned paper receipt option at all. In this case, the customer only has a text message receipt to choose from. In such situations, however, it has been possible for the customer to obtain a paper receipt by contacting X Oy's customer service. However, customers have not been specifically informed about this possibility.

With reference to the above, it can be stated that the controller has not, in principle, only offered a receipt to customers who have provided it with their mobile phone number. In practice, however, in the event of a technical failure, customers have only been offered a text message receipt by the controller. The existence of a technical defect has not been perceptible to the customer, as a result of which the customer has rightly been left with the impression that the SMS receipt was the only possible form of receipt.

The principle of data minimization and the present case

Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.

The personal data processed must be necessary for the purpose of the processing of the personal data as defined above. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of the processing when they are relevant and not excessive in relation to the purpose for which they were collected and for which they are further processed (HE 96/1998 vp, p. 42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may be processed only if the purpose of the processing cannot reasonably be achieved by other means. The controller must therefore determine in advance which properties and parameters of the processing systems and the functions supporting them are permitted.

The European Data Protection Board has provided practical guidance on the principle of minimization in the context of its guidance on privacy by design and default. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means. In practice, therefore, as little personal data as possible should be collected in each situation.

As can be seen from the above, it has been possible to obtain both a paper and a text message receipt from X Oy's parking machines. It is therefore not even claimed that the telephone number information is necessary for the receipt of the receipt. Nevertheless, in the event of a technical failure, customers may have been left with the impression that a text message receipt is the only possible form of receipt.

Built-in and default privacy and the case at hand

Article 25 of the General Data Protection Regulation provides for built-in and default data protection. Taking into account the state of the art and the cost of implementation, as well as the risks of varying probability and severity that the processing poses to the rights and freedoms of natural persons, the controller shall implement appropriate measures, such as pseudonymisation of the data, to effectively implement data protection principles, such as data minimization, and shall include the necessary safeguards in the processing so that the processing complies with the requirements of this Regulation and the rights of data subjects are protected.

Article 25 (2) of the General Data Protection Regulation requires the controller to take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability.

The controller must therefore include data protection in the processing of personal data by default. At the heart of this provision is to ensure appropriate and effective data protection, both built-in and default. The controller must therefore be able to demonstrate that appropriate safeguards are in place for the processing of personal data to ensure, inter alia, compliance with data protection principles.

Default data protection implies that, by default, only personal data necessary for each specific purpose of the processing will be processed. Thus, by default, the controller should not collect more data than is necessary. It should be noted that this has not been the case in situations of technical failure of the controller's parking machines, where the customer would have wanted a paper receipt instead of a text message receipt for his payment. X Oy has not taken sufficient organizational or technical measures in accordance with Article 25 of the General Data Protection Regulation to ensure that the implementation of data protection principles is part of the processing of personal data, that the processing complies with the requirements of this Regulation and that the rights of the data subject are protected.

Applicable law

Mentioned in the explanatory memorandum.

Appeal

According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court.

Service

The decision shall be served by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt.

Further information on this decision will be provided by the rapporteur

Laura Varjokari, tel. 029 566 6771.