Tietosuojavaltuutetun toimisto (Finland) - 3843/163/20

From GDPRhub

Latest revision as of 17:39, 29 April 2024

Tietosuojavaltuutetun toimisto - 3843/163/20
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 58(2)(f) GDPR
Article 83 GDPR
§ 3 Act on the Protection of Privacy in Working Life
Type: Investigation
Outcome: Violation Found
Started:
Decided: 05.07.2021
Published: 21.07.2021
Fine: 25000 EUR
Parties: Jamk University of Applied Sciences
National Case Number/Name: 3843/163/20
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA fined Jamk University of Applied Sciences €25,000 for unnecessarily processing the location data of its employees. The DPA also imposed a ban on the processing of location data.

English Summary

Facts

The Finnish DPA received a complaint that Jamk University of Applied Sciences (the controller) was unnecessarily processing the location data of its employees. The DPA asked the controller to explain the purpose for which it processed its employees' location data.

In response, the controller explained that it used a third-party mobile application that allowed employees working remotely to record their working hours. Using the app required location services to be enabled on the device, and the app collected the device's location at the time of each time stamp. The controller emphasised that it did not actively use the location data, but only processed it for system-technical reasons.

The controller also stated that use of the app was voluntary; where an employee chose to use it, the processing was based on the data subject's consent. The controller argued that use of the app also complied with Section 3 of the Finnish Act on the Protection of Privacy in Working Life, under which an employer may only process personal data that is directly necessary for the employee's employment relationship.

Holding

On the basis of the information provided by the controller, the DPA held that the mere fact that the app cannot record working hours without processing location data did not make that processing necessary: working hours could be recorded without processing location data at all. The DPA also stressed that under Section 3 of the Finnish Act on the Protection of Privacy in Working Life no exception to the necessity requirement can be made, even with the employee's consent.

Because consent does not override the necessity requirement of the Act, the data subjects' consent could not serve as a legal basis for collecting unnecessary personal data. Since there was no legal basis for processing the employees' location data, the controller processed the personal data in breach of the principles of lawfulness and data minimisation.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 6 GDPR and Section 3 of the Finnish Act on the Protection of Privacy in Working Life. As a result, and in accordance with Article 58(2)(f) GDPR, the DPA imposed a processing ban on the controller covering all processing of location data that is or has been collected with the app, including its storage, so that data already collected must be deleted.

In addition to the processing ban, the Sanctions Board of the DPA imposed an administrative fine of €25,000 on the controller under Article 83 GDPR. The fact that the controller's main purpose was not to make a profit but to provide higher education as required by law was treated as a mitigating factor that significantly reduced the amount of the fine.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Matter

The Office of the Data Protection Commissioner has examined whether the controller had a legal basis for processing its employees' location data in connection with working time stamps.

The Office of the Data Protection Commissioner has investigated the controller's activities on the basis of a complaint submitted to it. However, the decision issued in the matter does not specifically concern the complainant's rights, interests or obligations, so the complainant is not regarded as a party within the meaning of Section 11 of the Administrative Procedure Act.
Questions to be resolved

The Deputy Data Protection Commissioner has to resolve the following questions:

1. Has the processing of employees' location data complied with Section 3 of the Act on the Protection of Privacy in Working Life (759/2004, hereinafter the Working Life Data Protection Act)?

2. Has the processing of employees' location data complied with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the Data Protection Regulation)?

3. If the processing of personal data has not complied with the provisions of the Working Life Data Protection Act and/or the Data Protection Regulation, what sanction should be imposed on the controller for the conduct?

The Sanctions Board has to decide:

If the controller's conduct is found to infringe the above-mentioned provisions of the Data Protection Regulation and/or the national supplementary Working Life Data Protection Act, or to be deficient in the manner described, whether an administrative fine under Article 58(2)(i) of the Data Protection Regulation should be imposed on the controller instead of or in addition to other possible sanctions, and the amount of any administrative fine to be imposed.
Decision and reasoning of the Deputy Data Protection Commissioner
Decision

1. The processing of personal data relating to the location of the controller's employees has not complied with Section 3 of the Working Life Data Protection Act.

2. The processing of personal data relating to the location of the controller's employees has not been lawful under Article 6(1) of the Data Protection Regulation.

The personal data relating to the location of the controller's employees has not been processed lawfully as required by Article 5(1)(a) of the Data Protection Regulation, and the processing has not complied with the principle of data minimisation in Article 5(1)(c) of the Data Protection Regulation.

3. Pursuant to Article 58(2)(f) of the Data Protection Regulation, the Deputy Data Protection Commissioner imposes on the controller a ban on the processing of employee location data.
Reasoning
1. Necessity assessment under the Working Life Data Protection Act
Applicable legislation

According to Section 3 of the Working Life Data Protection Act, the employer may only process personal data that is directly necessary for the employee's employment relationship and that is connected with managing the rights and obligations of the parties to the employment relationship or with the benefits provided by the employer to employees, or that arises from the special nature of the work concerned. No exceptions can be made to the necessity requirement, even with the employee's consent.
Account received

Based on the account received, the controller introduced the mobile application (hereinafter the application) provided by X Oy (hereinafter the processor) in May 2019 for approximately 350 employees. Using the application also requires enabling location services on the mobile device.

The controller has stated that it does not use the location data in any situation; the location at the time of the time stamp is only collected, saved and retained for as long as is necessary for system-technical reasons to enable mobile time stamping.
In the controller's view, the processing of employees' location data has been necessary within the meaning of Section 3 of the Working Life Data Protection Act, and the processing has also complied with the Data Protection Regulation.

Use of the application has not been mandatory, but to the extent that an employee has wished to use the application, the collection, saving and retention of location data has, in the controller's opinion, been necessary within the meaning of Section 3 of the Working Life Data Protection Act, because the application does not work without location data.
Conclusions

In the Deputy Data Protection Commissioner's view, it is clear that even though use of the application in question has required the processing of employees' location data, it would be possible to monitor working hours and record time stamps without processing location data, especially considering that, based on the account received, the location data is of no use to the controller. Therefore, the mere fact that the application cannot record working time without processing location data does not make that processing directly necessary within the meaning of Section 3 of the Working Life Data Protection Act. The Deputy Data Protection Commissioner points out that when using systems or other services of external service providers, the controller must be able to identify its own needs regarding the processing of personal data; services or systems whose functionality does not match the controller's needs or comply with applicable data protection legislation should not be used.

Since the employees' location data has been unnecessary for the employer, the processing of data relating to the employees' location has not been directly necessary for the controller within the meaning of Section 3 of the Working Life Data Protection Act. It is also worth noting that no exceptions can be made to the necessity requirement of Section 3 of the Working Life Data Protection Act, even with the employee's consent.
2. Assessment of compliance with the Data Protection Regulation
Applicable legislation

According to Article 6(1) of the Data Protection Regulation, processing of personal data is lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

According to Article 5(1)(a) and (c) of the Data Protection Regulation, personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation").
Account received

In the controller's opinion, the processing of employees' location data has complied with the Data Protection Regulation.

In its report of 28 August 2020, the controller stated that the legal basis for processing employees' location data was the employer's legitimate interest and the employee's consent. In its subsequent report of 22 June 2021, the controller stated that the legal basis for processing employees' location data was the data subjects' consent.

In its report, the controller referred to the European Data Protection Board's Guidelines 05/2020 on consent under Regulation 2016/679, according to which consent can be a lawful basis for processing personal data in the relationship between employer and employee if the employer can demonstrate that the consent was in fact freely given. This is possible where there are no adverse consequences for employees whether or not they give consent.

In the controller's view, the employees gave their consent to the processing of location data freely, and giving or withholding consent has had no adverse consequences for the employee. The employee has had, and continues to have, the opportunity at any time to withdraw consent to the processing of location data and to switch to alternative ways of recording working hours. When working remotely, the alternatives to the application have been either recording the hours worked in an Excel spreadsheet or regularly working the number of hours agreed in the employment contract, in which case manual working time tracking of the "plus balance" and/or "minus balance" is not needed. Although using the application is easier and faster than manual time tracking when working remotely, the employee cannot be considered to suffer any sanction for not wanting to use the application.

In the controller's view, the legal basis for processing employees' location data has been the data subject's consent under Article 6(1)(a) of the Data Protection Regulation. Collection of location data is a feature of the application, without which working hours cannot be recorded with the application. The controller has not needed the employees' location data, and the processing of location data has therefore been limited to its collection, saving and retention.
Conclusions

Lawfulness of processing

For the processing of personal data to be lawful under Article 6(1) of the Data Protection Regulation, there must be an appropriate legal basis for it. The controller has considered that the legal basis for processing employees' location data was the consent of the data subjects. However, based on the account received, it is in the Deputy Data Protection Commissioner's view clear that the collection of location data was not necessary in this case; the only reason for collecting it was that the application cannot be used to record working hours without processing location data. The controller has not presented any account on the basis of which the duties of its employees would require the processing of location data.

It should be noted that consent does not override the necessity requirement of Section 3 of the Working Life Data Protection Act, and therefore the data subjects' consent cannot in this case form a legal basis for processing unnecessary personal data. Since the processing of employees' location data cannot be considered lawful in light of the Working Life Data Protection Act and no demonstrable legal basis for the processing exists, the processing of that data is not lawful within the meaning of Article 6(1) of the Data Protection Regulation.

Compliance with data protection principles

Since no lawful basis for the processing has been presented, the Deputy Data Protection Commissioner considers that the data relating to the employees' location has also not been processed lawfully as required by Article 5(1)(a) of the Data Protection Regulation.

Under the principle of data minimisation in Article 5(1)(c) of the Data Protection Regulation, personal data may not be collected or processed more extensively than is necessary for the purpose of the processing. The purpose of the processing determines which personal data are necessary to fulfil it. It is essential to distinguish between what is necessary for the purpose for which the application is used and what is necessary for using the application as such. In this regard, the Deputy Data Protection Commissioner emphasises that the necessity of personal data is assessed specifically in relation to the purpose of the processing. The fact that processing location data has been necessary in order to use the application does not mean that processing location data is necessary in relation to the purpose of the processing.

Based on the account received, the purpose for which the application is used has primarily been monitoring employees' working hours. Based on the account received, the controller has not used the location data in any way, and the data is processed only because it is a feature of the application that cannot be disabled. Based on the account received, working hours could also be monitored without processing location data, from which it follows that processing location data was not necessary for the purpose for which the application is used.

The Deputy Data Protection Commissioner therefore considers that, by collecting unnecessary location data about employees, the controller has acted in breach of the principle of data minimisation in Article 5(1)(c) of the Data Protection Regulation.
3. Assessment of sanctions
Applicable legislation

According to Article 58(2)(f) of the Data Protection Regulation, the national supervisory authority may impose a temporary or definitive limitation on processing, including a ban on processing.
Account received

According to the controller, a ban on processing under Article 58(2)(f) should not be imposed, because the processing has been and is lawful.

In the Deputy Data Protection Commissioner's view, however, the processing of employees' location data has not been and is not necessary. Furthermore, the processing of location data is contrary to the Data Protection Regulation and the national supplementary Working Life Data Protection Act, as stated by the Deputy Data Protection Commissioner in this decision.
Conclusions

The controller has processed employees' location data in breach of the Data Protection Regulation and the Working Life Data Protection Act. However, the controller itself has considered that the processing of employees' location data has been and is lawful, and has not announced that it will stop processing location data. It is therefore to be assumed that processing will continue for those data subjects who have not asked to switch to an alternative method of recording working time when working remotely.

Since there is no demonstrable legal basis for processing the location data of the controller's employees, and the location data processed is unnecessary for the purpose for which the application is used, the Deputy Data Protection Commissioner considers that the processing of this data must be stopped immediately; imposing a processing ban under Article 58(2)(f) of the Data Protection Regulation is therefore necessary to protect the rights of the data subjects. It should be noted that the processing ban covers all processing of employee location data handled by the application, including storage of the data, and therefore data already collected must be deleted.

The imposition of the processing ban has been handled in the Sanctions Board in accordance with the rules of procedure of the Office of the Data Protection Commissioner.
Guidance of the Deputy Data Protection Commissioner

In its report of 28 August 2020, the controller stated that no contract had been drawn up with the processor regarding the processing of personal data. Later, in its report of 22 June 2021, the controller stated, contrary to the earlier report, that it had entered into a service contract with the processor under which the IT2018 YSE General Terms and Conditions and the IT2018 EHK Special Terms and Conditions for the Processing of Personal Data apply, so that the processing of personal data had been agreed in a written contract.

The controller has submitted to the Office of the Data Protection Commissioner the service contract form concluded between the controller and the processor. The appendices listed in the contract are the following:

- service contract terms

- service description

- IT2018 ETP special terms and conditions for services delivered via a data network (cloud service)

The "Other contract terms" section of the service contract terms states: "To the extent not otherwise agreed in these contract terms, the IT2018 contract terms apply."

In addition, the controller has submitted to the Office of the Data Protection Commissioner the IT2018 YSE General Terms and Conditions and the IT2018 EHK Special Terms and Conditions for the Processing of Personal Data, but these terms are not listed among the appendices of the service contract concluded between the controller and the processor.

On 23 June 2021, the controller issued instructions to the processor regarding the processing of personal data. Section 4 of the instructions states: "The customer's rights and obligations as controller: the customer's rights and obligations as controller are described in the service contract and its appendices (including the IT2018 EHK terms and conditions)". The instructions have been signed only by the controller's representative.

According to Article 28(3) of the Data Protection Regulation, processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The required content of the contract is laid down in more detail in that Article.

The Deputy Data Protection Commissioner notes that the complete contract which the controller has since delivered either was not available, or for one reason or another was not delivered to the Office of the Data Protection Commissioner, when it was first requested in July 2020. In addition, the controller's instructions to the processor were issued only after the Office of the Data Protection Commissioner had begun its investigation.

The Deputy Data Protection Commissioner directs the controller to ensure that the set of contractual documents governing the processing carried out by the processor is legally binding on the processor and contains at least the elements required by Article 28(3) of the Data Protection Regulation. Furthermore, the Deputy Data Protection Commissioner directs the controller to ensure that the contract in question is documented internally and can be located, so that the controller can, in accordance with its accountability obligation, demonstrate compliance with the Data Protection Regulation when required.

This guidance of the Deputy Data Protection Commissioner cannot be appealed.

This decision was made by Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa and presented by Senior Inspector Katariina Koski.

According to Section 24 of the Finnish Data Protection Act, the administrative fine is imposed by the Sanctions Board, which has issued the following decision on imposing the fine.
Decision and reasoning of the Sanctions Board
Decision

Taking into account the Deputy Data Protection Commissioner's decision on the infringement of the Data Protection Regulation, the Sanctions Board has assessed the imposition of an administrative fine as an effective, proportionate and dissuasive sanction under Article 83 of the Data Protection Regulation.

Pursuant to Article 58(2)(i) and Article 83(5)(a) and (d) of the Data Protection Regulation, the Sanctions Board of the Office of the Data Protection Commissioner imposes on the controller an administrative fine of EUR 25,000 (twenty-five thousand), payable to the State.

In assessing the amount of the administrative fine, the aggravating and mitigating factors under Article 83(2) of the Data Protection Regulation have been taken into account.
Reasoning
Applicable legislation

Article 25(1) of the Data Protection Regulation provides that, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects.

According to Article 83(1) of the Data Protection Regulation, the imposition of administrative fines for infringements of the Data Protection Regulation shall in each individual case be effective, proportionate and dissuasive.

According to Article 83(2) of the Data Protection Regulation, administrative fines are imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j).

When deciding whether to impose an administrative fine and on its amount, the following must be given due regard in each individual case under Article 83(2) of the Data Protection Regulation:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

According to Article 83(5) of the Data Protection Regulation, infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

d) any obligations pursuant to Member State law adopted under Chapter IX.

According to Article 83(3) of the Data Protection Regulation, if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

According to recital 148 of the Data Protection Regulation, in the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a reprimand may be issued instead of a fine.

According to Section 4 of the Universities of Applied Sciences Act (932/2014), the task of a university of applied sciences is to provide higher education for professional expert tasks based on the requirements of working life and its development, as well as on research, artistic and cultural premises, and to support students' professional growth.

The task of a university of applied sciences is also to carry out applied research, development and innovation activities, as well as artistic activities, that serve its teaching, promote working life and regional development and renew the economic structure of the region. In carrying out its tasks, a university of applied sciences must offer opportunities for continuous learning.

According to Section 5 of the Universities of Applied Sciences Act (quoted only insofar as applicable to the case), a university of applied sciences is a legal person in the form of a limited liability company (university of applied sciences limited company) to which the Limited Liability Companies Act (624/2006) applies unless otherwise provided in that Act.

The purpose of a university of applied sciences limited company must not be the pursuit of profit, and it must not distribute dividends to shareholders or produce other financial benefit for shareholders or other participants in its activities.
Cleared up

According to the registrar, the sanctioning board should not impose an administrative penalty on the registrar, because according to the registrar's opinion, it has not acted unlawfully when processing location data.

The turnover of the registrar in 2020 was 61,942,032.55 euros.

The nature, severity and duration of the breach

The controller has processed the personal data of its job applicants and employees in violation of the central provisions of the Act on the Protection of Privacy in Working Life, in such a way that there was no basis for processing the location data. By proceeding in this way, the controller has also acted in violation of the Data Protection Regulation by processing location data without a legal basis for processing and contrary to the principle of data minimisation.

Processing personal data without a legal basis, processing personal data contrary to the principles of the Data Protection Regulation and violating obligations arising from Member State legislation adopted pursuant to Chapter IX of the Data Protection Regulation are violations of the more serious category under Article 83(5)(a) and (d) of the Data Protection Regulation.

The controller has processed personal data relating to the location of its employees since May 2019, so that at the time the decision was made in June 2021 the processing had lasted a little over two years.

The number of those registered and the damage caused to them

In the case, the location data of approximately 350 of the controller's employees was regularly processed by means of the application.

The data subjects have not been shown to have suffered concrete financial or other material damage as a result of the established violation. On the contrary, according to the controller, most of its employees have found the application useful. The use of the application has made it easier for employees to monitor their own working hours and has reduced the manual work they would otherwise have to do for that purpose. According to the controller, employees have been able to stop using the application at any time without this causing them any detriment.

Intentional or negligent breach

With respect to the application, the controller has carried out a data protection impact assessment in accordance with Article 35 of the Data Protection Regulation and has discussed the use of the application in the cooperation committee, which in part shows that the controller has tried to identify the data protection risks related to the application and to comply with the legislation. The processing of location data was discussed in the cooperation committee, where the principles of the application were reviewed in mutual agreement. The personnel representatives did not argue that location data could not be processed.

The controller's actions to mitigate the damage caused to the data subjects

The controller has offered employees alternative ways of monitoring working hours. The controller has also explored the possibility of modifying the application so that in the future it would also work without processing location data. So far, however, the controller has continued to use the application and to collect location data.

Any previous similar violations by the controller or personal data processor

According to the Office of the Data Protection Ombudsman, the controller has no similar previous violations.

The degree of cooperation with the supervisory authority in order to correct the violation and mitigate its possible adverse effects

The controller has cooperated with the supervisory authority as required by the legislation.

Personal data groups affected by the breach

The processing has not concerned data belonging to the special categories of personal data.

The processing has concerned the personal data of data subjects who are in a weaker position.

Conclusions

Sanction consideration

Violations by the controller determined by the decision of the Deputy Data Protection Commissioner must be regarded as serious violations in principle.

Since the processing of personal data in question has taken place for more than two years, the violation cannot be considered particularly short in duration, but rather it was a matter of an established operating method.

Location data has been processed for approximately 350 data subjects, and the processing has thus affected a significant part of the controller's personnel. The processing has been directed at data subjects who are in a weaker position than the controller.

In the opinion of the sanctions board, it is clear that the controller has not violated the data protection provisions out of indifference. In this respect, however, it must be noted that if the controller had followed Article 25 of the Data Protection Regulation carefully, it should have discovered that there was no need for the intended processing of location data and therefore no legal basis for the processing either.

The degree of negligence shown by the controller in the case can thus be considered a factor in favour of imposing an administrative fine.

Taking the facts set out above into account, the violation in question cannot be considered minor within the meaning of recital 148 of the Data Protection Regulation. The sanctions board considers that, in addition to the order imposed on the controller by the Deputy Data Protection Ombudsman, an administrative fine should be imposed on the controller.

The amount of the administrative penalty fee

Of the violations found, those under Articles 5 and 6 belong, by virtue of Article 83(5)(a) and (d) of the Data Protection Regulation, to the higher category of seriousness, for which the maximum administrative fine that can be imposed on the controller is 20,000,000 euros or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In this case, taking into account the articles of the Data Protection Regulation that were violated and the controller's turnover, the maximum administrative fine that could be imposed on the controller would be 20,000,000 euros.

The sanctions board considers that the violations of the Data Protection Regulation and of the supplementary national legislation found by the Deputy Data Protection Ombudsman are such that, taking into account the nature and seriousness of the violations, the negligence involved, the number of data subjects and the weaker position of the data subjects in relation to the controller, an effective, proportionate and dissuasive sanction, in addition to the order issued by the Deputy Data Protection Ombudsman, is an administrative fine of 25,000 euros.

The data subjects have not suffered financial or other material damage from the processing. The application itself can be considered useful, and it makes the tracking of working hours easier, also from the point of view of the data subjects. In this case these can be considered mitigating factors, particularly as the controller has not sought or obtained financial gain through the violation.

When assessing the proportionality of the amount of the fine, the fact that the controller's task is to provide higher education in accordance with Section 4 of the University of Applied Sciences Act, and the fact that the main purpose of the controller's activities is not the pursuit of profit, have also been taken into account as factors that significantly lower the amount of the fine.