Tietosuojavaltuutetun toimisto (Finland) - 3116/163/20: Difference between revisions

From GDPRhub
No edit summary
(fixed grammar and narrative in the summary and facts. Holding required some more significant changes.)
Line 65: Line 65:
}}
}}


During COVID-19 pandemic a pre-school sent an inquiry to families regarding to changes due to pandemic. In inquiry it was unclear if replying to the inquiry was voluntary and what was legal justification for data handling.
After circulating a survery to parents regarding COVID-19 pandemic changes to learning and teaching, a pre-school was found to have violated Articles 5, 12 and 13 GDPR. The investigation discovered that it was not made clear whether returning the firm was mandatory, and information specifying the legal basis for processing of personal data was not provided.
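Review bot: the new short summary says information specifying the legal basis "was not provided", but the Facts in this same revision say the accompanying letter named consent as the basis, so the point is that the legal basis was not communicated clearly. Suggest rewording that clause, and fixing the two typos in the same line: "survery" and "returning the firm" should be "survey" and "returning the form".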


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On April 2020 a early childhood education unit (pre-school) sent an inquiry along with a informational letter about activities to prevent COVID-19 spreading. In the inquiry families was asked if they could arrange childcare in home during the pandemic. In inquiry form included personal data, such as child's social security number. In Finnish national Data Security Act defines social security number as a sensitive data (Data Security Act 28 §).   
On April 2020 an early childhood education unit (pre-school) sent an inquiry along with a informational letter about activities to prevent COVID-19 spreading. The families were asked to return the form, providing personal data (including the child's social security number) and stating whether they could arrange childcare at home during the pandemic.   


A letter which was given with inquiry form stated that handling personal data is based on consent and data subject gives consent by returning the form. In reality many parents was told that returning the inquiry was mandatory. DPA evaluated the form used and it was unclear if returning was voluntary or mandatory. The usage of collected data was also unclear on the form and attached letter provided to data subjects (parents).
A letter which was given with inquiry form stated that handling personal data is based on consent and data subject gives consent by returning the form. In reality many parents were told that returning the questionnaire was mandatory.


In their statement Controller said that returning inquiry form was voluntary but strongly desirable. The information was needed to arrange activities during exceptional circumstanced due to COVID pandemic. Controller agrees that voluntary nature of inquiry could have been more clearly said. Controller says that employees has been given general guidelines for handling personal data, but not specific guidelines for this particular situation.  
The controller responded to the DPA's request for information, stating that returning the inquiry form was voluntary but strongly desirable. The information was needed to arrange activities during exceptional circumstances due to the COVID pandemic. The controller agreed that the voluntary nature of the inquiry could have been more clearly communicated. They also explained that employees had been given general guidelines for handling personal data, but not specific guidelines for this particular situation.  


In controller statement it refers legal obligation as lawfulness of processing. They needed the information asked to arrange early childhood education as small groups as possible and also for refund families if a child was not attending the activities due to the pandemic. Controller agrees that child's social security number was not necessary piece of information, only child's age would have been enough.
The controller identified Article 6(1)(c) GDPR (necessary for compliance with a legal obligation) as the legal basis for processing of personal data. Their statement asserts that they needed the information in order to arrange early childhood education, account for students learning from home and arrange lessons in small groups where possible. They also claimed that they required the information to refund families if a child was not attending the activities due to the pandemic. However, the controller agreed that a child's social security number was not a necessary piece of information, amnd that their age would have been enough.
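Review bot: the new last Facts paragraph attributes Article 6(1)(c) GDPR to the controller, where the old text said only that the controller referred to a legal obligation; keep the article number only if the decision itself supports it, otherwise write "a legal obligation". The same paragraph has the typo "amnd", and the first Facts paragraph still carries "On April 2020" and "a informational letter" from the old revision ("In April 2020", "an informational letter").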


=== Holding ===
=== Holding ===
DPA considered if data subjects was informed about voluntary nature of inquiry and usage of collected personal data. DPA based it's decision on GDPR 5(1)(a) which states that processing have to be lawful, fair and transparent as well as GDPR 12(1) about controller's responsibility to communicate in a concise, transparent, intelligible and easily accessible form using clear and plain language.
The DPA considered whether data subjects were informed in the survery of the purpose and legal basis of the processing of personal data, and the voluntariness of responding to the inquiry. This decision was based on Article 5(1)(a) GDPR (principle of lawfulness, fairness, and transparency); Article 12(1) GDPR (controller's responsibility to communicate in a concise, transparent, intelligible and easily accessible form using clear and plain language); and Article 13 GDPR (detailing the information to be provided to the data subject).


Based on the material submitted to the DPA, the purpose of the processing of personal data may have remained unclear in the case, and at the same time also the conditions under which the child can continue to participate in early childhood education. There is no transparent information on the form or in the information provided with it that personal data is processed to map how many children need day care. According to the registrar, absence information was needed to process payment refunds. The information sent with the form instructs customers to arrange care for their children at home, if possible, but it does not explicitly say what the meaning of the answer is (whether a child's daycare can be denied based on the answers on the form). In the light of the materials submitted to the office of the data protection commissioner, it is not clear whether the purpose of the processing of personal data was to determine the arrangement of child care at home, the processing of payment refunds, or both.
The DPA evaluated the inquiry form used and found that it was unclear whether returning was voluntary or mandatory. Furthermore, neither the form nor the accompanying information sheet sufficienelty clarified how the data would be used. No information was provided to explain that the collection of the personal data was needed to identify how many children required day care, and the information did not clarify whether day care could be denied based on the answers provided. In its response to the investigation, the controller had stated that information was required in order to process refunds if children were not attending day care. However, it was not clear whether the personal data would be processed to determine the arrangement of child care at home, the processing of payment refunds, or both.


Taking into account the above-mentioned points, the Deputy Data Protection Commissioner considers that the purpose of personal data processing has not been sufficiently transparently informed as required by the Data Protection Regulation. Therefore, the controller is given a notice in accordance with Article 58(2)(b) of the TSA.
Taking into account the above-mentioned points, the DPA found that the purpose of personal data processing had not been sufficiently communicated, and that the controller had infringed their transparency obligations under Articles 5(1)(a), 12, and 13 GDPR. Accordingly, the controller was reprimanded pursuant to Article 58(2)(b) GDPR.
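Review bot: the new Holding opens by saying the DPA considered both the purpose and the legal basis of the processing, but the closing paragraph concludes only that the purpose "had not been sufficiently communicated". Suggest stating the outcome on the legal basis as well, so the conclusion matches the questions the first paragraph sets out. Typos to fix in the new lines: "survery" and "sufficienelty".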


== Comment ==
== Comment ==

Revision as of 15:05, 7 February 2023

Tietosuojavaltuutetun toimisto - 3116/163/20
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1) GDPR
Article 12(1) GDPR
Article 13(1)(c) GDPR
1050/2018 Data Protection Act
Type: Investigation
Outcome: Violation Found
Started: 23.04.2020
Decided: 18.01.2023
Published: 25.01.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 3116/163/20
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Eetu Salpaharju

After circulating a survey to parents regarding COVID-19 pandemic changes to learning and teaching, a pre-school was found to have violated Articles 5, 12 and 13 GDPR. The investigation discovered that it was not made clear whether returning the form was mandatory, and information specifying the legal basis for processing of personal data was not provided.

English Summary

Facts

In April 2020 an early childhood education unit (pre-school) sent an inquiry along with an informational letter about activities to prevent COVID-19 spreading. The families were asked to return the form, providing personal data (including the child's social security number) and stating whether they could arrange childcare at home during the pandemic.

A letter accompanying the inquiry form stated that the processing of personal data was based on consent and that the data subject gave consent by returning the form. In reality many parents were told that returning the questionnaire was mandatory.

The controller responded to the DPA's request for information, stating that returning the inquiry form was voluntary but strongly desirable. The information was needed to arrange activities during exceptional circumstances due to the COVID pandemic. The controller agreed that the voluntary nature of the inquiry could have been more clearly communicated. They also explained that employees had been given general guidelines for handling personal data, but not specific guidelines for this particular situation.

The controller identified Article 6(1)(c) GDPR (necessary for compliance with a legal obligation) as the legal basis for processing of personal data. Their statement asserts that they needed the information in order to arrange early childhood education, account for students learning from home and arrange lessons in small groups where possible. They also claimed that they required the information to refund families if a child was not attending the activities due to the pandemic. However, the controller agreed that a child's social security number was not a necessary piece of information, and that their age would have been enough.

Holding

The DPA considered whether data subjects were informed in the survey of the purpose and legal basis of the processing of personal data, and the voluntariness of responding to the inquiry. This decision was based on Article 5(1)(a) GDPR (principle of lawfulness, fairness, and transparency); Article 12(1) GDPR (controller's responsibility to communicate in a concise, transparent, intelligible and easily accessible form using clear and plain language); and Article 13 GDPR (detailing the information to be provided to the data subject).

The DPA evaluated the inquiry form used and found that it was unclear whether returning was voluntary or mandatory. Furthermore, neither the form nor the accompanying information sheet sufficiently clarified how the data would be used. No information was provided to explain that the collection of the personal data was needed to identify how many children required day care, and the information did not clarify whether day care could be denied based on the answers provided. In its response to the investigation, the controller had stated that information was required in order to process refunds if children were not attending day care. However, it was not clear whether the personal data would be processed to determine the arrangement of child care at home, the processing of payment refunds, or both.

Taking into account the above-mentioned points, the DPA found that the purpose of personal data processing had not been sufficiently communicated, and that the controller had infringed their transparency obligations under Articles 5(1)(a), 12, and 13 GDPR. Accordingly, the controller was reprimanded pursuant to Article 58(2)(b) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Informing early childhood education customers about the purpose of personal data processing and the legal basis for processing

Keywords: Early childhood education, legal basis, informing

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 3116/163/20

Note from the Deputy Data Protection Commissioner

Matter

Informing early childhood education clients about the purpose of processing personal data and the legal basis for processing when personal data is collected using questionnaires

A matter brought to the attention of the Office of the Data Protection Commissioner

The matter concerns informing customers about the purpose of processing personal data and the legal basis for processing when personal data is collected using questionnaires.

On April 23, 2020, it came to the attention of the Office of the Data Protection Commissioner that the controller's early childhood education clients had been sent a questionnaire and an information sheet about arranging child care at home after the start of the corona pandemic. The survey states that the processing of personal data is based on consent, but based on the material delivered to the Data Protection Commissioner's office, it may have remained unclear whether answering the survey is voluntary or mandatory. According to the contact, the day care center had said that the survey should be returned.

In addition, the purpose of the processing of personal data may have remained unclear in the case, and at the same time also the conditions under which the child can continue to participate in early childhood education. The form submitted to the office of the Data Protection Commissioner states the following regarding the legal basis and purpose of data processing:

"The processing of the personal data asked in the survey is based on the consent you give by answering this survey. The personal data you provide in the survey will only be processed if necessary. The supervisor of the unit whose day care or pre-school education is in question for a child belonging to the unit's operations participates in the processing. In addition, the information is processed by the office secretaries of early childhood education for the sake of payments."

According to the contact, together with the questionnaire, the customers were given the information sheet "Information on measures affecting the everyday life of early childhood education in order to curb the coronavirus pandemic". The following is stated in section 1 of the bulletin delivered to the office of the Data Protection Commissioner:

"The operational units of early childhood education and the pre-school education organized in connection with them will be kept in operation. This secures access to early childhood education for the children of workers in sectors critical to the functioning of society and enables parents to work.

Family or individual specific reasons can also support the organization of a daycare place. Kindergarten directors and family daycare supervisors ensure that all families' opportunities to care for their child at home are mapped.

However, it should be noted that those guardians who are able to arrange care for the child at home do so.

Pre-school education is organized as close-to-home education for those children whose guardians are unable to arrange care for the child at home. --

In early childhood education, preparations are being started to change fee reimbursement practices. The purpose is that the child's day care fee is reimbursed for the days the child is absent when the service organizer proposes to organize the child's care at home due to exceptional circumstances, a strike, a ban on overtime or another similar reason. Billing information is transmitted internally, and the guardians are not required to take any action in the matter."

Statement by the registrar

An explanation has been requested from the registrar in the matter with an explanation request dated 11.01.2022. The controller has responded to the data protection authorized officer's request for clarification on March 18, 2022. According to the registrar's report, answering the form has been desirable, but voluntary. According to the data controller, obtaining the information was essential for the early childhood education organizer. In a very exceptional situation, a survey aimed at the guardians was the only option to collect information on how many children's day care would be organized at home. According to the controller, the voluntariness of answering could have been expressed more clearly.

The controller also states that the daycare staff have been given instructions on the handling of personal data on a general level, but no separate instructions have been given in this specific case.

According to the controller, the legal basis for processing personal data has been a statutory obligation. According to the controller, the purpose of the processing of personal data was to find out how to organize the child's care at home. The registrar notes that personal information has been requested so that, if necessary, the child's age could also be verified and the necessary information could be obtained as quickly as possible in a situation that required a quick response. Reaching the children's parents could be problematic because many children had already been left out of care. Due to payment refunds, however, the registrar had to receive the absence information. The registrar states that the child's age could have been asked with a multiple-choice question, in which case it would not have been necessary to ask for the personal identification number.

According to the registrar, the respondents have been informed that the collected information will only be processed by the unit's supervisor and the office secretaries handling payment credits if necessary. The purpose of the processing could have been specified.

A legal question

The Deputy Data Protection Commissioner assesses and decides the case based on the Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The questions to be resolved are:

1. whether customers have been transparently informed in the survey about the purpose and legal basis of the processing of personal data (voluntariness of answering)

2. whether the Deputy Data Protection Commissioner can use the remedial powers provided for in Article 58(2) GDPR due to the questions presented above.

On applicable legislation

The processing of personal data is regulated in the General Data Protection Regulation. The General Data Protection Regulation is specified in the Data Protection Act (1050/2018).

Article 5 GDPR stipulates the principles regarding the processing of personal data. According to Article 5(1) GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").

According to Article 12(1) GDPR, the data controller must take appropriate measures to provide the data subject with the information in accordance with Articles 13 and 14 in a concise, transparent, easily understandable and accessible form in clear and simple language, especially when the information is intended specifically for a child. The information must be submitted in writing or in another way and, as the case may be, in electronic form. If the data subject requests it, the information can be given verbally, provided that the identity of the data subject has been confirmed in another way.

According to Article 13(1)(c) GDPR, when personal data concerning the data subject is collected from the data subject, the controller must, at the time the personal data is obtained, provide the data subject with information about the purpose of processing the personal data and the legal basis for the processing.

Decision of the Deputy Data Protection Commissioner

The controller is given a notice in accordance with Article 58(2)(b) GDPR, because the controller has not informed the customers about the purpose of the processing of personal data and the legal basis for the processing, as required by the Data Protection Regulation.

Reasoning

Information about the purpose of personal data processing

According to the aforementioned Article 13(1)(c) GDPR, when personal data concerning the data subject is collected from the data subject, the controller must, at the time the personal data is obtained, provide the data subject with information about the purpose of processing the personal data. According to Article 12(1) GDPR, the information in question must be provided in a concise, transparent, easily understandable and accessible form in plain and simple language. According to Article 5(1) GDPR, personal data must be processed transparently.

According to recital 39 of the Data Protection Regulation, it should be transparent to natural persons how personal data concerning them is collected and used and accessed or processed in another way, as well as clear about the extent to which personal data is processed or is to be processed. In accordance with the principle of transparency, information and communication related to the processing of personal data must be easily accessible and understandable and must use clear and simple language. This principle applies in particular to data subjects' information about the identity of the data controller and the purposes of the processing, as well as additional information that ensures the appropriateness and transparency of the processing of the natural persons in question, as well as their right to receive confirmation and notification of the processing of their personal data.

Based on the material submitted to the office of the Data Protection Commissioner, the purpose of the processing of personal data may have remained unclear in the case, and at the same time also the conditions under which the child can continue to participate in early childhood education. There is no transparent information on the form or in the information provided with it that personal data is processed to map how many children need day care. According to the registrar, absence information was needed to process payment refunds. The information sent with the form instructs customers to arrange care for their children at home, if possible, but it does not explicitly say what the meaning of the answer is (whether a child's daycare can be denied based on the answers on the form). In the light of the materials submitted to the office of the data protection commissioner, it is not clear whether the purpose of the processing of personal data was to determine the arrangement of child care at home, the processing of payment refunds, or both.

Taking into account the above-mentioned points, the Deputy Data Protection Commissioner considers that the purpose of personal data processing has not been sufficiently transparently informed as required by the Data Protection Regulation. Therefore, the controller is given a notice in accordance with Article 58(2)(b) GDPR.

Information about the legal basis for processing personal data

Article 13(1)(c) GDPR obliges the controller to inform about the legal basis of the processing. In accordance with Article 12(1) GDPR, data subjects must also be informed about the legal basis of the processing.

The form submitted to the office of the Data Protection Commissioner states that the processing of the personal data asked in the survey is based on the consent that the person gives by answering the survey in question. The processing of personal data may be based on the data subject's consent for one or more specific purposes, according to Article 6(1)(a) of the Data Protection Regulation. However, according to Article 4(11) of the Data Protection Regulation, the consent must be a voluntary and informed expression of will (see also Article 7 and recitals 42 and 43 of the Data Protection Regulation). In order to give informed consent, the data subject should know the purposes for which the personal data is to be processed. Consent cannot be considered voluntarily given if the data subject does not have a real possibility of free choice.

According to the registrar's answer, the basis for processing personal data has been a statutory obligation, which the registrar has not specified in its report. According to the registrar's answer, answering the survey was voluntary, but at the same time the registrar states that obtaining the information has been necessary for the early childhood education organizer. However, according to the contact received by the Office of the Data Protection Commissioner, the day care facility would have told that the survey should be returned to the day care.

It may have been difficult for the customer to assess whether they could decline to answer the survey, even though the respondent has been told that answering is voluntary, because the legal basis for the processing of personal data may have remained unclear. In the current case, it may have remained unclear to early childhood education clients whether the processing of personal data was based on consent or a legal obligation. Therefore, the legal basis of the processing has not been transparently informed as required by the Data Protection Regulation. Therefore, the controller is given a notice according to Article 58(2)(b) GDPR.

This decision does not take a position on what is the legal basis for the processing of personal data.

Applicable legal provisions

Those mentioned in the justifications.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The case has been presented by inspector Emmi Iivonen.

The matter has been resolved by deputy data protection commissioner Heljä-Tuulia Pihamaa.

The decision is not legally binding.

Guidance from the Deputy Data Protection Commissioner

Information about the processing of personal data

The Deputy Data Protection Commissioner draws the controller's attention to the fact that according to Article 13(2)(e) GDPR, the controller must inform the data subject whether the provision of personal data is a legal requirement and whether the data subject is obliged to provide personal data and the possible consequences of not providing such data. The statutory obligation can only be based on the law of the European Union or a member state. The controller should clearly state which information is mandatory and the possible sanctions for not providing it. Information that is not mandatory from this point of view should be indicated in a similar way.

If the processing of personal data is based on consent, the request for consent must indicate, among other things, the controller, all separate purposes for which consent is requested, what information is collected from the data subject, and the data subject's right to withdraw consent.

The Deputy Data Protection Commissioner instructs the data controller to also take into account the fact that, based on Article 29 and Article 32, Paragraph 4 of the Data Protection Regulation, the staff must be given the necessary instructions on the processing of personal data. When the data subject asks questions related to the processing of personal data, it is important that he is told from whom he can get more information.

According to Article 29 GDPR, the personal data processor or any person acting under the authority of the data controller or the personal data processor who has access to personal data may not process them other than in accordance with the instructions of the data controller, unless this is required by Union law or the legislation of a member state. According to Article 32 GDPR, the data controller and personal data processor must take measures to ensure that every natural person working under the data controller or personal data processor who has access to personal data only processes it in accordance with the data controller's instructions, unless otherwise required by Union law or national legislation. Accordingly, the controller should ensure that the staff is aware of how personal data may be processed.

This guidance from the Deputy Data Protection Commissioner cannot be appealed.