Tietosuojavaltuutetun toimisto (Finland) - 8492/163/20

Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(a) GDPR
Article 12(3) GDPR
Article 13 GDPR
Article 15(1) GDPR
Article 25(1) GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
§ 14 Act on the Status and Rights of Patients
§ 5(4) Act on the Protection of Privacy in Working Life
Type: Complaint
Outcome: Partly Upheld
Started: 26.10.2020
Decided: 09.12.2022
Published: 14.12.2022
Fine: 230,000 EUR
Parties: Viking Line Abp
National Case Number/Name: 8492/163/20
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Vadym Kublik

The Finnish DPA fined a shipping company €230,000 for several violations in the processing of employees' health data, including breaches of the transparency and accuracy principles, the right to be informed, the right of access, and data protection by design.

English Summary

Facts

On 26 October 2020, a former employee (data subject) of the shipping company Viking Line (controller) complained to the Finnish DPA (Tietosuojavaltuutetun toimisto) about the controller's processing of employees' health data. The investigation addressed the following facts.

Storing health data in the personnel management system. The controller operated two registers. Medakt was an electronic patient information system used on the controller's ships, where nurses recorded notes about treatment procedures and medicines given. MAPS, on the other hand, was a personnel management system holding information related to the employment relationship, such as employee names and contact information, contract status, qualifications, salary payment and medical care costs. In addition, the MAPS system contained information on employee absences, including sickness dates and ICD diagnosis codes. The controller stated, however, that it had removed the diagnosis information from the system in 2018–2019.

Storing health data for longer than necessary. The controller claimed they kept the information about the period of sick leave and the right to pay in the MAPS system for ten years after the end of the absence. However, the data subject demonstrated that the controller stored their health information (including diagnosis information) in the MAPS system for twenty years. The Medakt system held data indefinitely.

Storing incorrect diagnosis information in MAPS. According to the controller, it was not possible to register all ICD codes in the MAPS system, so system users tried to find the closest matching code that could be entered. As a result, the diagnosis information recorded in MAPS sometimes did not correspond to the data on the sick leave certificates.

Not providing data subjects with information stipulated in Article 13 GDPR. According to the data subject, the controller did not inform employees about the processing of their data. It was also not possible to find any information or instructions on the company's intranet regarding the processing.

Sharing the data subject's health information with the police. The controller handed over the data subject's health information to the police in a criminal investigation, although it was not required to do so under the applicable law. The controller itself admitted that this should not have happened without the data subject's express written consent.

Not implementing the data subject's right to access as required by Articles 12(3) and 15(1) GDPR. The data subject requested copies of sick leave certificates, diagnosis information, and the registers' log data on 10 January and 3 February 2020. After several email exchanges, the controller provided available sick leave certificates on 1 April 2020. However, the controller refused to share the log data.

Holding

The DPA held that the employer could process in its personnel management systems information about when and how long the employee was away from work due to illness. However, information about the reason for sick leave, for example, illness, injury, their nature or diagnosis information, according to Section 5(4) of the Finnish Act on the Protection of Privacy in Working Life, must be stored separately. Therefore, the controller violated the law by holding employees' diagnosis information in MAPS.

The DPA also held that according to Section 5(4) of the Finnish Act on the Protection of Privacy in Working Life, the employer must delete health information immediately after there is no basis for further processing. Since the controller did not provide any justification for keeping the data subject's health data in MAPS for twenty or ten years, they violated the mentioned requirement.

Further, the DPA held that the deficiencies of the MAPS system led to incorrect health information being stored about data subjects. The controller thus violated the accuracy principle of Article 5(1)(d) GDPR and the data protection by design requirement of Article 25(1) GDPR.

In addition, the DPA held that the controller violated Articles 5(1)(a) and 13 GDPR by not providing data subjects with sufficient information about the processing of their data. The DPA therefore ordered the controller under Article 58(2)(d) GDPR to bring its practices into compliance with the GDPR.

As regards the disclosure of the data subject's health data to the police, the DPA noted that under Section 14 of the Patient Act a breach of the duty of confidentiality is punishable under the Criminal Code unless a more severe penalty is provided elsewhere in law. Since the lawfulness of the handover is therefore a matter to be assessed as a criminal case, the DPA considered itself not competent to assess whether a legal basis for the disclosure existed.

Lastly, the DPA held that although the controller responded to the data subject's access request within one month, it did not provide the diagnosis information stored in the system at that time, nor did it inform the data subject of the reasons for the delay in providing the information. The DPA therefore held that the controller violated Articles 12(3) and 15(1) GDPR. Notably, the DPA also held that the log data is data concerning the persons who processed the customer or register data. Consequently, the log data was not deemed information concerning the data subject to which they had a right of access under Article 15 GDPR.

Subsequently, the DPA fined the controller €230,000 for the identified violations under Articles 58(2)(i) and 83 GDPR.

Comment

On 16 December 2022, the Advocate General of the Court of Justice of the European Union published his opinion on the question of whether an individual is entitled to learn who has accessed their personal data. The opinion supports the position of the Finnish DPA in this case, suggesting that log data is not information about the data subject but information about the persons who have processed the data subject's data.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The processing of the employee's health data in the personnel administration system and the accuracy of the personal data

Keywords: health information
informing
right of access

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 8492/163/20

Decision of the Deputy Data Protection Commissioner

Matter

Processing of health information by the employer, accuracy of personal data, informing data subjects, disclosure of personal data to the police, the data subject's right to access data and user log data

Controller

Viking Line Oy Abp

The applicant's requirements with justification

1. On 26 October 2020, the complainant initiated a case at the Office of the Data Protection Commissioner concerning the processing of personal data by the controller. The complainant has submitted that Viking Line Oy Abp maintained an extensive register containing employees' health information. This register is stated to have included the periods of sickness absences as well as diagnosis information. The complainant has submitted that in his case the data was stored in this register for 20 years. The complainant has stated that he was dismissed in 2017; despite this, the aforementioned information about the complainant is stated to have been kept at least until 2020. The complainant has also submitted that in his case the information was partially incorrect, and that this information was used against him after he contested his dismissal.

2. The complainant has stated that he asked Viking Line Oy Abp for access to his personal data. He has also stated that he requested the log data relating to the said register; this log data was not provided to him. Several justifications were presented to the complainant as to why, in the employer's view, the employer had the right to keep the information. The complainant was not provided with information about the list of diagnoses included in the register; in the end, he obtained the information in a roundabout way, so to speak.

3. The document initiating the case also states, among other things, that health data was stored in a system called MAPS, and that this system was used by all ships sailing under the Finnish flag. It has also been stated that a nurse on any ship would have access to the information of any ship's employee, regardless of which ship the nurse works on.

Statement received from the controller

Request made by the complainant to the controller

4. On at least 10 January 2020 and 3 February 2020, the complainant has submitted a request to the data controller to access the data. The complainant has submitted to the Data Protection Commissioner's office, among other things, the response he received from the data controller to his request on April 1, 2020.

5. In this response, it is stated that the complainant requested copies of his sick leave certificates from 2001–2017. The controller has stated that it has the complainant's sick leave certificates from 2017 and one sick leave certificate from 2016, and has promised to deliver copies of these to the complainant. In addition, the controller has stated that it is in possession of material related to legal proceedings.

6. In the response, the disclosure of log data is addressed under the Act on the Electronic Processing of Social and Health Care Client Data. That act is stated to apply only to the electronic processing of social and health care client data. According to the controller, Viking Line Oy Abp is not a provider of social care or health care services as referred to in that act. Therefore, in its view, Viking Line Oy Abp has no legal right or obligation to provide the complainant with the log data of its electronic systems.

7. In his request to the registrar, the complainant has stated that he inquired about the basis for the fact that his information had been processed during police interrogations. In this regard, Viking Line Oy Abp has referred to Article 9(2)(f) of the General Data Protection Regulation.

8. The complainant has also stated that he inquired why the nurse working at Viking Line Oy Abp had given information about an occupational health consultation to certain employees of the organisation. The question has been stated to relate to e-mails about the occupational health consultation and agreeing on its time. In this regard, Viking Line Oy Abp has stated that the employer has the right to process the employee's personal data when the processing is necessary to comply with the obligations and special rights of the controller or the data subject in the field of labour law. It has also been stated that the employee's personal data can also be processed to assess the employee's ability to work. The information has only been processed by persons who needed it to perform their duties. In addition, it has been stated in this context that access to information about employees' state of health is limited so that only those persons who prepare or make decisions regarding employees, or implement such decisions, may process the information.

9. Sick leave certificates are stated to be kept for as long as they are needed to manage the rights and obligations related to the employment relationship; after this, according to the response, the data is deleted. According to the response, Viking Line Oy Abp does not have copies of the complainant's sick leave certificates covering a period of 17 years. The complainant's information was collected from the employer's electronic system, where information about employees' sick leave periods is stored. In the response, reference is again made to Article 9(2)(b), (f) and (h) of the General Data Protection Regulation.

Clarification request from the Office of the Data Protection Commissioner

10. The Office of the Data Protection Commissioner has requested a statement on the matter from the controller. The controller issued its statement on 31 January 2022.

The registers used by Viking Line Oy Abp, which contained employees' health information

11. In the report given, it has been confirmed that Viking Line Oy Abp has maintained two registers intended for its internal use (the MAPS personnel management system and the patient information system Medakt), which have included, among other things, employees' health information.

12. The MAPS system has been reported to be Viking Line Oy Abp's personnel management system, which has been used to manage employment relationships and take care of the employer's obligations, such as salary payments.

13. Medakt, on the other hand, has been reported to be an electronic patient information system used on Viking Line Oy Abp's ships, in which the nurses working on the ship, approved by the National Supervisory Authority for Welfare and Health (Valvira), record notes about treatment procedures performed on patients and medicines given, as required by section 12(1) of the Act on the Status and Rights of the Patient (785/1992). Patients can be passengers who have fallen ill on board or members of the ship's crew. Employees' health information is recorded in the Medakt patient information system when an employee falls ill while on board and it is not possible for them to use the occupational health care services on land.

Information content of registers used by Viking Line Oy Abp

14. The MAPS system contains the personal data of approximately 6,000 data subjects, some of whom are current and some former employees of Viking Line Oy Abp. At the beginning of 2022, the Medakt system contained, across all ships, the personal data of approximately 19,350 patients (5,600 employees and 13,750 passengers).

15. The MAPS system stores information related to the employment relationship, such as employee names and contact information, employment contract status information, qualification information, information related to attended trainings, and information related to salary payment and medical care costs. According to Chapter 2 § 12 of the Maritime Employment Contracts Act (756/2011), the employer is obliged to compensate the sick employee's treatment and travel costs from the ship home.

16. In addition, the MAPS system has included information on employee absences, including sickness absences with dates and ICD diagnosis codes, on the basis of which paid absence is determined. It has further been stated that not all absences are paid, which is why the employer must process information on the reasons for sickness absence to a certain extent in order to ensure the correctness of salary payment. In addition to codes, the system has also included diagnosis information in plain language. However, according to the statement, ICD diagnosis codes and plain-language diagnosis information were removed from the system in 2018–2019 and are no longer included in it. Now only the period of sickness absence and whether it is a paid or unpaid absence or, for example, family leave is entered into the system. Viking Line Oy Abp has assessed that recording diagnoses is not necessary considering the intended use of the system.

17. The processing of personal data described above is presented as being based on the provisions of Article 6, paragraph 1, subparagraphs c and f of the General Data Protection Regulation (statutory obligation of the controller and legitimate interest of the controller). The employer's statutory obligations, such as the payment of wages for sick leave, have been found to be based either on the Maritime Labor Contracts Act or the Employment Contracts Act, depending on the employee's position.

18. The Medakt system stores information about the date of birth, name and address of the employees, as well as information about the employment relationship, such as ship and position. According to the report, a personal profile is not created in the system for passengers in the same way as for employees. Passengers' identification information, such as name and date of birth, on the other hand, are saved in the text written during each visit. In addition, the system records information about the reason and time of the treatment, procedures performed and medicines given from the ship's pharmacy. According to the explanation given, only the nurses working on the ship make entries in the Medakt system, and only they have access to these entries.

19. Health data has been stated to be processed pursuant to Article 9(2)(h) and Article 9(3) of the General Data Protection Regulation. In the statement, reference is also made to section 6(1)(4) of the Data Protection Act (1050/2018), according to which Article 9(1) of the General Data Protection Regulation does not apply when a health care service provider, when organising or producing services, processes information obtained in that activity about a person's state of health or disability, about the health care and rehabilitation services they received, or other information necessary for the data subject's care. Reference has also been made to the provisions of the Data Protection Act. It has further been presented that the general concept of service provider covers both the organiser and the producer of services, and that these are the operational units and professionals of health and social care, as well as the auxiliary personnel working under them. The nurses working on the ship are therefore stated to process health data under the aforementioned exception.

20. In the report given, reference is also made to the law on ship pharmacies (584/2015). The medical treatment of the crew and the obligation to make records of the measures taken have been presented as based on the mentioned act. The purpose of the ship pharmacy law is to ensure the ability of the ship's crew to receive appropriate first aid and medical care on board in case of illness or accident. According to § 9 of the law, a medicine diary must be kept in the ship's pharmacy of certain categories of ships, in which an entry must be made of all purchases made in the ship's pharmacy, medicines given to persons and treatment procedures performed, and medicines and medical supplies removed from the ship's pharmacy. Information about the person must be kept separate from information about medicines and medical supplies. Entries in the medication diary must be made in the working language used on board. The medication diary must be kept in such a way that the information entered in it remains intact and unchanged. The medication diary must be kept for at least five years from the last entry made in it. The medicine diary must be kept in connection with the ship's pharmacy. The provisions of the Act on the Status and Rights of the Patient (785/1992) on the confidentiality of information contained in patient records apply to the confidentiality of the information contained in the medication diary.

Viking Line Oy Abp's operations and Section 5 of the Act on the Protection of Privacy in Working Life (759/2004)

21. According to the statement, the controller has processed information about an employee's state of health in order to pay sick pay or comparable benefits related to the state of health. When an employee falls ill while on duty on a ship, information about the illness is recorded by the ship's nurse in the Medakt patient information system. If the illness has led to sick leave, an entry is made in the MAPS system after the employee submits a sick leave certificate. It has also been stated that nurses are considered part of the personnel administration when they receive employees' sickness absence certificates. The employee can decide whether to submit the sick leave certificate to the ship's nurse or to the HR representative on shore.

22. According to the report given at Viking Line Oy Abp, only those persons who, on the basis of this information, prepare or make decisions regarding the employment relationship or implement such decisions, have processed information regarding the state of health. It has been reported that two personnel secretaries act as such persons. The employer has separately specified that the tasks of these persons include the processing of information about the state of health. These persons are bound by confidentiality both during and after their employment.

23. Viking Line Oy Abp has stated that it has kept the employee health status data stored in the MAPS system in such a way that, for example, payroll clerks have not had access to diagnoses or ICD codes; payroll clerks have only had access to information on whether an absence entitles the employee to pay. It has also been submitted that unnecessary information regarding the state of health has been removed from the register, as required by section 5 of the Act on the Protection of Privacy in Working Life.

24. Regarding the Medakt system, it has been stated that Viking Line Oy Abp has not at all processed the data stored in the system as an employer. Only shipboard nurses are said to have access to the system. The information stored in the system has not been delivered to Viking Line Oy Abp's personnel administration, and people working in personnel administration do not have access to the system.

Access rights to the registers in question

25. According to the explanation given, the information in the MAPS system can be accessed by personnel management employees whose job duties include processing the information belonging to the system. Access rights are limited according to the work task, so that the employee can only access the information he needs for his work tasks. The part of the system used by the personnel administration has access to all data stored in the system, but according to the explanation given, access to this data is limited according to the needs of the people working in the personnel administration. The MAPS Sjölöner system is also used by ship nurses.

26. MAPS Omborddata, on the other hand, has been reported to be used on ships. Employees using the system can only see the information of the employees of the vessel in question. Employee access to this information is restricted. Managers do not have access to all information about their subordinates.

27. In addition to the above, the ship's nurses have recorded information about sick leave and diagnosis in the MAPS system, if the illness has started on board during the work shift and if the employee has submitted a sick leave certificate to the personnel administration to be delivered via the nurse.

28. Access to the Medakt system has been held by the nurses working on the ships, who have taken care of the obligations arising from the Ship Pharmacy Act and the Act on the Status and Rights of the Patient. According to the statement, no other persons have had access to the system. The Medakt system has not been connected to other patient information systems, such as the Kanta service, so information in the Medakt system is not passed on to other health care providers.

29. In principle, each staff member is stated to have their own user profile in the Medakt system. When a substitute works in the ship's medical care, Medakt is used with a ship-specific user ID. Substitutes have been instructed to write their own name in the notes they make; however, it is also possible to identify the person who made an entry later from the work shift records.

30. According to the report given, ship nurses have had access to the Medakt data of any Viking Line ship, as both nurses and other employees can work on different ships. The same nurse is not always on duty, which is why another nurse may have a justified need to continue the task started by another and use the information in the system to complete the task. However, nurses may not process information other than what is necessary for the care relationship. Only main users have the right to make changes to the system. Nurses are not the main users.
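The design the controller describes in paragraphs 16, 22, 23, 25 and 26, namely that diagnosis data is removed from the HR register, that only two designated persons handle health data, that payroll staff see only whether an absence is paid, and that shipboard users see only their own vessel's crew, is the data-segregation pattern required by section 5(4) of the Act on the Protection of Privacy in Working Life. The following is an added example written for this page, not code from Viking Line's MAPS system, showing one way to enforce that pattern in code rather than by instruction: the HR register has no field that could hold a diagnosis, diagnoses live in a separate store gated on a single role, and each role gets a projection carrying only the columns and rows its task needs. The roles, employee ids, ship names and the ICD code are constructed sample data, and the purge-on-settlement step is an assumption about when the reason for an absence is no longer needed.

```python
"""Segregated storage and role-scoped projections for absence data.

Added example (not Viking Line's MAPS code): the HR register holds only the
facts needed for payroll and workforce planning (dates, paid/unpaid, leave
type), diagnoses live in a separate store readable by one designated role,
and every role receives only the rows and columns its task requires.
Employee ids, ship names and codes are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Role(Enum):
    PAYROLL = "payroll"            # needs only whether an absence is paid
    HEALTH_SECRETARY = "health"    # the designated handler of diagnoses
    SHIP_OFFICE = "ship"           # sees only the crew of its own ship
    MANAGER = "manager"            # sees own ship's absence dates, nothing else


@dataclass(frozen=True)
class Absence:
    absence_id: int
    employee_id: str
    ship: str
    start: date
    end: date
    paid: bool
    leave_type: str                # "sick", "family", ...


class AbsenceStore:
    """HR register. Deliberately has no field that could hold a diagnosis."""

    def __init__(self) -> None:
        self.rows: List[Absence] = []

    def add(self, absence: Absence) -> None:
        self.rows.append(absence)


class DiagnosisStore:
    """Separate register keyed by absence id, readable by HEALTH_SECRETARY only."""

    def __init__(self) -> None:
        self._codes: Dict[int, str] = {}

    def put(self, absence_id: int, icd_code: str) -> None:
        self._codes[absence_id] = icd_code

    def get(self, role: Role, absence_id: int) -> str:
        if role is not Role.HEALTH_SECRETARY:
            raise PermissionError(f"role {role.value!r} may not read diagnoses")
        return self._codes[absence_id]

    def purge(self, absence_id: int) -> bool:
        """Delete the diagnosis once the pay decision no longer needs it (assumed trigger)."""
        return self._codes.pop(absence_id, None) is not None

    def __contains__(self, absence_id: int) -> bool:
        return absence_id in self._codes


def absence_view(store: AbsenceStore, role: Role,
                 ship: Optional[str] = None) -> List[dict]:
    """Project the HR register for one role: rows filtered by ship where the
    role is ship-bound, columns filtered by task. No projection can carry a
    diagnosis because the HR register does not contain one."""
    rows = []
    for a in store.rows:
        if role in (Role.SHIP_OFFICE, Role.MANAGER) and a.ship != ship:
            continue
        row = {"employee_id": a.employee_id,
               "start": a.start.isoformat(), "end": a.end.isoformat()}
        if role is not Role.MANAGER:
            row["paid"] = a.paid
        if role is Role.HEALTH_SECRETARY:
            row["leave_type"] = a.leave_type
        rows.append(row)
    return rows


def demo() -> dict:
    """Exercise the stores with constructed data and return the results."""
    hr, dx = AbsenceStore(), DiagnosisStore()
    hr.add(Absence(1, "E100", "SHIP-A", date(2022, 1, 3), date(2022, 1, 7), True, "sick"))
    hr.add(Absence(2, "E200", "SHIP-B", date(2022, 2, 1), date(2022, 2, 2), False, "family"))
    dx.put(1, "J06.9")                     # constructed code, kept apart from HR data
    try:
        dx.get(Role.PAYROLL, 1)
        leak = True
    except PermissionError:
        leak = False
    result = {
        "payroll": absence_view(hr, Role.PAYROLL),
        "ship_a": absence_view(hr, Role.SHIP_OFFICE, ship="SHIP-A"),
        "manager_a": absence_view(hr, Role.MANAGER, ship="SHIP-A"),
        "payroll_sees_diagnosis": leak,
        "secretary_code": dx.get(Role.HEALTH_SECRETARY, 1),
    }
    dx.purge(1)                            # reason no longer needed once pay is settled
    result["diagnosis_retained"] = 1 in dx
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of keeping the two stores as separate types, rather than one table with column-level permissions, is that a misconfigured permission cannot expose a diagnosis through the HR projection: the projection code has nothing to leak. Retention then becomes a property of the health store alone, which is what section 5(4) asks for.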

Informing data subjects

31. In connection with the present case, it has reportedly become apparent that employees have not been sufficiently informed about the current processing of personal data. According to the statement, the situation will be rectified as soon as possible, and Viking Line Oy Abp will inform data subjects as required by the General Data Protection Regulation.

Data retention

32. According to the explanation provided, information about the period of sick leave and the right to pay is stored in the MAPS system for ten years after the end of the absence. Older information about sick leave periods and the right to pay for that period have been deleted. All ICD codes and diagnosis information have reportedly been removed from the MAPS system during 2018 and 2019, and such information is no longer stored in the system. Viking Line Oy Abp is introducing a new system. In this context, the data retention periods will be redefined.

33. The information in the Medakt system is currently stored indefinitely. According to the explanation given, the information about the health status is recorded, as it has been considered necessary for monitoring the health status. Information related to the employee's injuries or health problems may be needed later, for example, to handle insurance issues or occupational disease investigations. The Medakt system contains data since 2012. Retention periods will be re-evaluated during 2022.

About the correctness of the information entered in the register

34. The data subject has been able to check the information stored in both the MAPS and Medakt systems, and the information has been updated as necessary. The nurse making an entry in the Medakt system has been obliged to enter correct information in the system.

About the protection of registers

35. Viking Line Oy Abp's internal network is protected by, among other things, a firewall and passwords. When logging into the MAPS system from ships, task-specific IDs and passwords are used; working time accounting is done with personal IDs and passwords. Those working in personnel administration have personal IDs and passwords for the MAPS system. As stated above, user rights are limited so that an employee can only process the information needed in their work. The MAPS system log records only changes made to entries already in the system; information about the author of the original entry is not saved in the log.

36. The Medakt system can only be accessed from the nurse's work computer in the cabin intended for medical care. Logging in is a three-step process. In the first step, the nurse must log in to the Citrix service with their personal username and password. In the second step, a one-time password is sent to the nurse by e-mail. The Medakt system can then be started via Citrix. Even after this, a personal username and password are required when logging into the Medakt system. In addition, it has been found that the nurses using the system are aware that the nurse has the right to open a patient relationship only for a person who has a patient relationship with the nurse. The system is not connected to any other healthcare information system.

About the register entries concerning the complainant

37. When investigating the matter, it has become apparent that in 2001 it was not possible to store all ICD codes in the MAPS system. Consequently, only some of the codes could be used, which in turn meant that a sickness absence could be saved in the system with a code different from that of the sick leave actually granted. Users of the system reportedly tried to find the closest matching code that could be entered. In this regard, Viking Line Abp has admitted that the system was problematic in terms of data protection. The system has since been changed in this respect.

38. The complainant has submitted that the ICD code entered into the MAPS system for the sick leave granted at the turn of the year 2016–2017 does not match the code entered on the sick leave certificate. In connection with this, the registrar has referred to the request for information addressed to the registrar by the complainant on February 3, 2020, which was accompanied by four separate sickness absence certificates regarding the time in question. The period of sick leave has been reported to have started with a certain code, after which it had changed to another. According to the explanation given, Viking Line Oy Abp does not fundamentally change codes afterwards. In this case, however, it is possible that the code has been changed, for example at the complainant's own request, to match the code of the newly granted period of sick leave. The ICD code stored in the MAPS system corresponds to the code of three of the four sickness absence certificates delivered to Viking Line Oy Abp. Viking Line Oy Abp has emphasized that nurses can also make entries in the system at the request of employees.

39. In the statement, it is further emphasised that Viking Line Oy Abp, as the controller or employer, has had no interest in modifying the entries made in the register afterwards without the involvement of the data subject. It has also been emphasised that diagnosis information is no longer stored in the system at all.

40. It has been continued by stating that it is only possible to edit an entry saved and signed in the Medakt system immediately after the entry is saved. If the entry is modified, it is marked with a symbol indicating modification. Despite this, all previous versions of the record are visible and cannot be deleted from the Medakt system. It is not at all possible to edit entries made by another person, as well as previously made entries. It is possible to specify a different date and time for the recording, but the actual time stamp remains visible.
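Paragraphs 35, 37 and 40 together describe two register designs: a MAPS log that records changes but not who made the original entry, and a MAPS code field that could not hold every ICD code, so users substituted the nearest one (the source of the accuracy finding); and a Medakt store in which an entry can be edited only immediately after saving, edits are flagged, every earlier version stays visible, nobody can edit another person's entry, and the actual write timestamp survives even if a different clinical date is entered. The following is an added example written for this page, not Medakt or MAPS code, that implements those Medakt properties as an append-only version ledger and closes the two MAPS gaps: the ledger records the author and write time of every version including the first, and it rejects a code it cannot represent rather than coercing it. The ten-minute edit window, the `shared-` prefix used to detect the ship-specific shared accounts mentioned in paragraph 29, and all users, codes and texts are constructed assumptions.

```python
"""Append-only, versioned entries with the original author in the audit log.

Added example (not Medakt or MAPS code). It models the properties the
decision describes and the gaps it identifies: every version records its
author and actual write time (the MAPS log kept neither for the original
entry); an ICD code the system cannot represent is rejected instead of being
replaced by a "closest" code; an entry may be amended only by its author
within a short window; every amendment is a new flagged version and earlier
versions remain readable; the clinical time entered by the author never
overwrites the system timestamp; shared ship accounts cannot write.
Users, codes and texts are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# ICD-10 code shape: letter, two digits, optional dot and up to four more digits.
# Shape check only; a production system also checks membership in the codeset.
ICD10 = re.compile(r"^[A-Z][0-9]{2}(\.[0-9]{1,4})?$")
EDIT_WINDOW = timedelta(minutes=10)   # assumed meaning of "immediately after saving"


@dataclass(frozen=True)
class Version:
    entry_id: int
    version: int
    author: str               # personal account that wrote this version
    written_at: datetime      # actual write time, set by the system
    clinical_time: datetime   # time of the event as entered by the author
    icd_code: str
    text: str
    amended: bool             # True for every version after the first


class Ledger:
    """Versions are only ever appended; nothing is updated in place or deleted."""

    def __init__(self) -> None:
        self._versions = []
        self._next_id = 1

    def create(self, author, icd_code, text, clinical_time, now) -> int:
        if author.startswith("shared-"):          # assumed naming of shared ship ids
            raise PermissionError("entries require a personal user id")
        if not ICD10.match(icd_code):
            raise ValueError(f"unrepresentable ICD code {icd_code!r}; not substituting")
        v = Version(self._next_id, 1, author, now, clinical_time, icd_code, text, False)
        self._versions.append(v)
        self._next_id += 1
        return v.entry_id

    def amend(self, entry_id, author, now, icd_code=None, text=None) -> int:
        first, latest = self.history(entry_id)[0], self.latest(entry_id)
        if author != first.author:
            raise PermissionError("only the original author may amend an entry")
        if now - first.written_at > EDIT_WINDOW:
            raise PermissionError("edit window closed; record a new entry instead")
        code = icd_code if icd_code is not None else latest.icd_code
        if not ICD10.match(code):
            raise ValueError(f"unrepresentable ICD code {code!r}; not substituting")
        v = Version(entry_id, latest.version + 1, author, now, latest.clinical_time,
                    code, text if text is not None else latest.text, True)
        self._versions.append(v)
        return v.version

    def history(self, entry_id):
        return [v for v in self._versions if v.entry_id == entry_id]

    def latest(self, entry_id):
        return self.history(entry_id)[-1]

    def audit_log(self):
        """Who wrote which version and when; the first row is the original author."""
        return [(v.entry_id, v.version, v.author, v.written_at.isoformat(), v.amended)
                for v in self._versions]


def demo() -> dict:
    """Run the ledger through the cases the decision discusses; returns outcomes."""
    t0 = datetime(2022, 3, 1, 9, 0)
    ledger = Ledger()
    eid = ledger.create("nurse.a", "J06.9", "URTI, rest advised",
                        clinical_time=t0 - timedelta(hours=2), now=t0)
    ledger.amend(eid, "nurse.a", t0 + timedelta(minutes=5),
                 text="URTI, rest advised, analgesic given")
    attempts = {
        "other_author": lambda: ledger.amend(eid, "nurse.b", t0 + timedelta(minutes=6), text="x"),
        "late_author": lambda: ledger.amend(eid, "nurse.a", t0 + timedelta(hours=1), text="x"),
        "bad_code": lambda: ledger.create("nurse.a", "XYZ", "bad", t0, t0),
        "shared_id": lambda: ledger.create("shared-ship1", "J06.9", "sub", t0, t0),
    }
    out = {}
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = "accepted"
        except (PermissionError, ValueError) as exc:
            out[name] = type(exc).__name__
    out["versions"] = len(ledger.history(eid))
    out["original_author"] = ledger.audit_log()[0][2]
    out["latest_amended"] = ledger.latest(eid).amended
    out["clinical_time_kept"] = ledger.latest(eid).clinical_time == t0 - timedelta(hours=2)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices matter for the accuracy and access-request findings. Rejecting an unrepresentable code at write time is what prevents the "closest code" drift of paragraph 37; a system that must accept any valid code needs a field wide enough for the whole codeset, not a lookup that silently degrades. And because the first version is itself a log row, the question of who created an entry is answerable from the same record the DPA treated as data about the processors, whatever view one takes on whether the data subject may see it.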

About using and handing over register data

41. Information recorded in the MAPS system has been used for HR purposes, such as salary payment and ensuring its correctness. The Medakt system, on the other hand, is, as stated above, an electronic patient information system used on Viking Line Oy Abp's ships. According to the report, the information in the registers has not been used for anything other than its original purpose.

42. Despite the above, the complainant's health information has, according to the report, been handed over to the police for the investigation of a criminal case. In the report given, it is stated that this should not have been done. The report continues that in a preliminary investigation, a doctor or other healthcare professional may be obliged to testify, for example, about confidential patient information when the crime in question is one for which the maximum punishment provided for is at least six years' imprisonment. However, the underlying criminal case has not involved such a crime. The report continues that the information should not have been given to a criminal investigation without the patient's express written consent.

About the complainant's right to access information

43. According to the report given, information on sick leave certificates has been provided to the complainant, insofar as the information has been stored. The oldest data had already been deleted.

44. In the report given, reference is made to the Act on the Electronic Processing of Social and Health Care Customer Data (159/2007), which was repealed on 1 November 2021. According to § 18 of the aforementioned act, the customer has the right to receive from the provider of social care and health care services, on a written request, without delay and free of charge, on the basis of the log register, information on who has used the customer data concerning him or to whom it has been disclosed, and what the justification for the use or disclosure has been, in order to clarify or exercise his rights related to the processing of his customer data.

45. The obligation to provide log information has been presented as applying to the health care service provider, which means the health care operational unit referred to in section 2, subsection 1, point 4 of the Act on the Status and Rights of the Patient, the employer referred to in section 7, subsection 1, point 2 of the Occupational Health Care Act (1383/2001), and an independent healthcare professional acting as a practitioner. On ships, such as those of Viking Line Oy Abp, the crew's medical treatment is based on the Ship's Pharmacy Act. The Ship's Pharmacy Act also provides for the obligation to make records of the treatment procedures performed. Since the Act on the Status and Rights of the Patient does not refer to the Ship's Pharmacy Act, according to the report provided, Viking Line Oy Abp has interpreted the legal provision on the provision of log data in such a way that it is not a provider of healthcare services as defined in the act, and log data has therefore not been considered something that could be provided. It has also been stated that the log data concerns the users of the information systems, which is why it cannot be given to the person who is the subject of the processing solely on the basis of the General Data Protection Regulation. Finally, it has been stated that the controller has been in contact with Valvira, the Licensing and Supervision Agency of the Social and Health Sector, to get confirmation of its interpretation. However, according to the report given, the controller has not received a response from Valvira.

On measures taken and to come

46. According to the report given, Viking Line Oy Abp is implementing a new HR information system, which can take into account the requirements of the current data protection legislation better than the old MAPS system did. In the new system, data protection by design will be emphasized by, among other things, limiting storage periods, improving the logging of processing events, and requiring secure processing of personal data. Since the corona pandemic has hit the tourism industry, such as Viking Line Oy Abp's business, particularly hard, the development and implementation of this HR system has been delayed.

47. In 2020 and 2021, Viking Line Oy Abp updated the data protection skills of HR employees with data protection training. The company will also continue to invest in data protection training in the future. During 2022, the personnel administration registers will be thoroughly reviewed. The purpose is to ensure that the registers do not contain old or unnecessary information. In this context, the privacy statements and the privacy section of the company's internal intranet will be updated. During 2022, staff will also be informed about the processing of their personal data.

The complainant's reply

48. After Viking Line Oy Abp gave its report on the matter, the report was delivered to the complainant. After receiving the report, the complainant submitted a short reply to the Office of the Data Protection Commissioner as well as to the data controller. In this e-mail sent on February 9, 2022, the complainant stated that the given report contains several errors. The complainant has emphasized that he addressed the access request he sent on 10.1.2020 to an employee of Viking Line Oy Abp, whom he separately named, because according to the complainant, this named person had provided the police with diagnosis information on the complainant stored in the MAPS system over 17 years. The complainant has also emphasized that this person mentioned by name was not registered as an official health data processor at the shipping company. According to the complainant, it is unclear how this named person had gained access to this information. According to the complainant, this named person had not provided the information to the complainant.

49. The complainant has referred to the report given in the case, which states that the ICD codes and diagnosis information stored in the MAPS system were deleted from the system in 2018–2019. According to the complainant, this is not true. The complainant has proven that he received his diagnosis information in writing in 2020.

50. According to the complainant, the claim that information would have been stored in the MAPS system for only 10 years is also incorrect. The complainant has referred to the copy of his diagnosis data recorded in the MAPS system, which he received in 2020 and which he delivered to the data protection commissioner's office. It appears from this copy that the first diagnosis entry concerning the complainant is from 1997. Therefore, according to the complainant, the data has not been deleted every 10 years.

Supplement to the given report

51. On February 10, 2022, Viking Line Oy Abp supplemented its explanation in the matter. According to the given supplement, an incorrect year was left in the statement. The information was deleted from the MAPS system in 2020, not in 2018–2019.

The complainant's response

52. The complainant has been given the opportunity to respond in the case. The complainant gave his response on 22 February 2022.

53. In the response given, it is stated that Viking Line Oy Abp maintained too extensive a health data register and neglected to inform the data subjects. According to the complainant's view, the recording of diagnosis information has been illegal. In addition, the information has been disclosed to third parties without a legal basis.

About the data content of the registers used by Viking Line Oy Abp

54. The complainant has presented his view that the Medakt system is a patient information system to which the law on ship's pharmacy applies only to a limited extent. The complainant has submitted that only the ship's nurses and the head office's personnel secretaries have access to the diagnosis information. The complainant has further submitted that the personnel secretary should only have access to the paper version of the medical certificate. According to the complainant, if the nurse has recorded both the diagnosis information and the information about whether it is paid or unpaid sick leave in the MAPS system, personnel secretaries have no reason to view the MAPS entries.

55. The complainant has further submitted that the Medakt system does not only record illnesses that occur on board, but the system also records, for example, information about phone conversations between a nurse and an employee on shore. The complainant has further submitted that the system also records the names of prescription drugs prescribed by any doctor on shore as well as the price of the drug purchase. According to the complainant, the shipping company in principle reimburses the purchase prices of such medicines to the employees. It is possible to receive medical reimbursement for a period of 112 days for the same illness, after which the employee himself is responsible for his medical expenses. After that period, prescriptions are no longer issued.

56. Purchase prices of prescription drugs are reimbursed to employees against a receipt. The nurse delivers the receipt she received from the employee to the personnel secretary. The complainant has submitted that personnel secretaries can misuse the information they receive from receipts and medical certificates. Because of this, according to the complainant, some employees do not use their right to medical reimbursements.

57. According to the complainant, with regard to nurses' records, the Medakt system in principle stores the name of the nurse and the ship on which the reception visit took place. According to the complainant, even such entries are not always accurate in all respects. From time to time entries have been made under the wrong vessel. Sometimes the ship's name is completely missing. Therefore, according to the complainant, it remains unclear which ship's pharmacy was used. If the entry has been made under the wrong ship, it means, according to the complainant, that the quantities of medicine in the ships' pharmacies cannot be in accordance with the Ship's Pharmacy Act and/or ship-specific. According to the complainant, this prevents the inventory of medicines dispensed from the ship's pharmacy. The complainant has also submitted that not all entries are related to the provisions of the Ship's Pharmacy Act regarding medicines; some of the entries are related to health care on a more general level, for example discussions about workload or workplace bullying (early intervention model).

58. The complainant has questioned Viking Line Oy Abp's claim that only ship nurses have access to the Medakt system. According to the complainant, the system also contains records of representatives of private service providers (for example, a chiropractor/CT doctor who visited the ship from time to time during port hours). According to the complainant, such persons have had access to the information of several employees. Consequently, the complainant has presented his opinion that the law on ship's pharmacy does not apply to Medakt records in terms of providing log information. According to the complainant, the question is not only about the procedures that take place at sea or the medicines from the ship's pharmacy.

Viking Line Oy Abp's operations and Section 5 of the Act on the Protection of Privacy in Working Life (759/2004)

59. The complainant has submitted that the employees have only been instructed to submit their sick leave certificates to the nurses, not to the personnel administration representatives. The nurse records the diagnosis information in the MAPS system, after which she sends the sick leave certificate to the person appointed in the personnel administration. The complainant continues that the employer has the right to take a copy of this original paper sick leave certificate, store it separately from other personal data and dispose of it as unnecessary after five years at the latest.

Access rights to the registers in question

60. The complainant has submitted that no payroll officer or functional manager has the right to access the diagnosis information. The salary is calculated without this information. The nurse makes the necessary entries in the MAPS system.

From the information entered in the register

61. The complainant has submitted that the 60-day sick leave rule is misused in the MAPS system. If an employee is on sick leave for a ten-day working period, healthy for the following ten-day free period and sick again for the following ten-day working period, then Viking Line Oy Abp, according to the complainant, treats the employee as having been sick during his/her free time as well, even if there is no sick leave certificate for that free period. According to the complainant, this interpretation also applies to situations where the employee has been on sick leave before his annual leave and again right after the end of the annual leave. The complainant has suspected that in such situations the National Pension Institute has not been informed that the employee was healthy between sick leaves, which is why, according to the complainant, the shipping company may also have received compensation from the National Pension Institute without entitlement.

62. By acting in the manner mentioned above, according to the complainant, the employer accrues 60 sick leave days as quickly as possible, and thereby also avoids a new nine-day deductible period.

63. The complainant has submitted that the main user of the Medakt system is one of the ship's nurses. Thus, according to the complainant, it has been possible to modify and delete entries. The complainant has also submitted that every nurse has had the opportunity to modify the diagnosis data recorded in the MAPS system, whenever and however they like.

Informing data subjects

64. According to the complainant, the employees have not been informed in any way about the extensive record keeping in question, which is why, for example, the employees have not been able to check or ask for their information to be corrected. It has not been possible to find any kind of information or instructions on the company's intranet regarding the processing of employees' personal data by the data controller.

65. According to the complainant, the nurses have been unsure of how to act in a situation where an employee requests access to their information. According to the HR manager, such requests should be addressed to him. The complainant has questioned this, as the HR manager does not have access to registers containing health information. The complainant has continued that the employee does not necessarily want a named employee to be informed at all that the employee has visited the nurse's office. In this context, the complainant has referred to the law on the patient's status and rights, and stated that the information about such a visit is not intended for this named person. According to the complainant, this person is not registered as a health data processor.

Data retention

66. The complainant has emphasized again that the claim about the ten-year data retention period is not true. According to the complainant, the information has verifiably been stored for more than 20 years. The complainant's diagnosis list was printed on February 6, 2020, and it contained diagnosis information going back to 1997. The complainant has stated that a former employee requested his information stored in the MAPS system from the ship's nurse on 10 February 2022. The nurse had provided this employee with the information on the same day. This information contained information on this person's sick leave periods from 1990 to 2013. This person had stopped working at the shipping company in 2013; despite this, information about his sick leave periods was still kept in the register. At that time, the data had been stored for 32 years. According to the complainant, such storage would have no purpose related to salary payment and benefits.

About the register entries concerning the complainant

67. The complainant has said that he has never asked for his diagnosis information to be changed.

About using and handing over register data

68. The complainant has submitted that the data of both the Medakt and MAPS systems had been used for a purpose other than the original purpose. According to the complainant, the information has, among other things, been hacked and passed on. The complainant has mentioned as an example the judgment given by the Labour Court on 19.12.2019 in case R 24/18. According to the complainant, the issue in the mentioned case was that the employee's health data from 2006 had been used against him in the Labour Court in 2019. The employee's employment contract had ended in 2006, continued in 2013 and ended again in 2016. According to the complainant, this shows that Viking Line Oy Abp retains former employees' information quite extensively and, if necessary, also uses this information afterwards against the employee.

69. According to the complainant, in 2017 a named nurse on M/S Amorella provided the complainant's health information to the named personnel manager, the controller's lawyer and the operational manager, in violation of her confidentiality obligation, and this group subsequently dismissed the complainant.

About the complainant's right to access information

70. Since the diagnosis information had not been deleted in 2018–2019, the complainant could have been provided with this information in response to his request on January 10, 2020. The complainant had only been provided with information about his sick leave certificates for the years 2016–2017.

71. In this connection, the complainant has referred to the Ship's Pharmacy Act, and stated that the act is mainly related to medicines. The reception of nurses licensed by Valvira, the Licensing and Supervision Agency of the Social and Health Sector, is organized in connection with the ship's pharmacy. These nurses must follow the Act on the Status and Rights of the Patient. Not all reception visits are related to medicines, and not all entries are related to a sea voyage.

Finally

72. The complainant has said that he also worked on the Viking XPRS ship sailing under the Estonian flag.

Hearing

73. On August 29, 2022, Viking Line Oy Abp was given the opportunity referred to in § 34 of the Administrative Procedure Act (434/2003) to be heard, to state its opinion on the matter and to give its explanation regarding such claims and explanations that may affect the resolution of the matter. At the same time, Viking Line Oy Abp was given the opportunity to bring forward the points referred to in Article 83, Paragraph 2 of the General Data Protection Regulation which, in its view, should be taken into account when making the decision. Viking Line Oy Abp gave its answer on 13 September 2022.

74. In the response given to the hearing, it is stated that the response does not take a position on the claims based on legislation other than the General Data Protection Regulation.

Taking into account the nature, severity and duration of the breach, the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the breach and the extent of the damage caused to them

75. In the given answer, it has been stated that in the present case, the personal data would not have been processed for the purpose of monitoring the data subjects. In the response, it is separately stated that the personal data would not have been processed for the evaluation of the data subjects, and that no negative decisions affecting the data subjects would have been made based on the data. Furthermore, it has been stated that information related to the state of health has been collected for the payment of wages during sick leave, and according to the answer given, the information has not been used for any other purpose or disclosed to third parties without justification. Therefore, according to Viking Line Oy Abp, the purpose of use of the data has been in line with the original purpose of collecting personal data and the employer's role of the data controller. According to the answer given, the information has never been used for other purposes.

76. In the given answer, it is also stated that the system has only been used on ships sailing under the Finnish flag and that only the information of persons employed by Viking Line Oy Abp has been stored in this system. Consequently, Viking Line Oy Abp has considered that the data processing that is now under review has not been regionally large-scale, even though the company operates in the territory of several states due to its passenger ship operations.

77. It has also been stated that the response to the access request submitted by the complainant regarding the diagnosis information, and the challenges related to compliance with the deadline, concerned only the complainant in question, and were not a matter of the company's general practice.

78. In the given answer, it has been emphasized that the processing referred to in the case at hand has not led to discrimination against the data subjects, identity theft or fraud, financial losses, damage to reputation, loss of confidentiality of personal data subject to confidentiality obligations, or unauthorized reversal of pseudonymisation, and has not caused the data subjects any other significant financial or social harm. Separately, it has been stated that a matter indirectly related to the complainant's current matter has also been discussed in court, and according to the answer given, the court has stated that Viking Line Oy Abp has not committed discrimination in its operations.

Intentionality or negligence of the violation

79. According to the answer given, the violation regarding the processing of personal data that is currently being evaluated, especially with regard to the personal data processed in the MAPS system, cannot be considered intentional, because according to the answer given, intentionality requires a knowing and deliberate violation of the General Data Protection Regulation and disregard for the obligations of the legislation. According to the answer given, there was no question of this in the case at hand, and Viking Line Oy Abp, according to the answer given in the case, has not sought to achieve a financial or other advantage in relation to competitors in this regard. It has also been stated that Viking Line Oy Abp has not actively and consciously decided that, for example, incorrect information would be kept in the personnel register. According to the answer given, efforts have also been made to respond to the request for information as promptly as possible.

80. According to the answer given, the issue was rather a situation comparable to human error, as a result of which the system containing personal data had not been updated to meet the storage needs in terms of content and storage time as required by legislation. The retention of old data and their possible inaccuracy had not previously become apparent to the controller in other contexts before the complainant raised the matter. When the situation had become apparent to Viking Line Oy Abp, the matter had been investigated and policies had been changed.

Actions taken by the data controller or personal data processor to mitigate the damage caused to data subjects

81. When Viking Line Oy Abp had become aware that information regarding the employees' health status had been kept for too long and that the register could also have contained incorrect information, the company reassessed the necessity of the information it was processing and deleted the information unnecessary in terms of the employment relationship. The company evaluated the matter as a whole and changed its operating method in relation to all its employees, not only in relation to the data subject who made the complaint.

82. In the given answer, it is further emphasized that the fulfilment of the complainant's access request had been delayed because the information containing the health status data, which the complainant had specifically requested, had been sent to the complainant via e-mail as securely as possible. However, for various reasons attributable to him, the complainant had not registered for a service that would have allowed him to be identified. The purpose of this identification procedure was to make sure that information about the state of health would not be disclosed to a third party without right. Before the information was released, there had been a lengthy e-mail exchange between the complainant and Viking Line Oy Abp (5 March 2020: Viking Line Oy Abp receives an access request from the complainant; 5 March 2020: Viking Line Oy Abp sends a link to the complainant's e-mail address via the identification service, where the complainant can identify himself with bank credentials and confirm his contact information; 5 March 2020: the complainant informs the representative of Viking Line Oy Abp that he cannot find the sent link; 9 March 2020: the representative of Viking Line Oy Abp responds to the complainant and tells him the name of the sender of the e-mail; 9 March 2020: the complainant requests that the link be sent again; 25 March 2020: the complainant asks again that the link be sent again; and 26 March 2020: Viking Line Oy Abp sends the link to the identification service to the complainant's e-mail address again). Viking Line Oy Abp had therefore tried to deliver the information requested by the complainant as an encrypted e-mail. It would certainly have been possible to deliver the information faster, but in that case, according to Viking Line Oy Abp, data security would have had to be compromised, which according to the answer given, the company had not considered an option.

83. Viking Line Oy Abp has considered that it has done its best to comply with the deadline according to Article 12, paragraph 3 of the General Data Protection Regulation, and thus also that stipulated in Article 15, paragraph 1 of the General Data Protection Regulation. Viking Line Oy Abp has admitted that with regard to the information in the register from 1997, it had acted incorrectly because it had not delivered it to the complainant.

84. Viking Line Oy Abp has also considered that it has actively investigated the matter at hand in cooperation with various authorities, such as the police and Valvira.

The degree of responsibility of the controller or processor of personal data, taking into account the technical and organizational measures taken by them pursuant to Articles 25 and 32

85. According to the answer given, Viking Line Oy Abp has tried to take into account the requirement of Article 25 of the General Data Protection Regulation for data protection by design and by default and the appropriate technical and organizational measures required by Article 32 in order to process personal data as securely as possible. Access to the personal data in question has been granted only to persons to whose work tasks the information is directly related and necessary. The processing of information about the health status of employees has been limited in the manner intended by Section 5 of the Act on the Protection of Privacy in Working Life, i.e. the management of access rights has ensured that the data is processed only by persons entitled to it. Other persons have not been granted access rights to the systems in question. According to the answer given, the principle of integrity and confidentiality has been implemented, among other things, by logging the events of the information systems. The protection measures of the systems against external abuse have also been improved.

Possible previous similar violations by the controller or the processor of personal data

86. According to the answer given, Viking Line Oy Abp has not committed similar violations in the past, and the data protection authority has not ordered it to take the measures referred to in Article 58, paragraph 2.

The amount of cooperation with the supervisory authority to correct the violation and mitigate its possible adverse effects

87. According to the further answer, Viking Line Oy Abp has both tried to clarify the matter with the authority and promoted the introduction of a new system containing employees' personal data. The problem areas of the old system have been taken into account in defining the requirements of the replacement system. Regarding the question regarding the log data of the system used on the ship, Viking Line Oy Abp has repeatedly tried to find out the authority's position on the matter without getting an answer.

88. In the matter at hand, Viking Line Oy Abp has complied with the deadlines set for it by the authority and has answered the questions put to it as openly and concisely as possible, so that the complaint matter in question could be resolved by the authority as efficiently as possible.

Finally

89. Viking Line Oy Abp has emphasized that it has not received an indirect or direct financial benefit from the events that are the subject of the investigation. According to the answer given, what happened will rather cause it financial losses through reputational damage.

90. The total turnover of Viking Line Oy Abp in 2021 was 258,243,347.47 euros. In this connection, the company has emphasized that the tourism industry has suffered badly from the consequences of the coronavirus pandemic. The authority has been asked to take this into account when considering sanctions.

91. Finally, in the answer given, it has been stated that an administrative penalty fee should not be imposed for actions that may have been contrary to the provisions of the Data Protection Act on Working Life or legislation other than the General Data Protection Regulation, and according to the answer given, these matters based on other legislation should not be taken into account as aggravating factors when considering the penalty fee.

On the evaluation of cross-border applicability

92. The General Data Protection Regulation separately provides for the handling of matters that are cross-border as defined in Article 4, Section 23 of the General Data Protection Regulation. Such matters must be handled by the competent supervisory authority in accordance with Article 56 and Chapter VII of the General Data Protection Regulation.

93. In its report, Viking Line Oy Abp has stated that it acts as a data controller for the processing of the personal data in question. Viking Line Oy Abp's head office is in Finland, and the group also includes Viking Line Skandinavien AB and Viking Rederi AB based in Sweden, OÜ Viking Line Eesti based in Estonia, Viking Line Finnlandverkehr GmbH based in Germany and Viking Line Buss Ab based in Finland. Personal data is processed in connection with the operation of all the aforementioned locations. Information systems are accessible from ships. The ships sail in the territorial waters of Finland, Sweden and Estonia as well as in international sea areas. There are ships under the flag of Finland, Sweden and Estonia. The complainant has only worked on ships under the Finnish flag. Only one person works at the German location, and the registers in question are not used in Germany, nor are the data of a person working in Germany processed in these registers.

94. Viking Line Oy Abp's central administration is located in Finland. The office where the central administration is located has been reported to make the decisions on the personal data processing at hand. In addition, this office where the central administration is located has been reported to have the authority to implement the decisions related to the processing of personal data at hand.

95. The Office of the Data Protection Commissioner will handle the case in accordance with the procedure stipulated in Article 60 of the General Data Protection Regulation in cooperation with the supervisory authorities of the participating Member States. In the present case, the participating supervisory authorities according to Article 4, paragraph 22, subparagraph b of the General Data Protection Regulation are the supervisory authorities of Sweden, Norway and Estonia, as the processing that is the subject of the complaint affects or is likely to significantly affect data subjects in these member states.

96. This decision contains points to which Finnish national legislation applies pursuant to Article 6, Paragraph 1, Subsection c of the General Data Protection Regulation. The Office of the Data Protection Commissioner considers that in this respect the issue is a matter within the competence of the Finnish Supervisory Authority, and such points are not part of the cooperation between supervisory authorities stipulated in Article 60 of the General Data Protection Regulation. This decision also contains points to which, pursuant to Article 88 of the General Data Protection Regulation, Finnish national legislation also applies.

Handling the matter in the cooperation procedure

97. In accordance with Article 56 and Article 60, paragraph 3 of the General Data Protection Regulation, the Office of the Data Protection Commissioner, as the lead supervisory authority, delivered the relevant information to the other participating supervisory authorities at the same time as the position of the Finnish supervisory authority as lead supervisory authority was confirmed.

98. The draft decisions of the Data Protection Commissioner and the Sanctions College have been submitted to the participating supervisory authorities on 10 November 2022 in accordance with Article 60, Paragraph 3 of the General Data Protection Regulation.

99. The participating supervisory authorities have not made any comments or objections in the matter. Accordingly, the draft decision is deemed approved. The Office of the Data Protection Commissioner adopts the final decision on the matter and notifies it to the head office of the data controller. In addition, the Office of the Data Protection Commissioner notifies the complainant, the other participating supervisory authorities and the European Data Protection Board of the decision.

On applicable legislation

100. The processing of personal data is regulated in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation). The General Data Protection Regulation has been applied since May 25, 2018. As a regulation, the regulation is immediately applicable law in the member states. The rights of the data subject are regulated in Chapter III of the General Data Protection Regulation. The General Data Protection Regulation is specified in the Data Protection Act (1050/2018).

101. The processing of health information at workplaces is regulated in more detail in Sections 3 and 5 of the Act on the Protection of Privacy in Working Life (759/2004; Working Life Data Protection Act). The storage and preparation of patient data is regulated in § 12 of the Act on the Status and Rights of Patients (785/1992; Patient Act) and in the decree issued by the Ministry of Social Affairs and Health on patient documents (298/2009; Patient Document Decree).

102. The Ship's Pharmacy Act (584/2015) provides for measures to ensure the ability of ship's crew to receive appropriate first aid and medical care on board in case of illness or accident.

103. Health care professionals are regulated in the Act on Health Care Professionals (559/1994). The Act on the Electronic Processing of Social and Health Care Customer Data (784/2021, Customer Data Act) provides for the secure processing of customer data produced by social and health care and well-being data produced by the customer himself for the purposes of organizing and producing health care and social services. The Act on electronic processing of social and health care customer data preceding the above-mentioned law is also relevant (159/2007, repealed on 1 November 2021).

Legal issues

104. The Deputy Data Protection Commissioner assesses and decides the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the above-mentioned special regulation. The case involves the following legal issues:

i. Has Viking Line Oy Abp, when storing diagnosis data in the MAPS system, complied with the provisions of section 5, subsection 4 of the Working Life Data Protection Act;

ii. Has Viking Line Oy Abp, when storing information about the health status of its employees, complied with the provisions of section 5, subsection 4 of the Working Life Data Protection Act;

iii. Has Viking Line Oy Abp, in accordance with Article 5(1)(d) and Article 25(1) of the General Data Protection Regulation, implemented all possible reasonable measures to ensure that the processed personal data regarding the employees' health status is accurate and error-free;

iv. Has Viking Line Oy Abp provided the data subjects with the information stipulated in Article 13 of the General Data Protection Regulation when personal data has been received from the data subjects;

v. Has Viking Line Oy Abp complied with the provisions of Article 5(1)(b) of the General Data Protection Regulation when handing over the complainant's personal data to the police;

vi. Has Viking Line Oy Abp implemented the applicant's right to access data in accordance with Article 12, Paragraph 3 and Article 15 of the General Data Protection Regulation; and

vii. Should the data controller be given an order according to Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the complainant's request to access the user log data?

Decision of the Deputy Data Protection Commissioner

Decision

105. The Deputy Data Protection Commissioner considers that Viking Line Oy Abp has not complied with the provisions of section 5 subsection 4 of the Working Life Data Protection Act when storing diagnosis data in the MAPS system.

106. The Deputy Data Protection Commissioner considers that Viking Line Oy Abp has not complied with the provisions of § 5 subsection 4 of the Working Life Data Protection Act when storing information about the health status of its employees in the MAPS system.

107. The Deputy Data Protection Commissioner considers that there has been a legal basis for processing patient data in the Medakt system.

108. The Deputy Data Protection Commissioner considers that Viking Line Oy Abp has not taken all possible reasonable measures in accordance with Article 5(1)(d) and Article 25(1) of the General Data Protection Regulation to ensure that the personal data processed in the MAPS system is accurate and error-free.

109. The Deputy Data Protection Commissioner considers that Viking Line Oy Abp has not complied with the provisions of Article 5(1)(a) and Article 13 of the General Data Protection Regulation.

110. The Deputy Data Protection Commissioner does not consider himself competent to assess the existence of a possible basis for handing over information to the police more broadly than stated in the reasons for this decision.

111. The Deputy Data Protection Commissioner considers that Viking Line Oy Abp, when responding to the complainant's request in accordance with Article 15 of the General Data Protection Regulation, has not complied with the provisions of Article 12, paragraph 3 of the General Data Protection Regulation.

112. The Deputy Data Protection Commissioner considers that Viking Line Oy Abp, when responding to the complainant's request pursuant to Article 15 of the General Data Protection Regulation, has not complied with the provisions of Article 15, Paragraph 1 of the General Data Protection Regulation.

113. The Deputy Data Protection Commissioner does not issue an order to comply with the complainant's request to access the user log information.

Order

114. The Deputy Data Protection Commissioner issues an order to the data controller in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to change its practices regarding the information of data subjects in accordance with the provisions of the General Data Protection Regulation.

Reprimand

115. The Deputy Data Protection Commissioner issues a reprimand to Viking Line Oy Abp pursuant to Article 58(2)(b) of the General Data Protection Regulation. The Deputy Data Protection Commissioner points out that the data controller's actions to implement the complainant's rights have not met the provisions of Article 12, paragraph 3 of the General Data Protection Regulation, and that the data controller has not implemented the complainant's request to access the data in accordance with Article 15 of the General Data Protection Regulation. Regarding the accuracy of the data, the controller has not complied with the provisions of Article 5(1)(d) and Article 25(1) of the General Data Protection Regulation. In addition, the controller has neglected its obligation to inform the data subjects about the processing of personal data.

116. The Deputy Data Protection Commissioner also points out that the data controller has not complied with the provisions of § 5 subsection 4 of the Working Life Data Protection Act when processing the health status data of its employees. The deputy data protection commissioner states that the procedure of the data controller was particularly reprehensible in this regard. Apart from the fact that the processing has been contrary to the provisions of the aforementioned regulation, the processing has also been quite large-scale, and this processing cannot be considered short-term. Furthermore, taking into account the subordinate position of the employees in relation to the employer, the processing can be considered to constitute a particularly high risk.

Reasoning

Regarding the processing of the employee's health data at the workplace

On the facts of the case at hand

117. According to the report given in the case, Viking Line Oy Abp has maintained a personnel management system (MAPS system), which has been used to manage employment relationships and take care of the employer's obligations. The MAPS system stores information related to the employment relationship, such as employee names and contact information, status information on employment contracts, qualification information, information related to attended trainings, and information related to salary payment and medical care costs. The MAPS system has also included information on employee absences, including sickness absences with their dates and ICD diagnosis codes. In addition to the codes, the system has also included diagnosis information in plain language. However, according to the supplementary report given in the case, ICD diagnosis codes and plain-language diagnosis information were removed from the system in 2020, and this information is no longer entered into the system. Now only the period of sickness absence and whether it is a paid or unpaid absence or, for example, family leave, is entered into the system.

Legal assessment

118. Section 5 of the Working Life Data Protection Act provides for the employer's right to process information about the employee's health. The employer has the right to process information about the employee's health if the information has been collected from the employee himself, or with his written consent from elsewhere, and the processing is necessary for the payment of sick pay or comparable health-related benefits, or to establish whether there is a justified reason for the absence from work, or if the employee expressly wishes his capacity for work to be assessed on the basis of health data. In addition, the employer has the right to process this information in those situations and to the extent separately provided for elsewhere in law. In the preparatory works of the Act preceding the Working Life Data Protection Act (Act on the Protection of Privacy in Working Life (477/2001)), it is expressly stated that the employer has the right, with the consent of the employee, to process information about the state of health, e.g. a doctor's certificate or statement with diagnosis information, in order to assess sickness absences.

119. Regardless of the employee's consent, the employer is bound by the requirement of necessity laid down in Section 3 of the Working Life Data Protection Act. The employer may only process personal data that is immediately necessary for the employee's employment relationship, which is related to managing the rights and obligations of the parties to the employment relationship or the benefits offered by the employer to the employees, or due to the special nature of the work tasks. The necessity requirement cannot be deviated from with the employee's consent.

120. It should be noted that the practices regarding the payment of wages for sick time are often based on the provisions of collective agreements. As a general rule, such contracts require the employee to provide the employer with a medical certificate with diagnosis information. In practice, in situations of recurrence of illness, the obligation to pay wages is often affected by whether it is a recurrence of the same illness or a different illness. In practice, the sick pay regulations have been interpreted in such a way that the medical certificate submitted to the employer must contain a medical diagnosis of the disease, i.e. diagnosis information. In practice, this means that the employer investigates whether the employee is entitled to sick pay based on the illness.

121. According to § 5 subsection 4 of the Employment Data Protection Act, the employer must keep the information it has about the employee's health separately from other personal data it collects.

122. The Deputy Data Protection Commissioner considers that the employer has the right, for example in its personnel management systems, to process information about when and for how long the employee has been away from work due to illness (acceptable reason, payment of sick leave salary). However, information about the reason for the sickness absence, for example the illness or injury, its nature or diagnosis information, should not be stored in the personnel management system. Medical certificates or statements submitted by the employee to the employer, or other documents or records containing health information, must be kept separately from other personal data concerning the employee. Such data can only be processed to the extent and for the purposes stipulated in Section 5 of the Working Life Data Protection Act. These purposes are usually separate and related to the employee's period of sick leave. The provisions of the Working Life Data Protection Act therefore do not allow or entitle the employer to create a separate personal data register of its employees' health status, in which employees' health status data, such as diagnosis data, would be collected and stored.

123. Based on the above, the Deputy Data Protection Commissioner considers that the data controller has not complied with the provisions of Section 5, Subsection 4 of the Working Life Data Protection Act when storing diagnosis data in the MAPS system. Since the diagnosis information has since been deleted from the MAPS system according to the report given in the case, the Deputy Data Protection Commissioner will not issue an order to this effect to Viking Line Oy Abp.

Regarding the retention of the employee's health status data

On the facts of the case at hand

124. The complainant has submitted that Viking Line Oy Abp has kept his health information (including diagnosis information) in the MAPS system for 20 years.

125. According to the report provided, Viking Line Oy Abp has maintained two registers intended for its internal use (the MAPS personnel management system and the patient information system Medakt), which have included, among other things, employees' health information.

126. The MAPS system has been reported to be Viking Line Oy Abp's personnel management system, which has been used to manage employment relationships and take care of the employer's obligations, such as salary payments. The Medakt system, on the other hand, has been reported to be an electronic patient information system used on Viking Line Oy Abp's ships, in which the nurses working on the ship, who are approved by the Finnish Social and Health Licensing and Supervision Agency (Valvira), record notes about treatment procedures performed on patients and medicines given, as required by section 12, subsection 1 of the Act on the Status and Rights of Patients (785/1992). Patients can be passengers who have fallen ill on the ships or members of the ship's staff.

127. According to the report given, sick leave certificates are kept for as long as they are needed to manage the rights and obligations related to the employment relationship. According to the report, information about the period of sick leave and the right to pay is stored in the MAPS system for ten years after the end of the absence. All ICD codes and diagnosis information have reportedly been removed from the MAPS system in 2020.

128. Information in the Medakt system is currently stored indefinitely. According to the explanation given, the information about the health status is recorded, as it has been considered necessary for monitoring the health status. Information related to the employee's injuries or health problems may be needed later, for example, to handle insurance issues or occupational disease investigations. The Medakt system contains data since 2012.

Legal assessment

129. As stipulated in section 5, subsection 4 of the Working Life Data Protection Act, information about health must be deleted immediately after there is no basis for the processing referred to in section 5, subsection 1 of the Working Life Data Protection Act. As stated in the justifications for the previous legal question, the purposes of the medical certificates or statements submitted by the employee to the employer or documents or recordings containing other health information are usually separate and related to the employee's period of sick leave. Consequently, the appropriate retention period for such data is generally relatively short. Furthermore, as stipulated in section 5 subsection 4 of the Working Life Data Protection Act, the basis and need for processing data about the employee's health must be evaluated at least every five years.

130. Section 9 of the Ship's Pharmacy Act provides for a medication diary to be kept in the ship's pharmacy. According to the law, an entry must be made in the medicine diary for all purchases made in the ship's pharmacy, medicines given to persons and treatment procedures performed, as well as medicines and medical supplies removed from the ship's pharmacy. Information about the person must be kept separate from information about medicines and medical supplies. The medication diary must be kept for at least five years from the last entry made in it.

131. The Deputy Data Protection Commissioner interprets the Ship's Pharmacy Act as a health and safety regulation intended to improve and monitor medical treatment on ships rather than as a regulation concerning patient data as such. Section 1 of the Ship's Pharmacy Act provides for the purpose of the Act, which is to ensure the ability of the ship's crew to receive appropriate first aid and medical care on board in case of illness or accident. The Act requires that the medicines and medical supplies prescribed in it are available on the ship. Section 9 of the Ship's Pharmacy Act also enables the processing of personal data in the medication diary. In addition, when treatment procedures are carried out by a healthcare professional on the basis of the transfer of tasks referred to in § 5, subsection 3 of the Ship's Pharmacy Act, the healthcare professional's obligation under § 12 of the Act on the Status and Rights of Patients to draw up and keep patient document entries, as well as the other regulations on the processing of patient data, must be taken into account.

132. Based on the above, the Deputy Data Protection Commissioner considers that Viking Line Oy Abp has not presented any basis in the case that would have allowed the complainant's data to be stored in the MAPS system for 20 years. Nor has Viking Line Oy Abp put forward any justification on the basis of which it would be appropriate to keep information about the health status of its employees in the MAPS system for ten years after the end of the absence. When storing information about the health status of its employees in the MAPS system, the controller has not complied with the provisions of section 5, subsection 4 of the Working Life Data Protection Act. Since the diagnosis information has since been deleted from the MAPS system according to the report given in the case, the Deputy Data Protection Commissioner will not issue an order to this effect to Viking Line Oy Abp.

133. According to section 2, subsection 1, point 1 of the Patient Act, a patient means a person who uses health and medical care services or is otherwise subject to them. The preparatory works of the Act refer to the well-established interpretation of the Patient Injury Act, according to which health and medical care refers to measures taken to determine an individual's state of health or to restore or maintain their health, which are performed by healthcare professionals or performed in a healthcare operating unit. A healthcare professional means a person who carries out his activities under a legal right or who is registered under the law with the Finnish Social and Health Board (currently the Licensing and Control Agency for the Social and Health Sector, Valvira). Healthcare professionals are regulated in more detail in the Act on Health Care Professionals. Furthermore, the above-mentioned preparatory works state that, in unclear cases, whether an activity constitutes health care or medical care of an individual can be decided on the basis of the nature and purpose of the activity and the training of the person providing care. Care within the meaning of the definition is therefore also care given outside actual healthcare operating units, if it is given by a healthcare professional. Health care or medical care provided by a healthcare professional in, for example, social care operating units, as well as the services of pharmaceutical professionals in pharmacies, fall within the scope of the Act.

134. In the report given, it has been stated that the nurses working on the ships are healthcare professionals approved by the Licensing and Control Agency of the Social and Health Sector (Valvira). On the basis of the above, the Deputy Data Protection Commissioner considers that the persons treated at the ship nurses' reception are patients as defined in the Patient Act, and the nurses' notes regarding such persons are, in turn, patient documents as defined in the Patient Act.

135. Regarding the actual patient document entries stored in the Medakt system, it should be noted that the retention of patient data is regulated in the Patient Act and the Patient Document Decree. According to Section 2, Subsection 1, Clause 5 of the Patient Act, patient documents refer to documents, drawn up or received, used in the organization and implementation of the patient's care, or technical recordings that contain information about the patient's state of health or other personal information. According to Section 12 of the Patient Act, the healthcare professional must enter in the patient records the information necessary to secure the organization, planning, implementation and monitoring of the patient's treatment. According to the same provision, patient documents must be kept for the time required for the organization and implementation of the patient's treatment, possible compensation claims related to the treatment, and scientific research. Patient documents must be destroyed immediately once none of the above grounds for their retention remains. The retention of patient documents and the respective retention periods are regulated in more detail in the Patient Document Decree. Retention periods are defined in the annex to the decree, according to which patient documents must, as a rule, be kept for 12 years after the patient's death or, if no information on the death is available, for 120 years after the patient's birth.

136. The maintenance of the medicine diary and the processing of the personal data contained in it is based on § 9 of the Act on Ship's Pharmacy, which defines the information to be stored in the medicine diary. Thus, there has been a basis for the processing of personal data to be included in the medication diary. According to section 5 of the ship pharmacy act, the ship must, among other things, be able to provide first aid and medical care to persons who need it, and according to section 3, the provision of first aid and medical care, among other things, can be defined as the task of a healthcare professional. In this case, the health care professional is obliged to draw up patient document entries for the treatment provided, in accordance with § 12 of the Act on the Status and Rights of the Patient. Based on the above, there has been a basis for data processing in the Medakt system.

Inaccuracy of information

On the facts of the case at hand

137. The complainant has submitted that in his case, some of the information stored in the MAPS system has been partially incorrect. The complainant has submitted that, for example, the ICD code entered into the MAPS system for the sick leave granted at the turn of the year 2016–2017 does not match the code entered on the sick leave certificate.

138. In the report given, it has been stated that during the investigation of the matter it emerged that in 2001 it was not possible to store all ICD codes in the MAPS system. Consequently, only some of the codes have been used. This, in turn, has meant that sickness absences could be saved in the system with a different code than the one on the granted sick leave. Users of the system have reportedly tried to find the closest matching code that could be entered into the system.

Legal assessment

139. Article 5 of the General Data Protection Regulation lays down the principles regarding the processing of personal data. According to paragraph 1, subparagraph d of the article, personal data must be accurate and, if necessary, updated. The controller must take all possible reasonable measures to ensure that personal data that is inaccurate or incorrect in relation to the purposes of the processing is deleted or corrected without delay ("accuracy").

140. The data subject has the right to be evaluated on the basis of correct information. Inaccurate and/or incorrect personal data may pose a risk to the rights and freedoms of the data subject. Article 16 of the General Data Protection Regulation provides for the data subject's right to rectification: the data subject has the right to demand that the controller rectify inaccurate and incorrect personal data concerning him without undue delay. The purpose is to prevent wrong conclusions or decisions based on incorrect or incomplete information. Incorrect information means untrue information that does not correspond to the facts.

141. The provisions of Article 25, paragraph 1 of the General Data Protection Regulation are also relevant. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons posed by the processing, the controller must, both when determining the means of processing and during the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing, so that the processing meets the requirements of the Regulation and the rights of data subjects are protected.

142. The European Data Protection Board has issued practical guidelines on data protection by design and by default under Article 25 of the General Data Protection Regulation. Among other things, these guidelines describe key elements of data protection by design and by default as regards accuracy. These include, for example, the degree of accuracy, continued accuracy and data design. The controller must use technical and organizational measures to reduce possible inaccuracies in personal data, for example by using precise, predefined options instead of free text fields.

143. According to the explanation provided, diagnosis information is entered in the MAPS system with ICD codes. However, not all possible ICD codes were available for selection in the MAPS system, which has led to partly incorrect diagnosis entries, as can be seen from the report received.

144. Based on the above, the Deputy Data Protection Commissioner considers that the data controller has not, in accordance with Article 5(1)(d) and Article 25(1) of the General Data Protection Regulation, taken all possible reasonable measures to ensure that the personal data processed in the MAPS system is accurate and error-free. Since the diagnosis information is no longer recorded in the MAPS system according to the report given in the case, the Deputy Data Protection Commissioner will not give Viking Line Oy Abp the order regarding the violation that has now been found.
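As an added illustration of the accuracy problem described in paragraphs 138 and 143 and the design-stage control referred to in paragraph 142, the following example (written for this page, not code from the decision or from any Viking Line system) contrasts a pick-list that cannot represent every certificate code and silently substitutes the "closest" one with a validator that checks the certificate code against the complete reference set and refuses to store a substitute. The code sets, absence identifiers and the `find_mismatches` audit are constructed for illustration and are not the real ICD-10 list or the MAPS system.

```python
import re

# Constructed subset standing in for the complete reference code set that may
# appear on a medical certificate (the real ICD-10 list has thousands of codes).
REFERENCE_CODES = {"J06.9", "J10.1", "M54.5", "S52.5", "F43.2"}

# Constructed, deliberately incomplete pick-list modelling a legacy system that,
# as in paragraph 138, could only store some of the codes.
LEGACY_PICKLIST = ("J06.9", "M54.5", "S52.5")

# Shape of an ICD-10 code: letter, two digits, optional dot and 1-4 subcodes.
ICD10_PATTERN = re.compile(r"^[A-Z][0-9]{2}(?:\.[0-9A-Z]{1,4})?$")


class InaccurateDataError(ValueError):
    """Raised instead of storing a substitute value (fail closed)."""


def legacy_closest_match(certificate_code: str) -> str:
    """Flawed design: when the certificate code is not in the pick-list, the user
    picks the entry sharing the longest prefix. The stored value silently
    diverges from the certificate and nothing records that it did."""
    def shared_prefix(a: str, b: str) -> int:
        n = 0
        for x, y in zip(a, b):
            if x != y:
                break
            n += 1
        return n
    # max() returns the first pick-list entry on ties, so an unrelated code
    # such as F43.2 is stored as J06.9 without any warning.
    return max(LEGACY_PICKLIST, key=lambda c: shared_prefix(c, certificate_code))


def validate_certificate_code(certificate_code: str) -> str:
    """Design-stage control: normalise the format, then accept the code only if it
    exists in the complete reference set. An unknown code is rejected and left
    for a human to resolve; it is never mapped to a 'nearby' value."""
    code = certificate_code.strip().upper()
    if not ICD10_PATTERN.match(code):
        raise InaccurateDataError(f"malformed code {certificate_code!r}")
    if code not in REFERENCE_CODES:
        raise InaccurateDataError(
            f"code {code} is not in the reference set; extend the set, do not substitute")
    return code


def find_mismatches(stored: dict, certificates: dict) -> list:
    """Accuracy audit: compare what the personnel system holds against the code on
    each certificate. Returns (absence_id, stored_code, certificate_code) for every
    divergence, including absences the system holds no code for (stored None)."""
    return [(aid, stored.get(aid), cert)
            for aid, cert in sorted(certificates.items())
            if stored.get(aid) != cert]


if __name__ == "__main__":
    # Constructed sample: codes as they appeared on four certificates.
    certificates = {"abs-2016-12": "J10.1", "abs-2017-03": "M54.5",
                    "abs-2018-07": "F43.2", "abs-2019-02": "Z99.9"}
    legacy = {aid: legacy_closest_match(code) for aid, code in certificates.items()}
    print("legacy register diverges from certificates:", find_mismatches(legacy, certificates))
    hardened = {}
    for aid, code in certificates.items():
        try:
            hardened[aid] = validate_certificate_code(code)
        except InaccurateDataError as exc:
            print("rejected for manual handling:", aid, exc)
    print("hardened register diverges from certificates:", find_mismatches(hardened, certificates))
```

The legacy path stores three of the four absences with a wrong code and records no trace of it; the hardened path stores the three codes exactly as certified and surfaces the fourth as a known gap rather than a wrong value.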

Informing data subjects

On the facts of the case at hand

145. According to the complainant, the employees have not been informed in any way about the extensive record keeping in question. It has not been possible to find any kind of information or instructions on the company's intranet regarding the processing of employees' personal data by the data controller.

146. In the report given, it has been stated that during the investigation of the matter, it has emerged that the employees have not been sufficiently informed about the current processing of personal data.

Legal assessment

147. According to Article 5, paragraph 1, subparagraph a of the General Data Protection Regulation, personal data must be processed transparently from the point of view of the data subject. Article 12 of the General Data Protection Regulation, on the other hand, provides for transparency in more detail. The principle of transparency is strongly linked to Article 13 of the General Data Protection Regulation, which stipulates the information that must be provided to the data subject when personal data is collected from the data subject himself.

148. It should be noted that the Article 29 Working Party has issued practical guidelines ("transparency guidelines") on the principle of transparency. According to these guidelines, the duty of transparency comprises three key areas: 1) providing data subjects with information related to fair processing, 2) the way data controllers inform data subjects of their rights under the General Data Protection Regulation, and 3) the means by which data controllers help data subjects exercise their rights.

149. It should also be noted that the General Data Protection Regulation does not regulate the form of data submission and other details. However, the regulation stipulates that the data controller has the obligation to take "appropriate measures" to provide the data subject with the required information for the sake of transparency. This means that the controller must take into account all the circumstances of the collection and processing of personal data when choosing the appropriate way and format of data delivery. Appropriate measures must be evaluated especially in terms of the experience of the user of the product or service.

150. The data subject should receive information on the scope and consequences of the processing in advance, so that the ways in which the personal data are used do not later come as a surprise to the data subject. This is also important for the principle of fairness referred to in Article 5(1) of the General Data Protection Regulation, and it relates to recital 39, according to which natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data.

151. Where personal data are obtained from the data subject as referred to in Article 13 of the General Data Protection Regulation, the information listed in that Article must be provided to the data subject at the time the data are obtained from the data subject.

152. As regards the manner in which the information is provided, Article 13 of the General Data Protection Regulation requires that the controller 'shall [...] provide the data subject with all of the following information'. The operative word in that wording is 'provide'. This means that the controller must take active steps to furnish the information to the data subject, or actively direct the data subject to where the information can be found.

153. According to the complainant, the data subjects have not been informed in any way about the processing in question. The controller has not contested that claim and has admitted that the information provided was insufficient. The Deputy Data Protection Commissioner therefore finds that the controller has not complied with Article 5(1)(a) and Article 13 of the General Data Protection Regulation.

154. The Deputy Data Protection Commissioner orders the controller, pursuant to Article 58(2)(d) of the General Data Protection Regulation, to bring its practices for informing data subjects into line with the provisions of the Regulation.

Disclosure of personal data to the police

On the facts of the case at hand

155. The data recorded in the MAPS system have been used for personnel administration purposes, such as paying salaries and verifying that they are correct. The diagnosis data recorded in the system were initially processed to determine whether particular absences were paid. Viking Line Oy Abp has since assessed, however, that recording diagnoses is not necessary for the intended use of the system. The Medakt system, as stated above, is the electronic patient information system used on Viking Line Oy Abp's ships. According to the report, the data in the registers have not been used for any purpose other than their original one.

156. Notwithstanding the above, the report states that the complainant's health data were handed over to the police for the investigation of a criminal case, and that this should not have been done. The report goes on to state that in a pre-trial investigation a doctor or other healthcare professional may be obliged to testify about, for example, confidential patient information where the offence in question carries a maximum penalty of at least six years' imprisonment, but that the underlying criminal case did not involve such an offence. The report further states that the information should not have been disclosed for a criminal investigation without the patient's express written consent.

Legal assessment

157. Under Article 5(1)(b) of the General Data Protection Regulation, personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes ('purpose limitation'). Recital 50 of the Regulation also states that processing of personal data for purposes other than those for which the personal data were originally collected should be allowed only where the processing is compatible with the purposes for which the personal data were originally collected.

158. As stated in the reasoning on the first legal question, the employer is in itself entitled to process diagnosis data relating to its employees' sickness absences. The purposes of that processing are, however, separate and relate to the employee's period of sick leave. The purpose of processing patient data, by contrast, relates to the treatment of the patient, and the purpose of processing the data in the medicine diary relates to the duties laid down in the Ship Pharmacy Act.

159. Under section 14 of the Patient Act, a breach of the duty of confidentiality laid down in section 13(2) and section 13(3)(5) of the Patient Act is punishable under chapter 38, section 1 or 2 of the Criminal Code, unless the act is punishable under chapter 40, section 5 of the Criminal Code or a more severe penalty is provided for it elsewhere in law. Since the complainant's diagnosis data have since been handed over to the police, the Deputy Data Protection Commissioner considers that the lawfulness of that disclosure can be assessed as a criminal matter. The Deputy Data Protection Commissioner therefore does not consider himself competent to assess further whether there was a basis for the disclosure. On this question the complainant may turn to the police.

The right of access to personal data

On the facts of the case at hand

160. The complainant states that he requested access to his personal data from Viking Line Oy Abp on at least 10 January 2020 and 3 February 2020.

161. According to the report submitted, information on sick leave certificates was provided to the complainant to the extent that the information was still stored. According to Viking Line Oy Abp, the oldest data had already been deleted. Copies of the remaining sick leave certificates were delivered to the complainant on 1 April 2020. Before that, the complainant's questions had been answered by email at least on 31 January 2020. Diagnosis data were not provided to the complainant in this connection.

162. In this regard, however, the complainant has referred to a copy of his diagnosis data recorded in the MAPS system, which he received in 2020 and submitted to the Office of the Data Protection Commissioner. Since the diagnosis data had in fact not been deleted in 2018-2019, the complainant has stressed that this information could have been provided to him in response to his request of 10 January 2020.

Legal assessment

163. Article 15 of the General Data Protection Regulation provides for the data subject's right of access. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and to the information separately listed in the Article.

164. Article 12 of the General Data Protection Regulation also lays down detailed rules on the exercise of the data subject's rights. Under Article 12(3), the controller must provide the data subject with information on the action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of the requests. The controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information must be provided by electronic means where possible, unless otherwise requested by the data subject. Furthermore, under Article 12(4), if the controller does not take action on the request of the data subject, the controller must inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

165. In the case at hand, the complainant was not provided with the diagnosis data he requested in response to his request of 10 January 2020, although such data were demonstrably still in Viking Line Oy Abp's possession as late as 6 February 2020, when the complainant obtained the data by indirect means.

166. In the case at hand, the complainant made the requests described above on 10 January 2020 and 3 February 2020. In response to those requests, copies of the remaining sick leave certificates were delivered to the complainant on 1 April 2020. In the meantime there was email correspondence between the complainant and the controller's representatives. The controller therefore responded to the complainant's contacts and requests within one month of the requests. However, the controller did not provide the complainant with the information he requested within that time, nor did it inform the complainant of the reason for the delay in providing the information. Since the controller did not provide the complainant with all of the information he requested within one month of the complainant's first request referred to above, the controller did not comply with Article 12(3) of the General Data Protection Regulation when responding to the complainant's request under Article 15 of the Regulation.

167. The complainant asked Viking Line Oy Abp several times specifically for the diagnosis data stored in the company's systems. The controller can therefore be considered to have been aware of the complainant's wish to access that information. Nevertheless, the information was not properly provided to the complainant. Although the complainant eventually managed to obtain the information through a nurse, Viking Line Oy Abp's handling of the matter cannot be considered appropriate. The diagnosis data were not provided to the complainant together with, and through the same channel as, the other information provided to him. On the contrary, the complainant was given to understand that no diagnosis data had been entered separately in the system. Since the controller did not give the complainant access to the diagnosis data entered in the system, the controller did not comply with Article 15(1) of the General Data Protection Regulation when responding to the complainant's request under Article 15 of the Regulation.

The right of access to log data

On the facts of the case at hand and the content of the report submitted

168. The complainant requested access to Viking Line Oy Abp's log data concerning the processing of his personal data. The log data were not provided to the complainant.

169. The report submitted refers to the Act on the Electronic Processing of Customer Data in Social and Health Care (159/2007), which was repealed on 1 November 2021. Under section 18 of that Act, the customer had the right, on written request, to receive from the provider of social and health care services, without delay and free of charge, information based on the log register on who had used, or to whom had been disclosed, data concerning him or her and what the basis of the use or disclosure was, in order to clarify or exercise his or her rights relating to the processing of his or her customer data.

170. According to the report, the obligation to provide log data applies to health care service providers, meaning the health care operating unit referred to in section 2(1)(4) of the Act on the Status and Rights of Patients, the employer referred to in section 7(1)(2) of the Occupational Health Care Act (1383/2001), and a healthcare professional practising independently as a self-employed person. On ships, such as those of Viking Line Oy Abp, medical care for the crew is based on the Ship Pharmacy Act. The Ship Pharmacy Act also lays down an obligation to record the treatment procedures performed in the medicine diary. Since the Act on the Status and Rights of Patients does not refer to the Ship Pharmacy Act, Viking Line Oy Abp has, according to the report, interpreted the provision on providing log data to mean that it is not a provider of health care services as defined in the law, and that log data therefore could not be provided. The report also states that the log data concern the users of the information systems, and therefore cannot be given to the person whose data were processed solely on the basis of the General Data Protection Regulation.

Legal assessment (General Data Protection Regulation)

171. Article 15 of the General Data Protection Regulation provides for the data subject's right of access. Under that Article, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and to the information listed in the Article. The data subject thus has this so-called right of inspection in respect of the data concerning him or her.

172. In its decision practice, the Data Protection Commissioner has held that user log data are not data about customers but data about the persons who have processed the customer data. The data subject's right of access has therefore not been considered to extend to the data in the user log. In the absence of special legislation, the right to inspect log data has been held to belong only to the persons who themselves processed the personal data in the register (see, for example, Parliamentary Ombudsman decision EOA 1433/4/05 of 8 February 2007 and the decision of the Deputy Data Protection Commissioner in case 7681/152/2018 of 4 August 2020). Irrespective of this, the customer retains the right, on the basis of the right of inspection, to check his or her actual customer data and any entries made in them.

173. As stated in the decision practice referred to above, log data have been regarded specifically as data concerning the persons who processed the customer or register data. Consequently, log data have not been regarded as data concerning the data subject to which he or she would have a right of access under Article 15. It must be noted, however, that the Deputy Data Protection Commissioner's decision 7681/152/2018 referred to above has been appealed to the Administrative Court of Eastern Finland, which in turn has requested a preliminary ruling on the matter from the Court of Justice of the European Union.

Legal assessment (special legislation)

174. In addition to the right based on Article 15 of the General Data Protection Regulation, log data may be obtained on the basis of a right of access laid down in other legislation. Section 18 of the now-repealed Act on the Electronic Processing of Customer Data in Social and Health Care (250/2014, repealed by Act 784/2021) provided for the patient's right to receive from the provider of social and health care services information on who had used, or to whom had been disclosed, data concerning him or her and what the basis of the use or disclosure was. This was a special right of access, separate from the rights laid down in the General Data Protection Regulation. The repealed Act did not assign the assessment of this right of access to the Data Protection Commissioner. Although that task is laid down in section 26(4) of the new Act on the Electronic Processing of Customer Data in Social and Health Care (784/2021), the provision applies only to requests made after its entry into force (1 November 2021). The Deputy Data Protection Commissioner therefore does not assess the fulfilment of this right of access in the present case.

175. At the end of this decision, however, the Deputy Data Protection Commissioner gives general guidance on this question.

Applicable legal provisions

Those referred to in the reasoning.

Appeal

Under section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court as provided in the Administrative Judicial Procedure Act (808/2019). The appeal is lodged with the Helsinki Administrative Court.

Service

The decision is served in accordance with section 60 of the Administrative Procedure Act (434/2003) by post against acknowledgement of receipt.

Further information on this decision is provided by the rapporteur

Laura Varjokari, tel. 029 566 6771.

Guidance of the Deputy Data Protection Commissioner

The complainant has requested access to Viking Line Oy Abp's log data concerning the processing of his personal data. In assessing this request, at least the following legislation is relevant.

According to the report submitted, the obligation to provide log data applies to health care service providers, meaning the health care operating unit referred to in section 2(1)(4) of the Act on the Status and Rights of Patients, the employer referred to in section 7(1)(2) of the Occupational Health Care Act (1383/2001), and a healthcare professional practising independently as a self-employed person. On ships, such as those of Viking Line Oy Abp, medical care for the crew is, in Viking Line Oy Abp's understanding, based on the Ship Pharmacy Act. The Ship Pharmacy Act also lays down an obligation to record the treatment procedures performed. Since the Act on the Status and Rights of Patients does not refer to the Ship Pharmacy Act, Viking Line Oy Abp has, according to the report, interpreted the provision on providing log data to mean that it is not a provider of health care services as defined in the law, and that log data therefore could not be provided.

As a starting point, the Deputy Data Protection Commissioner considers, on the basis of the above, that medical care on ships cannot be excluded from all basic regulation of health care and the processing of patient data. Since health care professionals perform treatment procedures on persons on board, the Deputy Data Protection Commissioner considers that section 12 of the Patient Act on the obligation to draw up patient records then applies as a rule.

The scope of the Customer Data Act is central to deciding the question. Under section 2 of the Customer Data Act, the Act lays down provisions supplementing and specifying the General Data Protection Regulation where social and health care customer data, and well-being data generated by customers themselves, are processed electronically for the purpose of organizing and providing social and health care. According to the preparatory works of the Act, it applies when public and private social and health care service providers organize or provide social and health care.

Under section 3(1)(7) of the Customer Data Act, 'service provider' means a social and health care service organizer and a social and health care service producer. Under section 3(1)(8)(b) of the Act, 'service organizer' means a service provider which, as a private service provider, is obliged to ensure that the customer receives the service to which he or she is entitled under the contract. Under section 3(1)(9) of the Act, 'service producer' means a service provider which a) in the position of a service organizer itself produces a social or health service, or b) produces a social or health service on behalf of a service organizer.

Section 2(1)(4) of the Patient Act likewise defines the health care operating unit (i.e. the service provider). Under section 7(1)(2) of the Occupational Health Care Act (1383/2001), service provider means an employer and a self-employed healthcare professional.

Under section 2(1) of the Private Health Care Act (152/1990), health care services means 1) laboratory services; 2) radiological services and other comparable imaging and examination methods; 3) other examinations and procedures performed to determine a person's state of health or illness or to determine treatment; 4) physiotherapy and other measures and therapies that improve and maintain functional capacity; 5) occupational health care; 6) medical and dental services and other health and medical care and comparable services; 7) massage; and 8) ambulance services.

Under section 2(2) of the Private Health Care Act, service provider means an individual or a company, cooperative, association or other corporation or foundation that maintains a unit producing health care services. A self-employed person, or an employer which itself arranges the occupational health care services referred to in the Occupational Health Care Act, is not considered a service provider.

A self-employed person, in turn, means under section 2(3) of the Private Health Care Act a healthcare professional referred to in section 2(1) of the Act on Health Care Professionals (559/1994) who practises the profession independently.

Under section 4 of the Private Health Care Act, a service provider must hold a licence issued by the licensing authority in order to provide health care services. A self-employed person, in turn, must under section 9 a of the Act submit a written notification of his or her activities to the Regional State Administrative Agency before providing the health and medical care services referred to in the Act.

Reference is also made in this context to the written parliamentary question on the shortcomings in the interpretation of the Ship Pharmacy Act as regards the availability of log data and the patient's right to have his or her health data recorded, inspected and corrected, and to the answer to that question given by the Minister of Social Affairs and Health on 17 March 2022. The answer states that the Customer Data Act does not apply on board ship, because no service provider as defined in that Act is involved. The answer further states that the Ministry of Social Affairs and Health is preparing a comprehensive reform of the regulation of social and health care data management, which will combine, among other things, the Act on the Electronic Processing of Customer Data in Social and Health Care and the provisions of the Act on the Status and Rights of Patients on the processing of patient data. In connection with the reform, the reference in section 9 of the Ship Pharmacy Act to the provision on confidentiality will also be updated. The draft already circulated for comments proposes a reference to the new Act only as regards the duty of confidentiality, but in finalizing the draft it will be possible to consider extending the general obligations on the processing of customer data, such as confidentiality, the collection of log data and the customer's right of access to log data, to ship pharmacies as well.

Notwithstanding the above, the Deputy Data Protection Commissioner does not consider himself competent to decide whether Viking Line Oy Abp is to be regarded as a service provider within the meaning of section 26 of the Customer Data Act. Since, for the reason explained in the final section of the decision, the Deputy Data Protection Commissioner has not decided the question of the complainant's right of access to log data in the present case, the Deputy Data Protection Commissioner has not requested a statement from the authorities supervising compliance with the Customer Data Act. The Deputy Data Protection Commissioner will, however, send this decision for information to the National Supervisory Authority for Welfare and Health (Valvira), the Regional State Administrative Agency for Southern Finland and the Ministry of Social Affairs and Health for any action they may consider necessary.

This guidance of the Deputy Data Protection Commissioner is not subject to appeal.

Decision of the Sanctions Board on the administrative fine

Controller

Viking Line Oy Abp

1. According to the decision of the Deputy Data Protection Commissioner, Viking Line Oy Abp has not complied with section 5(4) of the Working Life Data Protection Act when storing diagnosis data and other data on the health status of its employees in the MAPS system. Nor has Viking Line Oy Abp, as required by Article 5(1)(d) and Article 25(1) of the General Data Protection Regulation, taken every reasonable step to ensure that the personal data processed in the MAPS system are accurate and free of errors.

2. Viking Line Oy Abp has not complied with Article 5(1)(a) and Article 13 of the General Data Protection Regulation. Nor has Viking Line Oy Abp complied with Article 12(3) and Article 15(1) of the Regulation when responding to the complainant's request under Article 15 of the Regulation.

3. Having regard to the gravity of the infringements, the matter does not concern a minor infringement as referred to in recital 148 of the General Data Protection Regulation. As regards effectiveness, proportionality and dissuasiveness, it must be stated that in the present case the order issued by the Deputy Data Protection Commissioner under Article 58(2)(d) of the Regulation, together with the reprimand issued in the case, is not a sufficient sanction, having regard to Article 83(2) of the Regulation. An administrative fine must be imposed in this case. The imposition of a fine is supported in part by the fact that the matter does not concern isolated infringements but Viking Line Oy Abp's established operating practices, as regards the infringements of the Working Life Data Protection Act and of Article 5(1)(a) and Article 13 of the General Data Protection Regulation.

4. Viking Line Oy Abp has therefore failed to comply with the following provisions, the infringement of which is subject to an administrative fine under Article 83(5) of the General Data Protection Regulation: 1) Article 5(1)(d) and (a); 2) Article 13; 3) Article 12(3); and 4) Article 15(1). Viking Line Oy Abp has also failed to comply with Article 25(1) of the Regulation, the infringement of which is subject to an administrative fine under Article 83(4) of the Regulation.

5. Viking Line Oy Abp's turnover in 2021 was EUR 258,243,347.47. In the present case, the administrative fine imposed on Viking Line Oy Abp may not exceed EUR 20,000,000. In addition to the corrective powers and measures imposed by the Deputy Data Protection Commissioner referred to above, the Sanctions Board formed by the Data Protection Commissioner and the Deputy Data Protection Commissioners (the 'Sanctions Board') imposes on the controller, pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation, an administrative fine of EUR 230,000 (two hundred and thirty thousand euros), payable to the State. The Sanctions Board of the Office of the Data Protection Commissioner considers an administrative fine of EUR 230,000 to be effective, proportionate and dissuasive.

Reasons for imposing the administrative fine

6. Article 83 of the General Data Protection Regulation lays down the general conditions for imposing administrative fines. First, the imposition of an administrative fine must in each individual case be effective, proportionate and dissuasive. Second, administrative fines are imposed, depending on the circumstances of each individual case, in addition to, or instead of, the corrective measures provided for in Article 58. In the present case, the Deputy Data Protection Commissioner has ordered Viking Line Oy Abp to bring its practices for informing data subjects into line with the General Data Protection Regulation and has issued a reprimand to the company. The administrative fine is therefore imposed in addition to the measures under Article 58(2)(b) and (d).

7. When deciding whether to impose an administrative fine and on its amount, due regard must be given in each individual case to the factors listed in Article 83(2) of the General Data Protection Regulation.

8. As stated above, Viking Line Oy Abp has failed to comply with the following provisions, the infringement of which is subject to an administrative fine under Article 83(5) of the General Data Protection Regulation: 1) Article 5(1)(d) and (a); 2) Article 13; 3) Article 12(3); and 4) Article 15(1). Viking Line Oy Abp has also failed to comply with Article 25(1) of the Regulation, the infringement of which is subject to an administrative fine under Article 83(4) of the Regulation.

9. Under Article 83(3) of the General Data Protection Regulation, if a controller intentionally or negligently, for the same or linked processing operations, infringes several provisions of the Regulation, the total amount of the administrative fine may not exceed the amount specified for the gravest infringement.

10. The gravity of the infringements must be assessed on the basis of the factors listed in Article 83(2) of the General Data Protection Regulation. The assessment must identify the act or omission that, having regard to the particulars of the case under assessment, is to be considered the most reprehensible.

11. In the present case, the infringements of Articles 5, 12, 13 and 15 of the General Data Protection Regulation, together with the infringement of obligations under Member State law adopted pursuant to Chapter IX of the Regulation, fall into the higher fine category under Article 83(5) of the Regulation as the gravest infringements. The applicable maximum amount of the administrative fine is accordingly determined under Article 83(5) of the Regulation and may not be exceeded by virtue of Article 83(3).

12. Under Article 83(5) of the General Data Protection Regulation, infringements of the provisions referred to in Article 83(5)(a) (Articles 5, 6, 7 and 9) and Article 83(5)(b) (Articles 12 to 22) are subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.

13. The assessment has also taken into account the Article 29 Working Party guidelines on the application and setting of administrative fines.

Assessment of the seriousness of violations

14. In assessing the gravity of the infringements, Article 83(2)(a), (b) and (g) of the General Data Protection Regulation have been taken into account.

Nature, severity and duration, nature, scope or purpose of data processing

15. According to recital 51 of the General Data Protection Regulation, personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to those fundamental rights and freedoms. Specific requirements apply to the processing of special categories of personal data; in particular, the processing of such data is prohibited as a rule. Processing of such data is permitted only where both 1) one of the general conditions for lawful processing under Article 6 of the General Data Protection Regulation is met and 2) one of the specific conditions laid down in Article 9 of the General Data Protection Regulation also applies.

16. Although it is not at issue in this case whether Viking Line Oy Abp has processed its employees' health data without the conditions for processing laid down in Articles 6 and 9 of the General Data Protection Regulation, Viking Line Oy Abp has processed data concerning the health of its employees in violation of § 5(4) of the Act on the Protection of Privacy in Working Life. In addition, Viking Line Oy Abp has failed to comply with Article 5(1)(d) and Article 25(1) of the General Data Protection Regulation. It should be noted that data protection by design and by default is one of the core elements of the General Data Protection Regulation, on which the practical realisation of data protection is built.

17. Several infringements and shortcomings have been identified. In addition to the infringements mentioned above, Viking Line Oy Abp has failed to comply with Article 5(1)(a) and Article 13 of the General Data Protection Regulation. These provisions concern the right to be informed, which among other things enables data subjects to exercise the rights laid down for them in the Regulation. The Sanctions Board considers the infringement of this right particularly reprehensible.

18. Nor has Viking Line Oy Abp, in responding to the complainant's request under Article 15 of the General Data Protection Regulation, complied with Article 12(3) and Article 15(1) of the General Data Protection Regulation. As regards the latter, however, the assessment has taken into account that there was an e-mail exchange between Viking Line Oy Abp and the complainant which shows that the company had attempted to respond to the complainant's request within the prescribed time limit. The assessment has also taken into account that the infringement of Article 12(3) and Article 15(1) of the General Data Protection Regulation found in this case was limited to the individual case at hand. Nothing has emerged in the case on the basis of which the infringements of those provisions could be found to be large-scale.

19. It must be stated separately that the Act on the Protection of Privacy in Working Life has been in force since 2004 and that the General Data Protection Regulation has applied since May 2018. Viking Line Oy Abp has therefore had a reasonable amount of time to bring the processing activities at issue into compliance with the law, and the infringements cannot be considered short in duration.

20. Furthermore, even taking into account that the incompleteness of the ICD code set in the MAPS system concerned only the year 2001, so that the period in which the inaccuracy of the data arose can be regarded as relatively short in the overall picture of the case, this does not have a mitigating effect on the assessment, because there was no legal basis for storing the ICD codes at all. On the contrary, the fact that even incorrect diagnosis data was stored for a considerable time is taken into account as an aggravating factor. The processing of incorrect diagnosis data poses a high risk to the legal protection of data subjects.

21. It should be noted that the nature of the infringements must be regarded as a factor in favour of imposing an administrative fine.

Number of data subjects affected by the infringement and the extent of the damage

22. The MAPS system has been shown to contain the personal data of approximately 6,000 data subjects, some of whom are current and some former employees of Viking Line Oy Abp. It has not been shown in the case that the infringements now found in relation to the MAPS system affected only a limited group of those data subjects. On the contrary, the infringements found reflect a systematic way of operating and a lack of appropriate practices. The processing has affected a significant part of Viking Line Oy Abp's personnel.

23. In assessing the effect of the infringements on the number of data subjects, it has also been taken into account that the processing of personal data at issue was not solely national: it also affected data subjects located in other EU/EEA countries who have worked on Viking Line Oy Abp's vessels sailing under the Finnish flag. The processing concerned data subjects in a weaker position relative to Viking Line Oy Abp.

24. This has not been a matter of a single person or of isolated events. The number of data subjects affected by the infringements cannot be considered small. On the one hand, this number reflects the gravity of the infringements; on the other hand, on the basis of the information provided to the Data Protection Commissioner's office, it cannot be established that the data subjects suffered financial damage.

25. It should be noted that the number of data subjects affected by the infringements must be regarded as a factor in favour of imposing an administrative fine. On the other hand, the fact that the data subjects have not been shown to have suffered concrete financial or other material damage as a result of the infringements may be taken into account as a factor reducing the amount of the administrative fine.

Intentional or negligent breach

26. The Article 29 Working Party guidelines on the application and setting of administrative fines, referred to above, state that intent generally requires a conscious and deliberate infringement, whereas negligence means that the infringement was not intentional even though the controller breached the duty of care required by law. Intentional infringements, which demonstrate disregard for the law, are generally regarded as more serious than unintentional ones.

27. In its response to the hearing, Viking Line Oy Abp has stated that the present case does not involve intentional infringements. According to the response, no active or conscious decision was made, for example, to retain incorrect data in the personnel register. The response equates the situation with human error, as a result of which the system containing personal data had not been updated to reflect current legislation. In this context, reference is made to the Article 29 Working Party guidelines on the application and setting of administrative fines referred to above, which state that human error, or for instance the failure to apply technical updates in a timely manner, may indicate negligence. It should also be noted that it is well established in Finland that ignorance of the content of the law does not in general constitute the kind of mistake that would exclude possible intent or negligence. It is the controller's responsibility to ensure that its operations comply with the law. Notwithstanding the above, as regards the infringements of § 5(4) of the Act on the Protection of Privacy in Working Life, the Sanctions Board has no reason to assess the matter differently from Viking Line Oy Abp in its response to the hearing. Viking Line Oy Abp has stated that it took corrective measures even before the matter was investigated at the Data Protection Commissioner's office. The assessment has also taken into account that Viking Line Oy Abp took corrective measures on the basis of contact from a single data subject. Assessing the matter as a whole, the Sanctions Board considers that the infringements by Viking Line Oy Abp assessed in this paragraph cannot be regarded as intentional or negligent.

28. The response to the hearing refers to the e-mail correspondence between Viking Line Oy Abp and the complainant concerning the complainant's right of access. Although Viking Line Oy Abp did not give effect to the complainant's right of access within the prescribed one-month time limit, that correspondence shows that Viking Line Oy Abp nevertheless attempted to give effect to the complainant's right in a timely manner. On the other hand, the Sanctions Board finds it particularly reprehensible that, despite the complainant's express requests to obtain the diagnosis data, that data was not delivered to the complainant. Such conduct indicates negligence at the very least. The Sanctions Board does not, however, give weight to this point when weighing the aggravating and mitigating factors affecting the amount of the administrative fine. For the sake of clarity, it must be stated that the imposition of an administrative fine does not require that the infringement found be intentional or negligent. The intentional or negligent character of the infringement is only one of the factors which, under Article 83(2) of the General Data Protection Regulation, must be given due regard when deciding whether to impose an administrative fine and on its amount.

29. As regards the infringement of Article 5(1)(a) and Article 13 of the General Data Protection Regulation found in the main decision, it should be noted that the issue in this case is not that the information provided to the data subjects was insufficient or incomplete, but that the information required to be provided was not provided to the data subjects at all. In this respect, Viking Line Oy Abp's conduct shows that the company has not been sufficiently familiar with the applicable legislation and the requirements arising from it, which in turn shows disregard for what the law prescribes.

Categories of personal data affected by the infringement

30. As stated above, the infringements found in the case concerned data on the health of the data subjects. The Sanctions Board has already discussed the significance of infringements concerning such data in the assessment of the fine in the section "Nature, severity and duration, nature, scope or purpose of data processing".

Assessment of aggravating and mitigating factors

Action taken by the controller to mitigate the damage suffered by data subjects

31. The Article 29 Working Party guidelines on the application and setting of administrative fines, referred to above, state that the controller should do whatever it can to mitigate the consequences of the infringement for those concerned. According to the guidelines, the supervisory authority may take such responsible conduct by the controller, or the lack of it, into account when calculating the fine.

32. Viking Line Oy Abp has stated that it took corrective measures after the complainant contacted the company. According to its statement, the company had begun to investigate the matter even before it was investigated at the Data Protection Commissioner's office. As noted above, it is also significant that Viking Line Oy Abp took corrective measures on the basis of contact from a single data subject. The Sanctions Board views such an approach favourably.

The degree of responsibility, taking into account the technical and organizational measures implemented by the controller pursuant to Article 25

33. As laid down in Article 25 of the General Data Protection Regulation, the controller must take into account "the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing".

34. In its response to the hearing, Viking Line Oy Abp has emphasised that it has ensured that the personal data in question has been accessed only by persons whose work tasks are directly related to the data and for whom the data has been necessary. Access rights management has thus ensured that the data is processed only by authorised persons. The principle of integrity and confidentiality, in turn, is said to have been implemented for example by logging events in the information systems.

35. Despite the measures taken, it was not possible to store all ICD codes in the MAPS system in 2001; consequently, only some of the codes were used. This in turn meant that sickness absences could be recorded in the system under a code different from that of the sickness absence actually granted. This error was discovered only later, when the matter was investigated following the complainant's contacts. As noted above, it counts in Viking Line Oy Abp's favour that, according to its statement, the company took corrective measures after the complainant's contact and before the matter was investigated at the Data Protection Commissioner's office. Viking Line Oy Abp can therefore be considered to have acted in a timely manner, so that the infringement found was prevented from continuing shortly after the company became actively aware of it. The Sanctions Board takes this into account as a mitigating factor.

Previous similar infringements and measures previously ordered in the same matter

36. The Article 29 Working Party guidelines on the application and setting of administrative fines, referred to above, further state that the supervisory authority should assess the track record of the entity that committed the infringement. The supervisory authority should bear in mind that this assessment may be very broad: any type of infringement, even one different in nature from that currently under investigation, may be relevant, since it may indicate a general lack of knowledge of, or disregard for, the data protection rules.

37. The Data Protection Commissioner's office is not aware of any previous infringements of data protection legislation by Viking Line Oy Abp. Viking Line Oy Abp has not previously been ordered to take the measures referred to in Article 58(2) of the General Data Protection Regulation in respect of the infringements at issue. The Sanctions Board does not treat this as either a mitigating or an aggravating factor in the assessment of the fine.

The degree of cooperation with the supervisory authority, and the manner in which the breach came to the supervisory authority's attention

38. Likewise, the Article 29 Working Party guidelines on the application and setting of administrative fines, referred to above, state that the degree of cooperation may be "given due regard" when deciding whether to impose an administrative fine and on its amount. In assessing cooperation with the supervisory authority, weight could be given to whether the controller has responded to the supervisory authority's requests during the investigation in a way that has significantly limited the risk to the rights of individuals. As the guidelines state, however, it would not be appropriate to give weight to cooperation that is already required by law.

39. Under Article 31 of the General Data Protection Regulation, the controller must, on request, cooperate with the supervisory authority in the performance of its tasks. Under Article 58(1) of the General Data Protection Regulation and Section 18 of the Data Protection Act, the controller is also obliged to provide the supervisory authority with the information it requests.

40. The infringements by Viking Line Oy Abp came to the supervisory authority's attention through a complaint. In weighing a proportionate sanction, the Sanctions Board has taken into account that Viking Line Oy Abp responded to the authority's requests for clarification within the time limit and has been cooperative towards the Data Protection Commissioner's office. The Sanctions Board does not, however, treat this as either a mitigating or an aggravating factor in the assessment of the fine.

Any other aggravating or mitigating factors applicable to the case

41. In assessing the amount of the fine, the Sanctions Board takes into account, as a factor mitigating the amount of the fine, that the tourism industry has suffered severely from the consequences of the COVID-19 pandemic.

42. As stated above, the controller has also, on its own initiative, begun to correct the key shortcomings found in the case. The shortcomings observed in the exercise of the data subject's rights can be regarded as relating to the individual case at hand. Nothing has been presented in the case that would indicate, in this respect, regular conduct by the controller contrary to the General Data Protection Regulation.

Finally

43. In its response to the hearing, Viking Line Oy Abp has stated that an administrative fine should not be imposed for conduct that may have been contrary to the Act on the Protection of Privacy in Working Life or to legislation other than the General Data Protection Regulation, and that such matters based on other legislation should not be taken into account as aggravating factors in assessing the fine. In this respect, the Sanctions Board refers to Article 83(5)(d) of the General Data Protection Regulation, under which an administrative fine may be imposed for any infringement of obligations pursuant to Member State law adopted under Chapter IX of the Regulation. Reference is also made to Article 88 of the General Data Protection Regulation, under which Member States may, by law, provide for more specific rules to ensure the protection of rights and freedoms in respect of the processing of employees' personal data in the employment context.

44. It must be emphasised separately that Article 88 of the General Data Protection Regulation does not leave it to the discretion of the national legislator whether to exclude national provisions adopted under that Article from the scope of administrative fines.

45. Article 83(7) of the General Data Protection Regulation provides for the limitation of the scope of administrative fines by national legislation. There is no other national margin of discretion as to the scope of administrative fines.

The decision on the imposition of the administrative fine has been made by the members of the Sanctions Board of the Data Protection Commissioner's office.

Data Protection Commissioner Anu Talus

Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa

Deputy Data Protection Commissioner Annina Hautala

Chief Inspector Laura Varjokari presented the case

Further information on this decision is provided by the rapporteur

Chief Inspector Laura Varjokari, tel. 029 56 66771

Applicable legal provisions

Those cited in the reasoning.

Appeal

Under Section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with the Administrative Court as provided in the Administrative Judicial Procedure Act (808/2019). The appeal is lodged with the Helsinki Administrative Court.

Service

The decision is served in accordance with § 60 of the Administrative Procedure Act (434/2003) by post against acknowledgement of receipt.

The decision has not yet become legally final.