Tietosuojavaltuutetun toimisto (Finland) - 6813/171/21

From GDPRhub
Tietosuojavaltuutetun toimisto - 6813/171/21
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 25(2) GDPR
ยง3 Act on the Protection of Privacy in Working Life
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.05.2022
Published: 31.05.2022
Fine: n/a
Parties: Pohjois-Savon sairaanhoitopiiri
National Case Number/Name: 6813/171/21
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Vadym Kublik

The Finnish DPA ordered a hospital to delete any historical data, location logs, and other employee personal data generated by Windows 10 for Workstations. One of the OS features violated the "data protection by default" principle under Article 25(2) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

On 19 August 2021, the Northern Savonia Hospital District (controller) notified the Finnish Office of the Data Protection Ombudsman (DPA) about a security breach. The notification stated that the "allow location data on this device" function on employees' portable computers using Windows 10 was automatically enabled, and the employees couldn't change this setting.

The controller did not use this location data for any purpose and, after an internal investigation, considered that no personal information was sent to Microsoft. Finally, on 14 March 2022, the controller confirmed to the DPA that it disabled the location data function on the workstations.

Holding[edit | edit source]

The DPA assessed whether the Windows 10's location function on employees' laptops complied with the "necessity" requirement under section 3 of the Finnish Act on the Protection of Privacy in Working Life. Additionally, it checked whether this function followed the "data protection by default" principle under Article 25(2) GDPR.

The DPA held that because the controller collected the location data unintentionally and did not use it for any purposes, the processing was unnecessary and violated section 3 of the Finnish Act on the Protection of Privacy in Working Life which imposes even stricter conditions than the principle of data minimisation under Article 5(1)(c) GDPR. Moreover, since the processing of location data was unnecessary, having Windows 10's location setting enabled and locked by the administrator violated the "data protection by default" requirement under Article 25(2) GDPR. The DPA noted that the principle of "data protection by default" also requires that the controller, when using third-party software or firmware, ensures that functions for which there is no legal justification or that do not correspond to the intended purposes of the processing are disabled.

Therefore, the DPA ordered the controller to delete any historical data, location logs and other personal data generated by the location data function.

Comment[edit | edit source]

In related cases 2464/161/22 and 1141/161/22, the DPA also ordered the data processors to remove the default location data setting from customers' Windows 10 workstations.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Use location information on employees' laptops

Keywords: Location information
Employees

Legal basis: Decision in accordance with the EU General Data Protection Regulation

Diary number: 6813/171/21

Decision of the Assistant Supervisor on the processing of registered location data

Thing

Use the location feature of Windows 10 on employees' laptops

Registrar

Northern Savonia Hospital District

Statement received from the controller

On 19 August 2021, the registrar issued a preliminary security breach notification to the Office of the Data Protection Officer stating that the "allow location data on this device" function on employees' computers is automatically enabled. It is not possible for the employee to change this setting.

The Office of the Data Protection Officer has requested further information from the controller in order to clarify the matter on 16.9.2021, 27.9.2021 and 9.3.2022. The registrar has provided additional information on 17.9.2021, 30.9.2021 and 14.3.2022.

According to an additional report issued by the registrar on 17 September 2021, the data controller of the registrar has initiated investigations on 18 August 2021 with the ICT service provider (Istekki Oy) regarding the location regulation and how to switch it off. According to an investigation by the registrar's information management, no personal information will be sent to Microsoft in connection with the use of location information.

On 30 September 2021, the controller confirmed to the Office of the Data Protection Officer that these were also portable computers carried by employees. According to the registrar, the location data has not been used for anything. On 14 March 2022, the controller confirmed to the Office of the Data Protection Officer that the location data setting has been disabled on workstations.

Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The Data Protection Regulation contains a national margin of maneuver on the basis of which national law can supplement and clarify matters specifically defined in the Regulation. The general data protection regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previous Personal Data Act (523/1999).

According to Article 4 (1) of the General Data Protection Regulation, personal data means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to identification data such as location.

Article 25 (2) of the General Data Protection Regulation sets out the default data protection requirement. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. In particular, these measures shall ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.

Specific issues related to data protection at work are regulated nationally by the Act on the Protection of Privacy at Work (759/2004). The Data Protection Commissioner monitors compliance with the Act on the Protection of Privacy in Working Life as provided in section 22 of the Act.

Section 3 of the Act on the Protection of Privacy in Working Life provides for a necessity requirement related to the processing of personal data. According to the law, the employer may only process personal data directly necessary for the employee's employment, related to the performance of the rights and obligations of the parties to the employment relationship or the benefits provided by the employer to the employees or due to the special nature of the work. The requirement of necessity cannot be waived with the consent of the employee. Article 5 (1) (c) of the General Data Protection Regulation sets out the principle of data minimization, according to which personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed. The requirement of necessity in section 3 of the Act on the Protection of Privacy in Working Life restricts the personal data suitable for processing to those that have a connection with the management of the rights and obligations of the parties. The limitation is therefore stricter than the minimization principle of the General Data Protection Regulation.

Legal question

The Assistant Data Protection Supervisor assesses and resolves the matter on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The Assistant Data Protection Officer shall decide:

1) Has the use of the location feature of Windows 10 on employees' laptops been in accordance with section 3 of the Privacy Act (759/2004) and whether the registrar has been able to process the location data of employees.

2) Has the use of the location information feature of Windows 10 met the requirements of Article 25 (2) of the General Data Protection Regulation?

Decision of the Assistant Supervisor

Decision

The registrar has not complied with the necessity requirement under section 3 of the Privacy Act or the default data protection requirement under section 25 (2) of the General Data Protection Regulation, and the registrar's procedure for keeping the Windows 10 location data regulation on top has not complied with data protection rules.

The controller is instructed in accordance with Article 58 (2) (d) of the General Data Protection Regulation to delete any Historical Data, location logs and other personal data generated by the use of the location data feature. By 8 August 2022, the controller shall inform the Office of the Data Protection Officer of the action it has taken as a result of this provision, unless the controller appeals against this decision. On 14 March 2022, the registrar confirmed to the Office of the Data Protection Officer that the location data feature has been disabled on the workstations. Therefore, the Assistant Data Protection Officer will not instruct the controller to disable the function.

A notice is given to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation regarding the maintenance of the location information setting in Windows 10. The location setting has been unreasonably turned on by default on employees' laptops, and the registrar has not ensured that this is not the case. The controller has not had a statutory need to process employee location data.

Reasoning

Section 3 of the Act on the Protection of Privacy in Working Life

In the present case, the main location switch in Windows 10 has been locked by the administrator. The function has been used, for example, on employees' laptops, which, according to the investigation, may also have been used remotely by employees.

As the matter concerns the processing of employees' personal data, the provisions of the Act on the Protection of Privacy in Employment must be taken into account when assessing the procedure of the data controller. According to section 3 of the Act, the employer may only process personal data directly necessary for the employee's employment, which are related to the performance of the rights and obligations of the parties to the employment relationship or the benefits provided by the employer to the employees or are due to the special nature of work.

Even when the processing of personal data is outsourced, the controller must still be able to identify his or her legitimate purposes for the processing of personal data and ensure that unnecessary personal data are not processed. As the location data of the employees in this case have been unnecessary for the employer and have been collected unintentionally at all, the processing of personal data on the location of employees was not immediately necessary for the controller, as provided in section 3 of the Employment Data Protection Act.

Article 25 of the General Data Protection Regulation

In the present case, employees' portable workstations have had the Windows 10 location information setting turned on by default. According to the registrar, it has not used location data for anything.

Article 25 (2) of the General Data Protection Regulation provides for default data protection. In order to comply with the default data protection requirement, the controller must determine in advance for what specific, explicit and lawful purpose personal data will be collected and processed. Processing operations must be designed in such a way that, from the outset, only as little personal data is processed as is necessary for certain processing operations.

The default data protection requirement also requires that the controller, when using third-party software or firmware, ensure that functions which have no legal basis or which do not correspond to the intended purposes of the processing are disabled.

The Assistant EDPS notes that in the case under assessment it has now been possible for the controller to manage the location data regulation. The EDPS further notes that this is a normal operation of Windows 10 and that the controller has not gone through the basic settings based on the information received. The controller should have detected the presence of the location data setting in a timely manner, prior to the deployment of the workstations, and the controller should have evaluated the processing of personal data in the various functionalities prior to the deployment. Prior to the introduction of the workstations, the controller should also have communicated in sufficient detail with the data controller which functionalities are to be on. It should be noted that the service used by the controller in this case should operate without being on top of the location setting.

In the present case, the controller has stated that it has not used any location data and that, on the basis of the information received in the case, the data has been collected without any intention to do so. Regarding the processing of location data in working life in general, the Assistant Data Protection Officer states that the controller must always ensure that there is a legal basis for the processing of personal data before starting the processing of personal data. With regard to the processing of employees' personal data, special attention must also be paid to sections 3 and 4 of the Act on the Protection of Privacy in Working Life. Employees must also be informed in a transparent manner about the existence of monitoring and, for example, the purposes for which the location data is used, and employees must, in principle, be able to exercise the data subject's rights, including the right to inspect personal data. It should be pointed out that according to the opinion of the EU Data Protection Working Party, the employer should not collect the employee's location data outside the employee's working hours, and the employee should be able to switch off the location function outside working hours. The employee should also be instructed on how to turn off the location feature. The EU Data Protection Working Party has also considered it essential that the device in use constantly warns the user, for example by means of a permanently visible icon, that the location data collection function is on. In addition, the EU Data Protection Working Party has stated that where the device is allowed to process the data of the data subject by default, the fact that the user does not make any changes to the settings cannot be considered as voluntary consent.

Transmission of information to a location service provider

Because the registrar did not take proper care of the basic settings of the operating system, the information generated by using the location information feature has also been passed to the location service provider (Microsoft). In this respect, the data controller has assessed that the data received by the location service provider are not personal data and the data subjects have not been identifiable. The registrar's information management has received the following response from Microsoft in response:

"If you have enabled the device location setting, your device sends de-identified location information (including wireless access point information, and precise GPS location if available) to Microsoft after removing all personally identifiable information at the service."

According to a response from the registrar's information management from Microsoft, when the device's location feature is turned on, the device sends unrecognized location information, including the wireless access point, cellular base station information, and any available exact GPS location. The information is thus sent to the location service provider. In this respect, the EDPS draws attention to the fact that the policy does not prevent the aggregation of data by the location service provider in such a way that the data subject is, in principle, identifiable despite the procedure described above. According to Article 4 (1) of the General Data Protection Regulation:

"personal data" means any information relating to an identified or identifiable natural person, hereinafter referred to as "data subject"; identifiable means any natural person who can be identified, directly or indirectly, by identification, on the basis of a physiological, genetic, mental, economic, cultural or social factor. "

According to recital 26 of the General Data Protection Regulation:

'In order to determine whether a natural person is identifiable, account should be taken of all the means which either the controller or another person is reasonably likely to use to identify that natural person directly or indirectly, such as distinguishing that person from others. In order to determine whether the means can reasonably be expected to be used to identify a natural person, all objective factors should be taken into account, such as the costs and time required for identification and the technology and technical developments available at the time of processing. '

Thus, personal data are also data from which a person can be indirectly identified. Recital 26 of the General Data Protection Regulation further states that personal data are data that can be combined with a natural person using additional information. The EU Data Protection Working Party has stated in its opinion on the concept of personal data that separation from others โ€™. The present case concerns data which can be combined with a natural person by means of additional information, by combining data and thus indirectly identifying the data subject.

Irrespective of whether the data have actually been aggregated, the data must also be considered to be personal data with regard to the data that has been passed on to the location service provider. The EDPS also notes that, for example, the information on the wireless access point, which is stated above to go to the location service provider, may include the MAC address of the Wi-Fi access point, which identifies the physical device, and may be at the registered home.

The EDPS notes that in order to implement the default data protection and to comply with the other obligations of the controller, it is essential that the controller makes a proper and thorough assessment of the processing of personal data. It is not possible to transfer responsibility for the accuracy of this assessment to a processor of personal data, such as an ICT service provider.

Applicable law

Mentioned in the explanatory memorandum.

Appeal

According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court.

The decision is not final.