Tietosuojavaltuutetun toimisto (Finland) - 2368/182/20

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 6 GDPR
Article 9 GDPR
Article 25 GDPR
Article 58(2) GDPR
Type: Complaint
Outcome: Upheld
Decided: 06.08.2021
Published: 06.08.2021
Fine: None
Parties: n/a
National Case Number/Name: 2368/182/20
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: finlex.fi (in FI)
Initial Contributor: Frederick Antonovics

The Finnish DPA issued a warning against a housing company that required residents diagnosed with coronavirus to inform the property manager. It considered other measures unnecessary because no such data was actually collected.

English Summary

Facts

The Finnish Office of the Data Protection Ombudsman received a complaint "according to which a press release issued by the housing company in March 2020 stated that a resident diagnosed with coronavirus is obliged to inform the property manager". The DPA asked the housing company for clarification as it was understood to be the controller in this case. It responded that infections should be reported to improve cleaning services it provided. It did not intend to collect residents' health data and no cases were reported.

Holding

The DPA held that no processing basis had been defined by the company for the processing of residents' personal data concerning coronavirus infections. It laid out the rules for general processing of personal data regarding residents by a housing company, and emphasised that coronavirus infection information is health information in accordance with Article 4(15) GDPR, and thus belongs to a specific category of data per Article 9(1) GDPR.

It found that the controller had not:

  • made an assessment of whether it could collect residents' health data in the present case;
  • assessed in a timely manner whether there was a legal basis for the processing of such personal data;
  • evaluated whether this processing would conflict with the principle of data minimisation under Article 5(1)(c) GDPR;
  • checked the processing against the requirement for built-in and default data protection in line with Article 25 GDPR.

Thus, it issued a warning against the company. It considered the exercise of other coercive powers unnecessary since no data had actually been collected.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Collection of residents' coronavirus infection data by the housing association
    Decision of the Assistant Data Protection Supervisor on data minimization, lawfulness of processing and built-in and default data protection
    Matter
    Collection of residents' coronavirus infection data by the housing association
    Statement from the complainant
    On 25 March 2020, a complaint was lodged with the Office of the Data Protection Officer, according to which a housing company statement issued in March 2020 stated that a resident who is diagnosed with coronavirus is obliged to notify the property manager.
    Statement received from the controller
    The Office of the Data Protection Officer requested clarification from the controller in a request dated 13 July 2021. The controller submitted its report on 22 July 2021.
    The controller has said that residents have been asked to report the infection in order to make cleaning more efficient in the housing association. According to the controller, it was not intended to collect health information from residents, and no reports of infection have been received by the property manager.
    Applicable law
    General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) has been applied since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The Data Protection Regulation contains a national margin of maneuver, on the basis of which national law can supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).
    According to Article 5 (1) (c) of the General Data Protection Regulation, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed (data minimization).
    Article 6 of the General Data Protection Regulation provides for the lawfulness of processing. For the processing of personal data to be lawful, it must have a basis for processing in accordance with Article 6 of the General Data Protection Regulation.
    Article 9 of the General Data Protection Regulation provides for the processing of specific categories of personal data. According to paragraph 1, the processing of personal data belonging to specific categories of personal data is prohibited. According to paragraph 2, paragraph 1 shall not apply if one of the criteria in paragraph 2 applies.
    Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1, taking into account state-of-the-art technology and implementation costs, as well as the nature, extent, context and purposes of processing and the varying probability and severity of appropriate technical and organizational measures for implementation. Paragraph 2 requires the controller to take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.
    Legal issue
    The Assistant Data Protection Officer assesses and decides the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).
    The Deputy Data Protection Supervisor must decide whether remedial powers under Article 58 (2) of the General Data Protection Regulation should be exercised, such as issuing an alert under Article 58 (2) (a) of the General Data Protection Regulation.
    Decision of the Assistant Supervisor
    A warning is given to the controller in accordance with Article 58 (2) (a) of the General Data Protection Regulation that the processing of residents' coronavirus infection data in this case would be contrary to the provisions of the General Data Protection Regulation without a legitimate basis and without respecting data protection principles.
    Reasoning
    Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization, which requires that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.
    The principle of data minimization is part of the requirement for built-in and default data protection underlying the General Data Protection Regulation (Article 25 of the General Data Protection Regulation), which requires the controller to take data protection into account from the outset. The implementation of built-in and default data protection requires that the controller effectively implements data protection principles, such as the principle of data minimization.
    Article 6 of the General Data Protection Regulation provides for the lawfulness of processing. For the processing of personal data to be lawful, it must have a basis for processing in accordance with Article 6 of the General Data Protection Regulation.
    Article 9 of the General Data Protection Regulation provides for the processing of specific categories of personal data. According to paragraph 1, the processing of personal data belonging to specific categories of personal data is prohibited. According to paragraph 2, paragraph 1 shall not apply if one of the criteria in paragraph 2 applies. The processing of data belonging to specific categories of personal data therefore requires that there is a basis for processing in accordance with Article 6 of the General Data Protection Regulation and that one of the conditions of Article 9 (2) of the General Data Protection Regulation is also met.
    In the present case, the housing association, in a notice issued to residents in March 2020, has indicated to residents that they have an obligation to provide the property manager with information about a coronavirus infection. On 22 July 2021, the controller submitted a report to the Office of the Data Protection Officer, according to which no processing criterion has been defined for the processing of personal data concerning coronavirus infection in accordance with the General Data Protection Regulation. The controller has stated in its report that the purpose of the data collection has been to increase the efficiency of cleaning in the event of an infection.
    It should be noted in general that there is a resident relationship between the housing association and the resident, and that the housing association processes the resident's personal data in order to perform the resulting tasks. In this case, personal data may be processed, for example, on the basis of an agreement between the housing association and the resident or on the basis of a legal obligation of the housing association. Corona infection data, on the other hand, are health data within the meaning of Article 4 (15) of the General Data Protection Regulation, which belong to specific categories of personal data under Article 9 (1) of the General Data Protection Regulation. There must therefore be a legal basis for processing in accordance with both Articles 6 and 9 of the General Data Protection Regulation.
    The EDPS considers that in the present case the controller has not assessed whether he can collect residents' health data and has not assessed in due time whether there is a legitimate basis for processing personal data (Articles 6 and 9 of the General Data Protection Regulation). Furthermore, the controller has not assessed whether the collection of residents' health data would be in conflict with the data minimization principle under Article 5 (1) (c) of the General Data Protection Regulation or the built-in and default data protection requirements of Article 25.
    As no personal data have actually been collected, the EDPS does not consider it appropriate to consider the use of other remedies in addition to issuing an alert under Article 58 of the General Data Protection Regulation.
    Applicable law
    Mentioned in the explanatory memorandum.
    Appeal
    According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court.
    Service
    The decision is notified by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against a receipt.
    The decision is not final.