Tietosuojavaltuutetun toimisto (Finland) - 2889/161/21

From GDPRhub
Tietosuojavaltuutetun toimisto (Finland) - 2889/161/21
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 28(3) GDPR
Article 58(2)(b) GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 24.06.2021
Published: n/a
Fine: None
Parties: Anonymous (X & Y)
National Case Number/Name: 2889/161/21
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finish DPA (in FI)
Initial Contributor: Florence D'Ath

The Finnish DPA found that a controller (X) and a processor (Y) had failed to enter into a data processing agreement pursuant to Article 28(3) GDPR. It decided not to impose a fine firstly because the data processing operations had already ended, and secondly due to the very low turnover of Y and the fact that it had already filed for bankruptcy.

English Summary[edit | edit source]

Facts[edit | edit source]

Between 4 September 2018 and 3 June 2019, four complaints were lodged with the Finnish DPA concerning unsolicited direct marketing calls made by automated calling systems (commonly referred to as 'Robocalls'). Company Y was conducting these robocalls on behalf of Company X. Having regard to the facts of the case, Y was thus acting as a processor in the sense of Article 4(8) GDPR, while X was acting as a controller in the sense of Article 4(7) GDPR.

The Finnish DPA had already discussed and ruled on the lawfulness of X and Y's data processing operations in two other cases (case n°2890/161/2021, and case n°2889/161/21 respectively). In the context of these proceedings, it had become apparent that X and Y had not signed a data processing agreement, as normally required by Article 28(3) GDPR. The Finnish DPA therefore decided to analyse this specific point separately.

Holding[edit | edit source]

Taking into account all the information collected from both parties, the Finnish DPA came to the conclusion that there was no personal data processing agreement between X and Y at the time when Y processed personal data on behalf of X. The Finnish DPA therefore concluded that Article 28 (3) GDPR had been breached.

Regarding the possibility to impose a fine on Y, the Sanction Chamber of the Finnish DPA, after considering all the relevant circumstances, concluded that imposing a pecuniary sanction would not be proportionate. The Sanction Chamber of the Finnish DPA considered those facts in particular: (1) the fact that the duty to enter into a data processing agreement mainly lies with the controller (X) rather than the processor (Y); (2) the fact that Y had a very low annual turnover (i.e. only 839.33 EUR for the year 2020) and; (3) the fact that Y had already ceased all processing operations on 1 March 2021 and had filed for bankruptcy on 18 June 2021.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Agreement on the processing of personal data and the processing of personal data by the processor on behalf of the controller
    Thing
    Agreement on the processing of personal data pursuant to Article 28 (3) of the General Data Protection Regulation
    Processor of personal data
    According to the information received from the Insolvency Register and the Ostrobothnian District Court, the bankruptcy application concerning Y Oy was initiated in the Ostrobothnian District Court on 20 May 2021. On 18 June 2021, the bankruptcy case was in the notification stage. No decision has therefore been taken to declare bankruptcy.
    Background
    Between 4 September 2018 and 3 June 2019, four complaints were lodged with the Office of the Data Protection Officer concerning unsolicited direct marketing calls made by automated calling systems (so-called robots). The publisher of the magazine is XX Oy, on whose behalf Y Oy has carried out direct marketing of the magazine.
    In connection with the handling of complaints concerning XX Oy, it has become apparent that XX Oy and Y Oy, which carried out direct marketing on its behalf, have not drawn up an agreement or other legal document pursuant to Article 28 (3) of the General Data Protection Regulation.
    Y Oy has acted as a registrar with regard to the processing of personal data. However, in this case, Y Oy's operations are assessed only in so far as it has been the processing of personal data and the processing agreement performed on behalf of XX Oy. Also in connection with this matter, the processing of personal data by Y Oy has not been clarified in other respects.
    The Data Protection Commissioner discusses and evaluates the operations of XX Oy (dnro 2890/161/2021) and Y Oy (dnro 2889/161/21) in separate decisions.
    Report received from Y Oy
    With the request for clarification dated 10 September 2019 and the request for additional clarification dated 26 February 2020, the Office of the Data Protection Commissioner has asked Y Oy for an explanation of its role as a processor of personal data with regard to direct marketing of the magazine. Y Oy has issued responses to the reports on 1 December 2019 and 22 April 2020.
    In its reports, Y Oy has stated, among other things, that it makes telemarketing calls on behalf of its principals. One of the principals has been XX Oy.
    In its reply dated 22 April 2020, Y Oy has also stated the following about the personal data processing agreement: “XX Oy has terminated the co-operation agreement with Y Oy in June 2019. Y Oy does not have an attached made. According to the signed memo, the processing instructions have also been available on XX Oy's website electronically. ”
    
    Report received from XX Oy
    Prior to the request for clarification submitted to Y Oy, the Office of the Data Protection Commissioner has requested clarification from XX Oy with a request for clarification dated 4 April 2019 and a request for additional clarification dated 5 July 2019. XX Oy has provided answers to the reports on 10 June 2019 and 12 August 2019. In addition, by a request for consultation dated 26 January 2021, the Office of the Data Protection Commissioner has reserved an opportunity for XX Oy to comment on the facts presented in the request for consultation of the Office of the Data Protection Officer pursuant to section 34 of the Administrative Procedure Act (434/2003). XX Oy submitted its response to the request for a hearing on 22 March 2021.
    XX Oy has said the following, among other things.
    Y Oy has acted as a processor of personal data on behalf of XX Oy with regard to direct marketing of the magazine from the end of 2017 until 25 June 2019.
    XX Oy has submitted to the Office of the Data Protection Commissioner a sales agreement between Y Oy and XX Oy, which has been in force from 23 April 2019 to 31 August 2019. However, the co-operation between Y Oy and XX Oy ended on 25 June 2019. According to the sales contract submitted to the Office of the Data Protection Officer, “XX Oy owns all the addresses allocated to the company. Only XX Oy's information is to be provided to shared addresses. The company acts as the processor of the register and undertakes to keep the personal data and other information included in the register confidential and to destroy the data for its own part at the end of the processing. The parties undertake to comply with the applicable EU national legislation on the processing of personal data and the protection of privacy when processing personal data. The company can use electronic direct marketing for sales. ” In the sales agreement, the company refers to Y Oy.
    In the request for consultation dated 26 January 2021, XX Oy has the opportunity to respond to the fact presented in the request for consultation of the Office of the Data Protection Commissioner that there was no personal data processing agreement between Y Oy and XX Oy pursuant to Article 28 (3) of the General Data Protection Regulation. XX Oy has acknowledged that the course of events presented in the request for consultation is largely correct and has not considered it necessary to provide additional information in the matter.
    Consultation of Y Oy and the facts presented in the request for consultation
    With regard to the activities carried out by Y Oy, Y Oy is expressly reserved the opportunity to be heard referred to in section 34 of the Administrative Procedure Act and to present an opinion on the preliminary assessment of the rapporteur of the Data Protection Commissioner and the facts presented in the request. Y Oy has the opportunity to provide its explanations on such claims and explanations that may affect the resolution of the matter. At the same time, Y Oy has been given the opportunity to raise such matters referred to in Article 83 (2) of the General Data Protection Regulation which, in its view, should be taken into account when making a decision and imposing a possible administrative penalty fee. A request for consultation sent to XX Oy has also been sent to Y Oy upon request.
    In the request for consultation submitted to Y Oy, the following have been presented as facts.
    From the end of 2017 until 25 June 2019, Y Oy has been engaged in direct marketing of the magazine on behalf of XX Oy. The general data protection regulation has been applied since 25 May 2018. Y Oy and XX Oy have not drawn up a sales agreement for direct marketing until 22 April 2019, although Y Oy has processed personal data on behalf of XX Oy since 2017. In addition, in the request for consultation, the rapporteur has considered that there has been no personal data processing agreement between Y Oy and XX Oy in accordance with Article 28 (3) of the General Data Protection Regulation.
    Y Oy has responded to the request for consultation on 27 May 2021. Y Oy has stated the following in its defense.
    Y Oy has stated that it has not entered into a direct agreement with XX Oy at any stage between 2017 and April 2019. Y Oy has also not had a direct contractual relationship with XX Oy during that period. Y Oy has stated that it did not co-operate directly with XX Oy before concluding the sales agreement. Y Oy has stated that it subcontracted newspaper subscriptions to XX Oy during that period. Y Oy says, however, that it has not entered into a subcontracting agreement with XX Oy. However, in order to carry out the subcontracting, Y Oy has had an agreement with XX Oy regarding the “general data protection regulation”.
    Y Oy further submits that it did not operate in a contractual relationship with XX Oy prior to the sale agreement. Contrary to what Y Oy has previously submitted, in its reply dated 27 May 2021, Y Oy has submitted to the Office of the Data Protection Commissioner that it has had an “agreement on the general data protection regulation” with XX Oy. Y Oy submits that the Data Protection Commissioner has never requested an agreement for the above-mentioned period, so it has not been possible to deliver it. Y Oy considers that the Data Protection Commissioner has drawn the conclusions of the consultation request without asking Y Oy to submit the agreement. Y Oy has submitted its response as an appendix to the agreement dated 24 May 2018 “Agreement on the General Data Protection Regulation”. The agreement states the following: “XX Oy owns all the addresses allocated to the company. Only XX Oy's information is to be provided to shared addresses. The company acts as the processor of the register and undertakes to keep the personal data and other information included in the register confidential and to destroy the data for its own part at the end of the processing. Both Parties shall implement and maintain appropriate organizational, operational, administrative, physical and technical measures to protect personal data and any other information against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access.
    
    
      The parties undertake to comply with XX Oy's instructions when processing personal data, which can be read in their entirety at xxxx-lehti.fi/rekisteriseloste.
    
    
      Both parties have become acquainted with the legislation and XX Oy's guidelines and undertake to comply with the EU national legislation on the processing of personal data and the protection of privacy in force at the time when processing personal data. The company can use electronic direct marketing for sales. ”
    In addition, Y Oy has stated that Y Oy has been removed from the VAT, withholding tax and employer register and the company's operations have been dated in the Business Information System of the Trade Register as of 1 March 2021. The company's turnover for the current financial year is estimated at EUR 0.00.
    Y Oy's turnover in the period 1.1.2020-31.12.2020 has been EUR 839.33.
    In order to clarify the matter, the Office of the Data Protection Commissioner has reserved an opportunity for Y Oy to submit additional information on the following matter with a request for additional information dated 27 May 2021. Complaints lodged with the Office of the Data Protection Officer and the compilation of the Finnish Competition and Consumer Authority have mentioned telephone numbers from which the magazine's direct marketing calls were made between July 2018 and September 2019. These numbers were 02 4334000, 02 4334001, 02 4334002 and 02 433400 all the above-mentioned numbers have been in the name of the company Y Oy during the above-mentioned period.
    Y Oy has provided a response to the additional report on 30 May 2021. In the additional investigation, Y Oy states that it has never denied that the company had subcontracted magazine calls. Y Oy has also stated that the numbers provided by the Data Protection Commissioner may be those for which marketing has been done. However, according to Y Oy, the Data Protection Officer's statement about a direct sales agreement before April 2019 is not true.
    Y Oy considers that the report issued by it and XX Oy shows that the co-operation ended in June 2019. According to the report, Y Oy has not made any calls on behalf of XX Oy since June 2019.
    Applicable law
    General Data Protection Regulation (2016/679)
    Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) has been applicable since 25.5.2018. According to section 8 of the Data Protection Act (1050/2018), the Data Protection Commissioner acts as the national supervisory authority referred to in the General Data Protection Decree.
    Pursuant to Section 24 of the Data Protection Act, the administrative fine (administrative penalty fee) provided for in Article 83 of the General Data Protection Regulation is imposed by a sanction panel formed jointly by the Data Protection Commissioner and the Deputy Data Protection Commissioners.
    According to Article 4 (7) of the General Data Protection Regulation, “controller” means any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are defined in Union or Member State law, the controller or the specific criteria for his appointment may be established in accordance with Union law or the law of a Member State.
    According to Article 4 (8) of the General Data Protection Regulation, “processor” means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
    According to Article 28 (3) of the General Data Protection Regulation, the processing carried out by the controller must be determined by an agreement or other legal instrument under Union law or national law binding the controller vis-à-vis the controller. groups, responsibilities and rights of the controller. This agreement or any other legal instrument shall provide in particular that the controller
    (a) process personal data only in accordance with documented instructions issued by the controller, including transfers to third countries or international organizations, unless otherwise required by Union law or national law applicable to the controller, in which case the controller shall inform the controller of this legal requirement before processing; that information is prohibited by that law for overriding reasons in the public interest; (b) ensure that persons having a right to process personal data have undertaken to comply with an obligation of professional secrecy or are subject to an appropriate legal obligation of professional secrecy; (c) take all measures required by Article 32; (d) comply with the conditions for the use of another processor referred to in paragraphs 2 and 4; (e) taking into account the nature of the processing operation, assist the controller by appropriate technical and organizational measures, as far as possible, in fulfilling the controller 's obligation to respond to requests concerning the exercise of the data subject' s rights under Chapter III; (f) assist the controller in ensuring that the obligations laid down in Articles 32 to 36 are complied with, taking into account the nature of the processing and the information available to the controller; (g) at the choice of the controller, delete or restore all personal data to the controller upon termination of the processing services and delete existing copies, unless Union law or the law of a Member State requires the storage of personal data; (h) make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow and participate in audits, such as inspections, by the controller or another auditor authorized by the controller.
    Under Article 58 (2) (b) of the General Data Protection Regulation, each supervisory authority has the right to issue a notice to the controller or processor if the processing operations have infringed the Regulation.
    Pursuant to Article 58 (2) (i) of the General Data Protection Regulation, the Supervisory Authority may impose an administrative fine under Article 83 in addition to or instead of the measures referred to in the General Data Protection Regulation, depending on the circumstances of each individual case.
    According to Article 83 (1) of the General Data Protection Regulation, the imposition of an administrative penalty for a breach of the General Data Protection Regulation must be effective, proportionate and dissuasive in each individual case.
    Under Article 83 (2) of the General Data Protection Regulation, an administrative penalty fee is imposed according to the circumstances of each individual case in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j).
    Infringements under Article 83 (4) (ac) of the General Data Protection Regulation shall be subject to an administrative penalty of up to EUR 10 000 000 or, in the case of an undertaking, 2% of its annual worldwide turnover in the preceding financial year, whichever is the greater. is larger. Under paragraph 4 (a) of that article, an administrative penalty may be imposed for infringement of Article 28.
    Legal issues
    The Data Protection Officer will resolve the matter as set out above under the General Data Protection Regulation and the Data Protection Act. The following legal issues are pending:
    
      1. whether Y Oy and the controller (XX Oy) have drawn up an agreement on the processing of personal data in accordance with Article 28 (3) of the General Data Protection Regulation; and
    
      2. If Y Oy, as a processor of personal data, has failed to comply with the obligation under the General Data Protection Regulation to draw up a personal data processing agreement, the Data Protection Commissioner must assess what sanction to be imposed on Y Oy pursuant to Article 58 (2) of the General Data Protection Regulation.
    Decision and justification of the EDPS
    Decision
    There has been no personal data processing agreement or other legally binding document pursuant to Article 28 (3) of the General Data Protection Regulation between XX Oy, which acted as the registrar, and Y Oy, which acted as the processor of personal data. Y Oy has neglected its obligation as a processor of personal data to draw up the above-mentioned agreement or other legal document.
    As Y Oy's business has been explicitly based on telemarketing and thus the processing of personal data on behalf of its principals, Y Oy has failed to comply with the General Data Protection Regulation by requiring the Sanctions Board to assess whether administrative penalty fee in accordance with Taking into account in particular the nature of Y Oy's business, the Data Protection Commissioner considers that Y Oy's breach has not been minor. In any case, the infringement requires a remark.
    Pursuant to Article 58 (2) (b) of the General Data Protection Regulation, the Data Protection Officer notifies Y Oy of a breach of a provision pursuant to Article 28 (3) of the General Data Protection Regulation.
    Reasoning
    According to Article 4 (8) of the General Data Protection Regulation, "processor" means, inter alia, a natural or legal person who processes personal data on behalf of the controller. According to Article 4 (7), "controller" means, inter alia, a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
    
      Processing of personal data by the controller
      this chapter refers first to the activity where an actor separate from the controller processes personal data for the benefit of the controller. The processing of personal data on behalf of the controller means serving the interests of another. Similarly, the processing of personal data on behalf of the controller means the processing in which the controller processes personal data explicitly on behalf of the controller in order to serve the interests of the controller.
    Y Oy has stated that it has subcontracted telemarketing on behalf of XX Oy. The activities of Y Oy must therefore be considered to have specifically served the interests of XX Oy with regard to the treatment referred to here.
    Some of the complaints lodged with the Office of the Data Protection Officer and some of the complaints filed by the Competition and Consumer Agency contain telephone numbers from which the magazine has been directly marketed. The telephone numbers in the name of Y Oy have been called on 23 July 2018, 8 August 2018 and 3 September 2018. However, in those complaints where the telephone number was not mentioned, it was reported that the call had a marketed magazine and the call sounded like a robot or a vending machine. In four complaints lodged with the Office of the Data Protection Officer, direct marketing calls took place before 25 June 2019. Y Oy has also stated that it has carried out the magazine's direct marketing calls on behalf of XX Oy.
    Y Oy has stated that it has not entered into a direct sales agreement, nor has it had a direct contractual relationship with XX Oy between the end of 2017 and April 2019. Y Oy has stated that it has not cooperated directly with XX Oy before concluding the sales agreement. . Y Oy also considers that it has not been in a direct contractual relationship before the conclusion of the sales contract, ie before 23 April 2019.
    When assessing whether Y Oy has acted as a processor of personal data on behalf of XX Oy since the application of the General Data Protection Regulation until 25 June 2019, the “General Data Protection Regulation Agreement” dated 24 May 2018 submitted by Y Oy must also be taken into account. among other things, the following “XX Oy owns all the addresses distributed to the company. Only XX Oy's information is to be provided to shared addresses. The company acts as a registrar [-] '. Taking into account the above criteria and the explanation received in the matter in its entirety, the Data Protection Commissioner considers that Y Oy has acted as a processor of personal data in accordance with Article 4 (8) of the General Data Protection Regulation with regard to direct marketing processing. It should be noted that there may have been a relationship between XX Oy and Y Oy (later also the “parties”) between the controller and the processor of personal data, even if there was no above-mentioned sales agreement or other direct agreement between the parties. Thus, the existence of an agreement is not a decisive factor in assessing whether there has in fact been a relationship between the controller and the controller.
    Based on the above, the Data Protection Commissioner considers that Y Oy has acted as a processor of personal data on behalf of XX Oy. It is therefore necessary to assess whether there has been an agreement between the parties on the processing of personal data pursuant to Article 28 (3) of the General Data Protection Regulation, which should have existed between the parties after the application of the General Data Protection Regulation.
    According to Article 28 (3) of the General Data Protection Regulation, the contract or other legal instrument must specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the controller's obligations and rights. The contract or other legal instrument shall specify in particular the matters referred to in Article 28 (3) (a) to (h). The obligation to draw up a contract for the processing of personal data or any other legal document applies to both the controller and the processor. Under Article 83 (4) (a) of the General Data Protection Regulation, an infringement of Article 28 of the General Data Protection Regulation may lead to the imposition of an administrative penalty fee. Pursuant to Article 58 (2) (i) of the General Data Protection Regulation, the supervisory authority may impose an administrative penalty fee on both the controller and the processor, depending on the circumstances of the case.
    XX Oy has delivered a sales agreement between Y Oy and XX Oy, which has been valid from 23 April 2019 until 25 June 2019. XX Oy has stated that the sales agreement is the only agreement that has existed between the parties. The sales contract states, inter alia, the following.
    “XX Oy owns all the addresses distributed to the company. Only XX Oy's information is to be provided to shared addresses. The company acts as the processor of the register and undertakes to keep the personal data and other information included in the register confidential and to destroy the data for its own part at the end of the processing. The parties undertake to comply with the applicable EU national legislation on the processing of personal data and the protection of privacy when processing personal data. The company can use electronic direct marketing for sales. ”
    In the sales agreement, the company refers to Y Oy.
    
    
      
        Y Oy has submitted that there has been no direct agreement between it and Xx Oy, nor a sales agreement, between the end of 2017 and April 2019. Y Oy has also stated that it has not cooperated directly with XX Oy before concluding the sales agreement. However, Y Oy has stated that it has subcontracted orders to XX Oy during the above-mentioned period, but no subcontracting agreement has been entered into. The Data Protection Commissioner states that it follows from the above-mentioned arrangement that Y Oy has acted as a processor of personal data in relation to XX Oy. Y Oy has later stated that there has been a “general data protection regulation agreement” dated 24 May 2018 between the parties for the implementation of the above-mentioned subcontracting. The said agreement has been signed by the Chairman of the Board of Y Oy, who has also served as the Chairman of the Board of XX Oy. (Until 25 June 2019, the Chairman of the Board of Y Oy has been responsible for XX Oy's operations)
      
    
    
      
        “XX Oy owns all the addresses distributed to the company. Only XX Oy's information is to be provided to shared addresses. The company acts as the processor of the register and undertakes to keep the personal data and other information included in the register confidential and to destroy the data for its own part at the end of the processing. Both Parties shall implement and maintain appropriate organizational, operational, administrative, physical and technical measures to protect personal data and any other information against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access.
        
      
    
    
      
        
          The parties undertake to comply with XX Oy's instructions when processing personal data, which can be read in their entirety at xxxx-lehti.fi/rekisteriseloste.
        
      
    
    
      
        
          Both parties have become acquainted with the legislation and XX Oy's guidelines and undertake to comply with the EU national legislation on the processing of personal data and the protection of privacy in force at the time when processing personal data. The company can use electronic direct marketing for sales. ”
      
    
    
      
        In its reply to the request for consultation of 27 May 2021, Y Oy has stated that it has not previously submitted an “agreement on the general data protection regulation” to the Office of the Data Protection Commissioner, as it has not been directly requested. According to Y Oy, it was not until May 2021 that he understood to submit the agreement to the Office of the Data Protection Commissioner.
      
    
    
      
        In a request for additional information dated 26 February 2020, the Office of the Data Protection Commissioner has requested Y Oy to submit the personal data processing agreement entered into between XX Oy and Y Oy. The request for additional clarification has explicitly stated that additional clarification has been requested regarding the issue concerning the personal data processing agreement for the entire period of Y Oy's operations. In its reply to the request for additional information issued on 22 April 2020, Y Oy stated that it had terminated the co-operation agreement in June 2019, and at the time of submitting the additional information no Since 27 May 2021, Y Oy has submitted the agreement dated 24 May 2018 to the Office of the Data Protection Commissioner. Y Oy has submitted the agreement in response to the fact presented by the Office of the Data Protection Commissioner in the request for consultation that there was no personal data processing agreement between Y Oy and XX Oy pursuant to Article 28 (3) of the General Data Protection Regulation. The Data Protection Commissioner states that the answers given by Y Oy on 22 April 2020 and 27 May 2021 regarding the personal data processing agreement are not consistent.
      
    
    
      
        It is not clear from the report provided by Y Oy whether Y Oy's “agreement on the general data protection regulation” dated 24 May 2018 was intended to correspond to the agreement on the processing of personal data pursuant to Article 28 (3) of the general data protection regulation. According to that paragraph, the contract or other legal instrument must specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the controller. The contract or other legal instrument shall specify in particular the matters referred to in Article 28 (3) (a) to (h). In any case, the “general data protection regulation” submitted by Y Oy does not fulfill the elements of an agreement under Article 28 (3) of the general data protection regulation, so the agreement cannot be considered as an agreement under Article 28 (3) of the general data protection regulation and therefore has no effect. to the case pending.
      
    
    
      
        Finally, the EDPS notes that the explanations provided by XX Oy and Y Oy on the existence of a personal data processing agreement differ.
      
    
    
      
        Taking into account the report received in its entirety, the EDPS considers that there was no personal data processing agreement between XX Oy and Y Oy in accordance with Article 28 (3) of the General Data Protection Regulation at the time when Y Oy processed personal data on behalf of XX Oy.
      
    
    
      
        The decision has been made by Data Protection Commissioner Anu Talus and presented by Senior Inspector Mari-Ilona Korhonen.
      
    
    
      
        According to section 24 of the Data Protection Act, the administrative penalty fee is determined by the sanction college, which has issued the following decision on the imposition of the penalty fee.
      
    
    
      
        Decision of the Sanctions Chamber
      
    
    
      
        As a processor of personal data, Y Oy has failed to comply with the obligation under Article 83 (4) (a) of the General Data Protection Regulation to draw up a personal data processing agreement pursuant to Article 28 (3) of the General Data Protection Regulation. Infringements of that Article may be subject to an administrative penalty fee for both the controller and the processor. In the present case, Y Oy has acted as a processor of personal data.
      
    
    
      
        According to Article 83 (1) of the General Data Protection Regulation, the imposition of administrative penalties must be effective, proportionate and dissuasive in each individual case. According to paragraph 2 of the same Article, an administrative penalty fee shall be imposed in accordance with the circumstances of each individual case in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j).
      
    
    
      
        Article 83 of the General Data Protection Regulation divides infringements into two categories of severity. The controller 's infringement has been committed in accordance with Article 83 (4) (a), which is a less serious infringement.
      
    
    
      
        With regard to efficiency, proportionality and deterrence, it should be noted that Y Oy's business has been explicitly based on the fact that Y Oy has processed personal data on behalf of its various principals. It should be noted that the processor of personal data should not have a basis for processing personal data under Article 6 of the General Data Protection Regulation insofar as personal data are processed on behalf of the controller. Similarly, the legal basis of the controller to process personal data is based on the fact that the processing of personal data takes place in accordance with the agreement with the controller and in accordance with the controller's instructions. The processing of personal data must therefore be determined by agreement. It should also be noted that Article 28 (10) of the General Data Protection Regulation states that if a processor processes personal data contrary to what has been agreed with the controller by determining the purposes and means of the processing itself, the controller shall be considered a controller. Based on the above, the Sanctions Chamber considers that Y Oy's violation has not been minor and that Y Oy should be ordered to pay an administrative penalty fee.
      
    
    
      
        In assessing what is effective, proportionate and dissuasive in each case, account must also be taken of the objective of the remedy chosen, namely either to restore compliance or to penalize the non-compliance (or both). Y Oy has already stopped processing personal data on behalf of XX Oy. Thus, a provision to bring the processing of personal data in line with the General Data Protection Regulation would not be effective, proportionate and dissuasive in the present case. As regards effectiveness, proportionality and dissuasiveness, a mere statement by the EDPS under Article 58 (2) (b) of the General Data Protection Regulation would not in principle be sufficiently effective and dissuasive in the present case, as Y Oy's infringement was not minor. Taking into account the business conducted by Oy and the nature of the processing of personal data. Likewise, an administrative penalty payment would be effective and dissuasive in the present case.
      
    
    
      
        In terms of efficiency, proportionality and deterrence, the present case must also take into account the fact that Y Oy has announced that it has ceased operations on 1 March 2021. According to the information received from the Insolvency Register and the Ostrobothnian District Court on 18 June 2021, the creditor's bankruptcy application was filed with the District Court on 20 May 2021. The bankruptcy case concerning Y Oy has been in the notification phase on 18 June 2021 and bankruptcy proceedings have therefore not yet been initiated. Y Oy's turnover in the period 1.1.2020-31.12.2020 has been EUR 839.33.
      
    
    
      
        The Sanctions Chamber considers that an administrative penalty fee should be imposed on Y Oy pursuant to Article 58 (2) (i) and Article 83 (4) (a) of the General Data Protection Regulation. The Sanctions Chamber considers that Y Oy's breach was serious in nature and that Y Oy has knowingly failed to draw up an obligation to draw up a personal data processing agreement in accordance with Article 28 (3) of the General Data Protection Regulation. These factors would justify the imposition of an administrative penalty fee. However, the Sanctions Chamber considers that the imposition of an administrative penalty payment in the present case is disproportionate. However, the Sanctions Chamber considers that the main responsibility for drawing up the personal data processing agreement lies with the controller, as this is the processing of personal data on behalf of the controller. In addition, the assessment must take into account Y Oy's turnover and the bankruptcy application filed with the district court.
      
    
    
      
        Pursuant to Article 58 (2) (i) of the General Data Protection Regulation, the Sanctions Chamber does not order Y Oy to pay an administrative penalty fee. Therefore, the exercise of remedial powers is subject to the decision of the EDPS.
      
    
    
      
        The decision to impose an administrative penalty fee has been made by the members of the Sanctions Chamber of the Data Protection Commissioner, Data Protection Commissioner Anu Talus, Assistant Data Protection Commissioner Jari Råman and Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa. Chief Inspector Mari-Ilona Korhonen presented the matter
      
    
    
      
        Applicable law
      
    
    
      
        Article 4 (7) and (8), Article 28 (3), Article 58 (2) (b) and (i), Article 83 (1), (2), (4) (a) of the EU General Data Protection Regulation (2016/679)
      
    
    
      
        Sections 8 and 24 of the Data Protection Act (1050/2018)
      
    
    
      
        Section 34 of the Administrative Procedure Act (434/2003)
      
    
    
      
        The decision is final.