Tietosuojavaltuutetun toimisto (Finland) - 4282/161/21

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(f) GDPR
Article 17(1) GDPR
Article 25(1) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 30.09.2019
Decided: 16.12.2021
Published: 27.01.2022
Fine: 6500 EUR
Parties: n/a
National Case Number/Name: 4282/161/21
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA imposed a fine of €6,500 on a travel agency for failing to adequately secure personal data and for failing to comply with a data subject's request to erase their personal data.

English Summary

Facts

The Finnish DPA received a complaint that a travel agency (the controller) processed visa application data without encryption and had not responded to the data subject's request to erase their personal data. The DPA asked the controller to explain how it processed personal data and why it had not complied with the data subject's request.

In response, the controller explained that it had provided visa application services, for which it collected various personal data such as the applicant's name, contact details and passport number. The controller's operations had ceased in July 2021, and it had no staff who could have been in contact with the data subject.

The controller stated that it was part of a small travel industry group, but emphasised that the other group companies did not direct its processing of personal data. The controller also stated that the data subject's personal data had been partially erased from its system.

Holding

On the basis of the information obtained, the DPA found that the controller's website, including the visa application forms, was served without encryption. The data entered in the form was stored as a PDF file in a folder on the web server that was accessible from the internet.

The DPA emphasised that the passport number, especially when combined with other personal data, exposed the data subject to identity theft. The DPA found that the controller had neglected its duty to adequately protect and secure the personal data and had therefore processed it in violation of the principle of integrity and confidentiality.

The DPA also found that the controller had violated its obligation to comply with the data subject's erasure request. Moreover, the DPA stated that the controller should have erased the inadequately protected files on its own initiative, even without the data subject's request.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(f) GDPR, Article 17(1) GDPR, Article 25(1) GDPR, Article 32(1) GDPR and Article 32(2) GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to erase the unprotected files containing personal data from its system.

In addition to the reprimand and the order, the Sanctions Board of the DPA imposed an administrative fine of €6,500 on the controller pursuant to Article 83 GDPR. The Board considered that the controller formed a group of undertakings with two other companies, and therefore the maximum amount of the fine was calculated based on the combined turnover of the group companies.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Matter

Security of processing, principle of integrity and confidentiality, data protection by design and by default, right to erasure
Decisions of the Data Protection Ombudsman and the Sanctions Board

On 30 September 2019, a complaint concerning the security of processing of personal data and the data subject's right to erasure was lodged with the Office of the Data Protection Ombudsman. The complainant stated that they suspected the travel agency did not process the data entered in its electronic visa order form as required by data protection legislation. The form is served over an unencrypted HTTP connection and generates a file containing the applicant's personal data on the open internet. The complainant had also requested erasure of their data, but the controller had not reacted to the request.

The travel agency was declared bankrupt in January 2021. In July 2021 the district court ordered the bankruptcy proceedings to lapse.
Decision of the Data Protection Ombudsman on the security of processing, the principle of integrity and confidentiality and the right to erasure
Explanation and hearing responses received from the controller
Request for clarification

On 17 December 2019 the Office of the Data Protection Ombudsman sent the travel agency a request for clarification. No response was received. On 19 May 2020 the senior inspector of the Office inquired about the situation by e-mail and asked for a response to the request for clarification by 26 May 2020. No response was given.
First hearing

As the travel agency did not respond to the request for clarification, it was given the opportunity under section 34 of the Administrative Procedure Act (434/2003) to be heard, to express its opinion on the matter and to submit its explanation of any demands and clarifications that may affect the resolution of the matter. At the same time the controller was given the opportunity to raise any matters referred to in Article 83(2) GDPR which, in its view, should be taken into account in the decision. For this purpose a hearing request was sent to the controller on 25 June 2020, both electronically and by post, with a deadline of 15 July 2020. On 14 July 2020 an inspector of the Office telephoned the controller and reminded it to respond by the following day at the latest. The controller's representative stated that the hearing request sent by e-mail (to both of the controller's offices, in Imatra and Lappeenranta) had not been noticed, and that the post had not been collected for a long time because the company's offices had been closed since March. The Office helped the controller's representative locate the hearing request in the e-mail, but no response to either the request for clarification or the hearing request of 25 June 2020 was ever given. The hearing request informed the controller that the matter could be decided even if no response was submitted by the deadline.
Second hearing

On 15 November 2021 the travel agency, as part of the XX Oy group, received a further hearing request concerning the assessment of the companies connected to the travel agency as a group and as a single economic unit. The controller was thereby again given the opportunity under section 34 of the Administrative Procedure Act (434/2003) to be heard, to express its opinion on the matter and to submit its explanation of any demands and clarifications that may affect the resolution of the matter. XX Oy, which belongs to the group, responded to the hearing request on 30 November 2021.

In its response, XX Oy stated that it had owned 40% of the travel agency's shares and had not had control over the travel agency. According to XX Oy, chapter 1, section 5, subsection 1, point 3 of the Accounting Act does not support an interpretation under which group regulation can be extended to every situation in which companies share management or have other business connections.

XX Oy stated that it had not in fact directed the processing of personal data by the travel agency, which had operated as a functional unit separate from XX Oy, with its own offices, separate staff, and separate information systems and customer registers. XX Oy considered that the concept of a group under the GDPR could only apply where the companies have a clear and verified common customer information system or other common method of processing personal data. YY Oy is a separate company from XX Oy.

XX Oy considered the contemplated administrative fine unreasonable. At the customer's request the travel agency had immediately removed the personal data in question and begun correcting the information system error that had caused the customer data to be visible on the open internet. The travel agency had no staff at all who could have dealt with the customer's requests.
Other related clarifications

From spring 2021 the web address www.[travel agency's name].fi has pointed to the website of another tour operator, ZZ Oy, which is why the Office of the Data Protection Ombudsman also requested an explanation from ZZ Oy. According to the statement given by ZZ Oy on 26 July 2021, ZZ Oy had merely bought the travel agency's domain name from the travel agency's bankruptcy estate, and the transaction did not involve, for example, the transfer of customers' personal data. ZZ Oy submitted to the Office an invoice dated 11 March 2021 showing the sale of the right to the [travel agency's name] domain name from the travel agency's bankruptcy estate to ZZ Oy.

The Office of the Data Protection Ombudsman also attempted to hear the travel agency's bankruptcy estate. A hearing request was sent to the bankruptcy estate on 13 July 2021. On the same day the bankruptcy estate informed the Office that the travel agency's bankruptcy proceedings had lapsed and the estate had ceased to exist, so that the estate could not issue a statement on the matter.

AA, the CEO of the travel agency, contacted the Office of the Data Protection Ombudsman by telephone on 17 November 2021. According to AA, all of the complainant's data had been removed from the files, except for the data behind the link, which might still not have been removed. AA pointed out that if a copy of the complainant's passport was behind the link, that passport had already expired. During the call it was also discussed that a representative of the Office had, in July 2020, helped AA's wife by telephone to find the first hearing request in the e-mail, and that AA had told the case handler in an earlier telephone conversation on 5 October 2020 that his wife had shown him the hearing request at the time. AA also said during the call that the mention of operating as a group had now been removed from the website.
Background information
Service description

Through its website, the travel agency offered the possibility to apply electronically for several types of visa: one-, two- and three-year multiple-entry visas, single- and double-entry visas, and visas on the customer's own invitation. The website also offered visas for minors, but these were not applied for directly via the online form; the applicant was asked to contact the controller. Group visas also primarily required contacting the controller. Group visas related to the group travel services to Russia offered on the website, and a quote for a group trip was requested by e-mailing the controller. Visa types other than group visas and visas for minors were applied for by filling in an online form.
Personal data entered in the visa application form

The electronic visa application form asks for the applicant's surname, first names, e-mail address, telephone number, passport number, employer or place of study, job title or position, home address, purpose of travel, travel insurance number and desired visa validity period. After submitting the online form, the customer must print the order form and send or bring it to the travel agency together with their passport, a passport photo and a travel insurance certificate.
Preliminary IT assessment of the case

The travel agency's website, including the visa application forms, is not encrypted: the controller processes personal data over the unencrypted HTTP protocol. Third-party access to the personal data has therefore not been prevented, and the data submitted through the form travels in the clear across the internet.
Site ownership and period of operation

According to Traficom's domain name register, the domain name [travel agency's name].fi was registered in February 2006 and has been held by the same holder since then. The website itself carries a copyright notice dated 2013.
Turnover and number of customers

The travel agency's turnover for the financial year 1 July 2019 to 30 June 2020 was EUR 688,357.57.

Since the controller did not cooperate with the supervisory authority in any way, it has not been possible to determine the number of customers.
Ownership of the travel agency

According to the trade register, AA is the CEO and the sole ordinary board member of the travel agency. AA is also CEO and board member of the travel agency WW Oy, of XX Oy, and of the haulage company Kuljetusliike YY Oy.

According to the travel agency's business tax return, its shareholders are XX Oy (100 shares), BB (100 shares) and CC (50 shares).

In XX Oy's business tax return, AA is listed as the company's sole shareholder. In YY Oy's business tax return, XX Oy is listed as the company's sole shareholder.

According to YY Oy's website, the XX Oy group comprises XX Oy and the travel agency.

According to an update published on YY Oy's social media in 2015, XX Oy and YY Oy belong to the same group of companies.
Bankruptcy of the travel agency

The travel agency was declared bankrupt in January 2021. In July 2021 the district court ordered the bankruptcy proceedings to lapse. According to the reasons given in the district court's decision, the assets of the bankruptcy estate were insufficient to cover the costs of the proceedings.
Applicable legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, GDPR) has applied since 25 May 2018. As a regulation, it is directly applicable law in the Member States. The GDPR leaves room for national legislation to supplement and specify matters expressly defined in the Regulation. In Finland the GDPR is supplemented by the Data Protection Act (1050/2018), which has applied since 1 January 2019 and repealed the previous Personal Data Act (523/1999).

Article 5(1)(f) GDPR lays down the principle of integrity and confidentiality. Under it, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Under Article 17(1) GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller is obliged to erase the data without undue delay where one of the grounds listed in that Article applies.

Under Article 25(1) GDPR, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller must, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, so that the processing meets the requirements of the Regulation and protects the rights of data subjects.

Under Article 32(1) GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Under Article 32(2), in assessing the appropriate level of security, account must be taken in particular of the risks presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Legal issues

The Data Protection Ombudsman assesses and decides the matter on the basis of the GDPR (EU) 2016/679 and the Data Protection Act (1050/2018).

The following must be assessed:

1) as regards the visa order form web page: whether the use of the HTTP protocol without transport protection is, in this context, a sufficient technical measure to satisfy the principle of integrity and confidentiality in Article 5(1)(f) GDPR, data protection by design and by default in Article 25(1), and security of processing in Article 32(1) and (2);

2) as regards the storage and retention of the completed online form: whether storing personal data on a web server open to the internet, without access control, meets the requirements of Articles 5(1)(f), 25(1), 32(1) and 32(2); and

3) whether the controller properly gave effect to the data subject's right to erasure of their personal data under Article 17(1) GDPR.
Decision of the Data Protection Ombudsman
Reprimand and order to bring processing operations into compliance with the GDPR

The Data Protection Ombudsman orders the controller, pursuant to Article 58(2)(d) GDPR, to remove the unprotected files containing personal data from the network.

Since the travel agency's website is no longer in operation, the Data Protection Ombudsman does not consider it appropriate to order the controller under Article 58(2)(d) GDPR to bring its processing operations into compliance with the GDPR as regards the protection of the visa order form web page.

The Data Protection Ombudsman issues the controller a reprimand under Article 58(2)(b) GDPR for processing operations contrary to the GDPR, namely the insufficient protection of the visa order form web page, the failure to give effect to the data subject's rights, and the storage of the online form containing personal data on a web server open to the internet.

The Data Protection Ombudsman leaves the choice of appropriate measures to the controller's discretion, but orders it to submit a report on the measures taken to the Office of the Data Protection Ombudsman by 15 February 2022, or at the latest six weeks after service of the decision, unless it appeals against this decision.
Administrative fine

Under section 24 of the Data Protection Act, the administrative fine provided for in Article 83 GDPR is imposed by the Sanctions Board formed by the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen. The matter concerning the travel agency is referred to the Sanctions Board, which must therefore assess whether the controller is to be ordered to pay an administrative fine under Article 58(2)(i) GDPR in addition to the reprimand and order issued by the Data Protection Ombudsman.
Reasons for the decision

The travel agency's web pages, including the visa application forms, are not properly encrypted: the controller processes personal data over the unencrypted HTTP protocol. Third-party access to the personal data has therefore not been prevented appropriately, and the data submitted through the form travels in the clear across the internet. The form mechanism also collects the data entered in the form and writes it as a PDF file into a folder on the same web server, which is open to the web.

Due to the controller's negligence, the personal data is particularly exposed to attackers. For an ordinary user to reach the data, they would need a link through which the visa form data can be accessed on the controller's web server. The Office of the Data Protection Ombudsman tested whether the travel agency's web server allows its folders to be listed directly and found that it does not. The contents of the file folder on the web server therefore cannot be browsed directly; the requester must know or guess the name of the PDF file to obtain the data. However, the fact that the name of a file exposed on the open internet is hard for an ordinary user to guess cannot be considered an effective protective measure, because stepping through the candidate file names can be automated. The availability of data that is openly accessible online is therefore not under the controller's sole control. As regards the controller's control, it is also clear that the controller is not the only party who knows the names of the files in the folder and how they are formed: the folder exists precisely to transmit the data to other parties.

The controller has not submitted to the Office of the Data Protection Ombudsman that it has other protection mechanisms in place, such as traffic restrictions or access control. The visa data is consequently freely available on the public internet, which cannot be considered to meet the GDPR's requirements for the protection of personal data. It can also be noted that the controller's replies to the complainant show a lack of awareness of how its own service actually operates: in the e-mail exchange forwarded by the complainant, the controller states, among other things, that the uploads folder is not public and that the data is not on the open internet, and describes guessing the network path of the folder as "pretty much impossible". It should further be noted that the data requested in the visa application form includes the passport number, which, especially in combination with other key personal data, exposes the data subject to identity theft. Personal data should be protected with measures determined through a risk-based approach throughout the life cycle of the processing; in this case the controller neglected protection both when storing the data on the web server and in connection with its transmission (from the customer to the web server and from the web server to the receiving party).
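The following Python is an added illustration and is not part of the decision or of the travel agency's system; it is a hypothetical reconstruction of the two storage designs the reasoning above contrasts (and of the finding in the preliminary IT assessment that the completed form ends up as a file on the web server). It models the weak pattern the decision describes, a PDF generated under the web root with a name that anyone who knows the naming scheme can form, served to any unauthenticated request, beside a hardened store, and shows why disabling directory listing alone is not protection: the candidate names can be enumerated automatically, and the search space of a surname-plus-date scheme is tiny next to a random token. The surname/date naming scheme, the `visa_staff` role, the applicant identifiers and the sample PDF bytes are assumptions. Transport protection (serving the form and its response only over HTTPS) is a web-server configuration matter and is not modelled here.

```python
from __future__ import annotations

import math
import secrets
import tempfile
from datetime import date, timedelta
from pathlib import Path

TOKEN_BITS = 256  # entropy of the random file key used by the hardened store


class WebRootPdfStore:
    """Vulnerable pattern (hypothetical reconstruction): the PDF is written
    under the web root, so the server returns it to any unauthenticated request
    for the path, and the name is derived from data that several parties know."""

    def __init__(self, web_root: Path) -> None:
        self.uploads = web_root / "uploads"
        self.uploads.mkdir(parents=True, exist_ok=True)

    def save(self, surname: str, submitted: date, pdf: bytes) -> str:
        name = f"{surname.lower()}_{submitted:%Y%m%d}.pdf"  # assumed scheme
        (self.uploads / name).write_bytes(pdf)
        return f"/uploads/{name}"  # the "link"; no login needed to fetch it


def guess_space_bits(surnames: int, days: int) -> float:
    """Search space of a surname+date name, in bits. Disabling directory
    listing leaves this number unchanged."""
    return math.log2(surnames * days)


def enumerate_candidates(surnames, start: date, end: date):
    """Automated walk over the 'different file name options'."""
    day = start
    while day <= end:
        for s in surnames:
            yield f"{s.lower()}_{day:%Y%m%d}.pdf"
        day += timedelta(days=1)


def find_exposed(store: WebRootPdfStore, surnames, start: date, end: date) -> list[str]:
    """Simulated unauthenticated client: probes each candidate path, never lists."""
    return [n for n in enumerate_candidates(surnames, start, end)
            if (store.uploads / n).exists()]


class PrivatePdfStore:
    """Hardened pattern: file kept outside the web root, keyed by a random
    256-bit token, released only after an authorisation check, erasable per
    applicant (Article 17)."""

    def __init__(self, data_dir: Path) -> None:
        self.data_dir = data_dir
        self.data_dir.mkdir(parents=True, exist_ok=True)
        self._owner: dict[str, str] = {}  # token -> applicant id

    def save(self, applicant_id: str, pdf: bytes) -> str:
        token = secrets.token_urlsafe(TOKEN_BITS // 8)  # unrelated to the data
        path = self.data_dir / f"{token}.pdf"
        path.write_bytes(pdf)
        path.chmod(0o600)
        self._owner[token] = applicant_id
        return token

    def fetch(self, token: str, caller_id: str, roles: set[str]) -> bytes | None:
        owner = self._owner.get(token)
        if owner is None or (caller_id != owner and "visa_staff" not in roles):
            return None  # unknown token and forbidden look the same to the caller
        return (self.data_dir / f"{token}.pdf").read_bytes()

    def erase(self, applicant_id: str) -> int:
        removed = 0
        for token, owner in list(self._owner.items()):
            if owner == applicant_id:
                (self.data_dir / f"{token}.pdf").unlink(missing_ok=True)
                del self._owner[token]
                removed += 1
        return removed


def demo() -> dict:
    """Exercises both stores on constructed sample data; returns the results."""
    tmp = Path(tempfile.mkdtemp())
    pdf = b"%PDF-1.4 constructed sample, not a real application"
    weak = WebRootPdfStore(tmp / "www")
    link = weak.save("Virtanen", date(2019, 9, 30), pdf)
    hits = find_exposed(weak, ["korhonen", "virtanen"],
                        date(2019, 9, 29), date(2019, 10, 1))
    safe = PrivatePdfStore(tmp / "private")
    tok = safe.save("applicant-1", pdf)
    return {
        "weak_link": link,
        "enumerated_hits": hits,
        "bits_1000_surnames_365_days": round(guess_space_bits(1000, 365), 1),
        "owner_can_read": safe.fetch(tok, "applicant-1", set()) == pdf,
        "stranger_can_read": safe.fetch(tok, "someone-else", set()) is not None,
        "staff_can_read": safe.fetch(tok, "clerk", {"visa_staff"}) == pdf,
        "erased": safe.erase("applicant-1"),
        "readable_after_erase": safe.fetch(tok, "applicant-1", set()) is not None,
    }
```

Running `demo()` shows the point the decision makes: with a thousand plausible surnames and one year of dates, the weak scheme is about 18.5 bits of search space, a few hundred thousand requests that a script works through without ever listing the folder, whereas the hardened store's 256-bit token is infeasible to guess and is in any case never served by path. The `erase` method is what an Article 17 request (or the controller's own clean-up) needs to call; after it runs, the owner's own fetch returns nothing.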

On the basis of the above, the controller's conduct must be regarded as a clear violation of Article 5 (principle of integrity and confidentiality) and Article 32 (security of processing) GDPR. The principle of integrity and confidentiality requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The controller should therefore continuously evaluate its processing operations and their adequacy from the perspective of personal data protection. Article 32, in turn, requires the controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, account must be taken in particular of the risks presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Security of processing covers both integrity (keeping the data in its correct form) and confidentiality (preventing outsiders from accessing it); personal data processed securely should be usable only by persons authorised to use it, not openly available on the internet. Both Articles are also linked to the requirement of data protection by design and by default (Article 25 GDPR), which calls for a data-protection-centred approach in which data protection is taken into account from the outset of operations. In that respect, too, the controller has not implemented preventive measures corresponding to the principles of that Article.

In addition to the adequacy of the protective measures, a position must be taken on the implementation of the data subject's rights. Article 17 GDPR provides for the data subject's right to obtain the erasure of personal data held by the controller, and the complainant submitted a proper request to the controller to remove the insufficiently protected file containing their personal data from the network. The controller should have deleted such unprotected files already on the basis of Articles 32 and 5 GDPR, even without a request by the data subject under Article 17. However, the controller took no action on its own initiative, nor to give effect to the data subject's request. It has therefore also violated Article 17 GDPR.

Under section 24 of the Data Protection Act, the administrative fine is imposed by the Sanctions Board formed by the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen, which has issued the following decision on imposing the fine.
Decision of the Sanctions Board on an administrative fine
Controller

The travel agency as part of the XX Oy group
Decision of the Sanctions Board

The Sanctions Board considers that the reprimand under Article 58(2)(b) GDPR and the order under Article 58(2)(d) GDPR issued by the Data Protection Ombudsman are not a sufficient sanction, taking into account the nature and seriousness of the violation.

The Sanctions Board formed by the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen orders the controller to pay the State an administrative fine of EUR 6,500 (six thousand five hundred euros) pursuant to Article 58(2)(i) and Article 83 GDPR.
Allocation of the administrative fine
Group structure

According to the company information, the travel agency is closely connected to XX Oy and YY Oy, which is why the case assesses whether the companies form a group. Under Article 4(19) GDPR, a group of undertakings means a controlling undertaking and its controlled undertakings. Recital 37 GDPR states as follows:

A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

Under chapter 8, section 12 of the Limited Liability Companies Act (624/2006), if a limited liability company has control, as referred to in chapter 1, section 5 of the Accounting Act, over another domestic or foreign corporation or foundation, the limited liability company is the parent company and the controlled entity is a subsidiary. The parent company and its subsidiaries form a group. A limited liability company also has control over another corporation or foundation when the company together with one or more of its subsidiaries, or a subsidiary alone or together with other subsidiaries, has the control referred to in chapter 1, section 5 of the Accounting Act. Under chapter 1, section 5 of the Accounting Act (1336/1997), an entity is considered to have control over another entity on the basis of voting rights or the right to appoint and dismiss members of its governing bodies, or if it otherwise actually exercises control over the target entity.

In the case under review, the CEO of both the parent company (XX Oy) and the companies under its control (YY Oy and the travel agency) is the same person, AA. In the business tax return of the parent company XX Oy, AA is listed as the sole shareholder. In YY Oy's business tax return, the sole shareholder is XX Oy, which, as stated above, is owned by AA. According to the travel agency's business tax return, its shareholders are XX Oy (100 shares), BB (100 shares) and CC (50 shares). According to the travel agency's trade register extract, AA is the sole ordinary member of the travel agency's board and DD is the deputy member (there are no other members).

On the basis of the evidence obtained, it is not possible to assess whether the criteria in the first two points of chapter 1, section 5, subsection 1 of the Accounting Act are met. However, the ownership structure and the controller's own declaration, found on YY Oy's website, that the companies form a group are a strong indication that the arrangement between the companies meets at least the requirements of chapter 1, section 5, subsection 1, point 3 of the Accounting Act, and XX Oy therefore has control over YY Oy and over the travel agency. It must also be considered that the concentration of ownership and decision-making power in the same person, and the consequent concentration of the management of personal data in the same entity, fulfils the GDPR's requirements for assessing the companies as a group and thus as the controller responsible for the processing of personal data. It is also justified to consider that the same body has the power to have the rules on the protection of personal data implemented.

The Sanctions Board notes that no consolidated financial statements have been prepared for the companies in accordance with Chapter 8, Section 9 of the Limited Liability Companies Act. The Sanctions Board further notes that a small group is a group that exceeds at most one of the threshold values laid down in Chapter 1, Section 4a of the Accounting Act, and a small group is not required to prepare consolidated financial statements. On the basis of the information obtained in the investigation, the group built around XX Oy can therefore be considered a small group that is not obliged to prepare consolidated financial statements, and the absence of consolidated financial statements is not relevant to the resolution of the matter.
Allocation of the fine

According to recital 150 of the General Data Protection Regulation, "Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU". When determining and allocating the fine under Article 83 of the General Data Protection Regulation, it is therefore justified in the case under review to also examine competition law case law, in particular the definition of an undertaking and the allocation of liability that follows from it.

The Treaty on the Functioning of the European Union (TFEU) does not define the concept of an undertaking; the definition has been developed in the case law of the EU courts. The basic starting point is that an undertaking is an entity engaged in economic activity that offers goods or services on a given market. The concept of an undertaking can thus denote an economic unit even where that unit consists of more than one natural or legal person.

In assessing whether several companies can be considered a single economic unit, EU competition law applies the so-called single economic entity doctrine. This essentially involves assessing whether one company can influence the decision-making of another to such an extent that the latter has no real autonomy in deciding its commercial conduct on the market. The assessment can consider the parent company's shareholding in the subsidiary, the companies' management, and the extent to which the parent company influences or instructs the subsidiary's operations. It must also be taken into account that a subsidiary that is not wholly owned by the parent company may still form part of an economic entity in the sense of competition law.

The industries and actual operations of XX Oy, YY Oy and the travel agency form a functional whole serving travellers to Russia. The companies share a common interest, there are clear financial and organisational links between them, and their management, ownership and decision-making power are largely concentrated in one person. It is therefore justified to consider that the travel agency is not an autonomous, independent operator but forms a single unit carrying out economic activity together with XX Oy and YY Oy. It can also be noted that the case law of the Court of Justice of the European Union has emphasised that a subsidiary's separate legal personality is not sufficient to exclude attributing the subsidiary's conduct to the parent company. This is especially so where the subsidiary, despite its separate legal personality, does not independently decide its own conduct on the market but essentially follows the instructions given by its parent company.

In this case, the Sanctions Board of the Office of the Data Protection Ombudsman considers it justified to interpret the concept of an undertaking in accordance with the intention of the European legislator, as determined on the basis of Articles 101 and 102 TFEU. On the grounds presented above, the Sanctions Board considers that the administrative fine should be addressed to the economic unit formed by XX Oy, YY Oy and the travel agency. The maximum amount of the administrative fine must therefore also be calculated on the basis of the companies' combined turnover.

In resolving the case, the Sanctions Board of the Office of the Data Protection Ombudsman noted that the travel agency's turnover in the financial period 1 July 2019 to 30 June 2020 was EUR 688,357.57, XX Oy's turnover in the financial period 1 July 2020 to 30 June 2021 was EUR 0, and YY Oy's turnover in the financial period 1 July 2020 to 30 June 2021 was EUR 210,767.48. The combined turnover is therefore EUR 899,125.05.
Reasons for imposing an administrative penalty

Article 83 of the General Data Protection Regulation lays down the general conditions for imposing administrative fines. According to the article, administrative fines must be effective, proportionate and dissuasive in each individual case. They are imposed, depending on the circumstances of each individual case, in addition to or instead of the corrective measures provided for in Article 58. When deciding whether to impose an administrative fine and on its amount, the factors listed in Article 83(2) of the General Data Protection Regulation must be taken into account in each individual case.

The Article 29 Working Party's guidelines on the application and setting of administrative fines are also taken into account in the assessment.

In the present case, the controller has been found to have violated Article 5(1)(f) (principle of integrity and confidentiality), Article 17(1) (right to erasure), Article 25(1) (data protection by design and by default) and Article 32(1) and (2) (security of processing) of the General Data Protection Regulation by failing to take care of the data subject's rights and the website's security measures.
The nature and seriousness of the breach

The nature and seriousness of the violation is assessed in light of the factors set out in Article 83(2)(a) of the General Data Protection Regulation.

This is not a minor infringement within the meaning of recital 148 of the General Data Protection Regulation. The violation concerns the implementation of the data subject's rights and the security of the processing of personal data, poses a significant risk to the data subjects' rights in the case under review, and affects the essential content of the obligations violated. The scope and purpose of the data processing also support assessing the violation as serious, so that a reprimand under Article 58(2)(b) and an order under Article 58(2)(d) of the General Data Protection Regulation cannot be considered a sufficient sanction for the controller.

The domain name [name of the travel agency].fi was registered in February 2006. It must be considered very unlikely that the security measures were stronger before 2019, when the shortcomings were reported, than they are now. The violation has thus clearly existed for longer than the General Data Protection Regulation has been applicable, and its duration cannot be considered short. The long duration of the violation must be considered a ground in favour of imposing an administrative fine.

The supervisory authority has no information on the number of data subjects, as the controller has not responded to the Data Protection Ombudsman's request for clarification or consultation. According to search engine results, the travel agency has several comparable competitors. When searching, for example, for "Visa to Russia", the travel agency typically does not appear on the first page of results in the various search engines. In terms of pricing, the company does not stand out from the competitors listed in the top search results, of which there are several. On this information alone, the company cannot be considered, for example, a leading operator in the field or the obvious choice for data subjects who need a Russian visa. However, given the nature of the violation, the long period of operation and the turnover figures, the Sanctions Board considers that a significant amount of personal data has passed through the site and that the violation has been systematic rather than isolated. The systematic nature of the violation and its impact on numerous data subjects must be considered grounds in favour of imposing an administrative fine.

According to the information available to the Office of the Data Protection Ombudsman, the data subjects have not suffered concrete financial or other material damage as a result of the violation. However, the occurrence of material damage is not a precondition for imposing a fine, and a data subject may, for example, also claim compensation under Article 82 of the General Data Protection Regulation regardless of whether a fine is imposed.

In assessing the damage caused to data subjects, the Supreme Court's decision KKO:1998:85 must also be taken into account. That decision emphasised informational self-determination and held that the wording of the personal data file offence in Section 43 of the since-repealed Personal Data File Act (471/1987) showed that conduct infringing the protection of privacy, as a breach of informational self-determination, in itself constituted the damage or harm required by law. This remains the case: a mere breach of privacy amounts to causing harm or inconvenience. The occurrence of financial or other material damage as such is not a precondition, although the occurrence of such damage is taken into account, in accordance with Article 83(2)(a) of the General Data Protection Regulation, when imposing an administrative fine and deciding on its amount.

The controller must therefore be considered to have violated the data subjects' rights under the General Data Protection Regulation, as a result of which the data subjects have suffered damage.
Assessment of aggravating and mitigating factors
Intentional or negligent breach

The problems with the encryption of the website and the protection of personal data were verifiably brought to the controller's attention in July 2019, when the complainant contacted it. Despite this, the controller has not taken the necessary technical and organisational measures to remedy the matter. The controller's replies to the complainant also show that it had not familiarised itself with the minimum requirements for protecting a website used as a channel for collecting personal data (the data was said to be protected, and guessing the link was described as "pretty much impossible"). The matter appears to be one of lack of understanding and carelessness, as a result of which personal data has been available online without adequate technical protection. The controller has not taken any action following the supervisory authority's contacts either, so there are no mitigating grounds in this respect. The controller's passivity in taking corrective measures and its disregard of data protection regulations must be considered an aggravating factor in the case.
Actions taken by the controller to mitigate the damage caused to the data subjects

As stated above with reference to the Supreme Court's decision KKO:1998:85, a mere breach of privacy, as an infringement of informational self-determination, amounts to causing harm or inconvenience, and the occurrence of financial or other material damage is not a precondition for a fine, although such damage is taken into account under Article 83(2)(a) of the General Data Protection Regulation when imposing a fine and deciding on its amount. In choosing the type of sanction, it has therefore been taken into account that the controller must be considered to have violated the data subjects' rights under the General Data Protection Regulation, as a result of which the data subjects have suffered damage.

As regards measures to mitigate the damage, the controller has not taken any steps to mitigate the damage caused to the data subjects. The controller's inactivity in this respect must be considered an aggravating factor in the case.
The degree of responsibility of the controller, taking into account the technical and organizational measures taken by it pursuant to Articles 25 and 32

The controller has not implemented technical measures that specifically give effect to the principles of data protection by design and by default, nor has it ensured, by technical and organisational measures, that data protection by design and by default is implemented at all organisational levels. The controller has not ensured that it has appropriate procedures in place to secure the processing of personal data and to effectively implement the data subjects' rights, and it has not taken into account the risk to the rights and freedoms of natural persons caused by the absence of such procedures. This was a systematic failure on the controller's part. Neglect of appropriate technical and organisational measures must be considered an aggravating factor in the case.
Previous similar violations by the controller

No similar violations have come to the attention of the supervisory authority.
Cooperation with the supervisory authority

The controller has not cooperated with the supervisory authority in any way: during the investigation it has not responded to any contact, with the exception of one phone call (14 July 2020). The Sanctions Board of the Office of the Data Protection Ombudsman draws particular attention to the fact that the controller's inactivity began before the coronavirus pandemic and before the start of the bankruptcy proceedings. The controller's passivity in the investigation of the matter must be considered an aggravating factor.
Personal data groups affected by the breach

The applicant fills in the electronic visa application form with their surname, first name, e-mail address, telephone number, passport number, employer or place of study, position, home address, purpose of travel, travel insurance number and desired visa validity period. After submitting the online form, the customer must print the order form and send or bring it to the travel agency together with their passport, a passport photo and a travel insurance certificate. The inadequately protected data is therefore not data within the meaning of Article 9 or 10 of the General Data Protection Regulation, and, judging from the information available on the website, the visa application forms have not included personal data of minors or the applicants' personal identity codes either. This must be considered a mitigating factor in the case. However, particular attention must be paid to the fact that the information to be filled in on the form included the passport number. A passport number, especially combined with other key personal data, is a risk factor that exposes the data subject to identity theft if it falls into the wrong hands. This must be considered an aggravating factor in the case.
The way in which information about the violation came to the attention of the supervisory authority

The information reached the supervisory authority through a complaint, not through the controller's own notification. In accordance with the risk-based approach, the controller should independently assess whether its operations involve risks to the processing of personal data; this responsibility cannot be passed on to customers or to the supervisory authority. No mitigating factors can be found in this respect, and the neglect of risk-based assessment and the de facto transfer of this responsibility to the data subjects and the supervisory authority must be considered an aggravating factor in the case.
Possible other aggravating or mitigating factors applicable to the case, such as possible financial benefits obtained directly or indirectly from the violation or losses avoided by the violation

The controller has saved costs by leaving the protection of the site at minimal measures. For example, the appropriate certificate and the computing capacity required by the HTTPS protocol, which is generally used to protect data traffic, bring clear additional costs to the controller. In addition, the complexity of an online service may require financial investment in expertise and maintenance, among other things. However, the controller cannot be considered to have made a financial profit through its way of operating.

It must also be noted that a wide range of technical means would have been available to the controller to protect customers' personal data. The secret links now in use are, however, a significantly weaker security control than even a weak password.
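The contrast the panel draws here, as an added illustration that is not the travel agency's code and is not taken from the decision: the first pattern stores each PDF in a web-accessible folder where any request for its URL is served without a login, so an outsider only has to learn or enumerate the link (the sequential file name used below is a constructed assumption, not the agency's actual naming scheme); the second keeps the files outside the web root, releases one only to an authenticated session that owns it, and can honour an erasure request by deleting the data rather than hoping a link is forgotten. The names `WEB_ROOT`, `PrivateStore` and `Session`, and the sample users and file contents, are hypothetical.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# ---- Pattern 1: the PDF lands in a web-accessible folder and its URL is the only control ----
# A static file server hands out any path it holds to anyone: no login, no ownership check,
# no revocation and no rate limit. Whoever learns or enumerates the URL gets someone's application.
WEB_ROOT: dict[str, bytes] = {}   # URL path -> file bytes; stands in for the server's docroot


def store_in_web_root(seq: int, pdf: bytes) -> str:
    """Save a form under a predictable name. The naming scheme is constructed for this example
    (not taken from the decision); its point is that the guess space is a small integer range."""
    path = f"/forms/visa_{seq:04d}.pdf"
    WEB_ROOT[path] = pdf
    return path


def static_get(path: str) -> bytes | None:
    """What the web server does with a request for a 'secret' link: no authentication at all."""
    return WEB_ROOT.get(path)


def enumerate_forms(max_seq: int) -> list[str]:
    """An outsider's view: try each sequential name and keep the hits."""
    candidates = (f"/forms/visa_{i:04d}.pdf" for i in range(max_seq))
    return [p for p in candidates if static_get(p) is not None]


# ---- Pattern 2: PDFs kept outside the web root, released only by an authenticated, authorised handler ----
@dataclass
class Session:
    user: str | None = None   # None means an anonymous (unauthenticated) request


@dataclass
class PrivateStore:
    # token -> (owner, pdf). Nothing here is reachable by URL; only download() can return a file.
    docs: dict[str, tuple[str, bytes]] = field(default_factory=dict)

    def save(self, owner: str, pdf: bytes) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits: not enumerable, unlike a sequence number
        self.docs[token] = (owner, pdf)
        return token

    def download(self, session: Session, token: str) -> bytes | None:
        """Release the PDF only to the logged-in owner. Knowing the token alone is not enough,
        so a token copied from a log, a browser history or an unencrypted link is useless by itself."""
        if session.user is None:
            return None                      # must be authenticated
        entry = self.docs.get(token)
        if entry is None or entry[0] != session.user:
            return None                      # must be authorised: the requester owns the document
        return entry[1]

    def erase(self, token: str) -> bool:
        """Honour an erasure request by removing the data itself. A link that has already been
        copied cannot be withdrawn, but an entry in this store can."""
        return self.docs.pop(token, None) is not None
```

Transport encryption is the one element this in-process model cannot show: with the second pattern the token and the session cookie still travel over the network, which is why the panel's point about HTTPS applies to it as much as to the first.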
Summary

According to Article 83(1) of the General Data Protection Regulation, the fine must be effective, proportionate and dissuasive. The assessment is made on the circumstances of each individual case. In examining an individual case, it must be assessed whether the aim is only to bring the activity into compliance with the law or whether it is justified to aim at punishing the controller for unlawful conduct. As regards the amount of the fine, it must be taken into account whether the violation concerns the articles of the General Data Protection Regulation listed in Article 83(4) or those listed in Article 83(5). This division into two categories sets the framework for the maximum amount of the fine; the General Data Protection Regulation does not, for example, specify fine amounts by type of violation. The combined effect of all the factors mentioned in Article 83(2) is in turn taken into account in assessing the seriousness of the violation.

In the controller's case, it is justified to aim both at bringing the operation into compliance with the law and at drawing the controller's attention to the unlawfulness of its conduct by means of a financial penalty. Because the violation has been long-lasting and, in view of the turnover figures, can reasonably be assumed to have affected numerous data subjects, and because the controller has taken no measures after becoming aware of the shortcomings, so that the violation can be attributed either to the controller's lack of understanding or to its indifference to compliance with data protection regulations, merely bringing the operation into compliance with data protection regulations cannot be considered sufficient in this individual case. This view is also strongly supported by the controller's reluctance to cooperate with the supervisory authority and by the fact that the violation concerns the provisions of the Regulation and the data protection principles relating to the rights of the data subject. The controller has also taken no measures to correct the problems.

In the controller's case, the upper limit of the fine in euros is determined in accordance with Article 83(5) of the General Data Protection Regulation, because the violation concerns both provisions falling under Article 83(4) (Articles 25 and 32) and provisions falling under Article 83(5) (Articles 5 and 17). Failure to fulfil the obligations under Articles 5 and 17 must thus be assessed as the more serious violation, and Article 83(5) of the General Data Protection Regulation may be applied when determining the overall penalty. In setting the amount of the fine, it must be ensured that it satisfies the requirement of Article 83(1) of the General Data Protection Regulation that an administrative fine be dissuasive.

The following must be taken into account as aggravating factors: the controller's passivity in handling the matter, its passivity in taking corrective measures, its disregard of data protection regulations, its neglect of a risk-based assessment of its operations, the systematic nature of the violation, the degree of fault in the violation, the controller's passivity in taking measures to mitigate the damage caused to the data subjects, its passivity in implementing appropriate technical and organisational measures, and the fact that the violation concerned data whose misuse would cause clear harm to the data subject. As mitigating factors, it can be taken into account that the personal data did not include data within the meaning of Articles 9 and 10, and that the website did not collect data of minors or the applicants' personal identity codes. In evaluating the controller's inactivity, the Sanctions Board of the Office of the Data Protection Ombudsman has taken note of the fact that the controller's industry has suffered from exceptional circumstances caused by the coronavirus epidemic. However, the controller's passivity in correcting the shortcomings reported by the complainant and in cooperating with the supervisory authority began before those exceptional circumstances, and the controller has also not responded to the supervisory authority's telephone request for an explanation. The exceptional circumstances therefore do not provide a basis for assessing the controller's conduct differently.

Under Article 83(5)(b) of the General Data Protection Regulation, infringements of the data subjects' rights under Articles 12 to 22 are subject, in accordance with paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Although the General Data Protection Regulation has applied since 25 May 2018 and the Personal Data Act contained no corresponding fine provision, a fine may be imposed for a so-called continuing violation, and conduct prior to the start of the application of the General Data Protection Regulation may therefore also be taken into account.

In the request for consultation delivered to the controller on 25 June 2020, the controller was informed that the matter may be decided even if it does not submit a reply by the deadline.

The decision to impose an administrative fine was made by the members of the Sanctions Board of the Office of the Data Protection Ombudsman.