Tietosuojavaltuutetun toimisto (Finland) - 9024/181/19

Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(f) GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.10.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 9024/181/19
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finnish DPA website (in FI)
Initial Contributor: Florence D'Ath

The Finnish DPA ruled that a cleaning company breached the GDPR by using WhatsApp instant messaging services with its employees as a means to share information about its customers, including their names, addresses, door codes or key box codes. Among other things, the controller had no means to oversee the use of personal data via WhatsApp, or otherwise impose restrictions on possible further use.

English Summary

Facts

A cleaning company (the Company) relied on WhatsApp instant messaging services to communicate information about its clients to its employees, including the clients' names, addresses, telephone numbers and, in some instances, even the door codes or key box codes of their homes.

On 21 November 2019, a complaint was lodged with the Finnish DPA on the ground that the disclosure of such personal data via WhatsApp messages was in breach of the GDPR, and in particular of the principle of integrity and confidentiality, and security obligations.

The Finnish DPA started an investigation, and asked the Company to clarify its data processing practices. The Company stated that it had changed its policy in connection with the investigation, and that it would only use WhatsApp messages to provide location information, i.e. the names and addresses of customers. The Company further stated that more sensitive information, such as door codes, are now communicated orally to its employees. The Company also stated that all former employees have already been instructed and reminded to delete all past communications containing customers' personal data.

Holding

The Finnish DPA first considered that the Company had used WhatsApp without informing its customers thereof, to transmit customer data, including door codes and key box numbers, and that such disclosure could cause clear inconvenience to the customers. In particular, the Finnish DPA pointed out that the Company had no means of controlling the use of personal data via WhatsApp, or otherwise imposing restrictions on such use. In addition, the Finnish DPA considered that the Company should have taken all potential risks into account, such as the possibility that employees would lose their phones, and that customers' personal data could then become accessible to third parties.

Although the Company had instructed former employees to remove all communications, the Finnish DPA noted that the Company had no means to verify if and when former employees had actually complied with such instruction, and whether any back-up of these data had also been deleted.

Finally, after considering WhatsApp terms of use, the Finnish DPA noted that the use of the app was normally not compatible with business purposes, as it would create a contractual relationship between the employee and Facebook (now, "Meta", the owner of WhatsApp).

Based on the above considerations, the Finnish DPA found that the use of WhatsApp to transmit customer data was in breach of the principle of integrity and confidentiality (Article 5(1)(f) GDPR), of the principle of privacy by design and by default (Article 25 GDPR) and of the obligation of the Company to implement appropriate organisational and technical measures to ensure the security of personal data (Article 32 GDPR).

Finally, the Finnish DPA noted that the use of WhatsApp implied potential data transfers to the US, and that such transfers could no longer be justified on the basis of the Privacy Shield following the judgment of the CJEU in case C-311/18 (Schrems II). The Finnish DPA decided however not to use its corrective powers with respect to this potential breach, as the violations had taken place before a final judgment had been rendered in that case.

In conclusion, the Finnish DPA found that the Company had breached Articles 5, 25 and 32 GDPR, and ordered the Company to bring its data processing practices into compliance. No fine was imposed.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.


      Transferring customers' personal information to employees' personal phones with WhatsApp
       
      Decision of the Data Protection Supervisor on the integrity and confidentiality of personal data, the security of the processing of personal data, built-in and default data protection and the transfer of personal data to third countries
      Thing
      Processing of customers' personal information in the WhatsApp instant messaging service
      Statement from the complainant
      On 21 November 2019, a complaint was lodged with the Office of the Data Protection Commissioner alleging that a cleaning company uses the WhatsApp instant messaging service to transmit customer information from a company to an employee. The information includes, for example, customer names, addresses, telephone numbers, door codes and key box numbers.
      Statement received from the controller
      The Office of the Data Protection Supervisor has requested clarification from the controller with a request for clarification dated 6.10.2020. The registrar has issued a report on 19.10.2020 and an additional report on 19.11.2020.
      The data controller has stated that it has changed its policy in connection with the investigation by the Office of the Data Protection Supervisor, and WhatsApp messages are now mainly the location information of work sites, ie the names and addresses of customers. For example, door codes are now communicated orally to an employee. The registrar has stated that it has used the WhatsApp service because the service ordered to process customer data is still incomplete and the registrar has no information on the timetable for the introduction of the new service.
      According to the registrar, all former employees have already been instructed to delete all communications and have now been reminded again. In a statement to the Office of the Data Protection Officer, the controller stated that home customers tend to change door codes, in which case the old code will no longer work and that access will require a key. According to the data controller, the company alarm codes do not allow access, and such codes are also changed at certain intervals.
      The complainant's defense
      The complainant lodged a defense on 23 October 2020, stating that the controller had not previously instructed employees to remove the WhatsApp groups.
      Applicable law
      The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The Data Protection Regulation contains a national margin of maneuver on the basis of which national law can supplement and clarify matters specifically defined in the Regulation. The general data protection regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previous Personal Data Act (523/1999).
      Article 5 (1) (f) of the General Data Protection Regulation lays down the principle of integrity and confidentiality, according to which personal data must be processed in a way that ensures adequate security, including protection against unauthorized and unlawful processing and accidental loss, destruction or damage, through appropriate technical or organizational measures.
      Article 24 of the General Data Protection Regulation provides for the liability of the controller. According to paragraph 1, taking into account the nature, scale, context and purposes of the processing and the risks to the rights and freedoms of natural persons, which vary in probability and severity, the controller shall take the necessary technical and organizational measures to ensure and demonstrate compliance with this Regulation. These measures need to be reviewed and updated as necessary. According to paragraph 2, where proportionate to the processing operations, the measures referred to in paragraph 1 shall include the implementation by the controller of appropriate data protection policies.
      Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1, taking into account state-of-the-art technology and implementation costs, as well as risks to the rights and freedoms of natural persons varying in probability and severity, the appropriate technical and organizational measures. Paragraph 2 requires the controller to take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.
      Article 32 of the General Data Protection Regulation (security of processing) sets out the technical and organizational measures to be taken by the controller and the processor to ensure a level of security commensurate with the risk associated with the processing of personal data.
      Article 44 of the General Data Protection Regulation lays down the general principle of transfers of personal data. According to this article, the transfer of personal data processed or to be processed after transfer to a third country or to an international organization shall only take place if the controller and the processor comply with the conditions set out in Chapter V of the General Data Protection Regulation and subject to other provisions of the General Data Protection Regulation; this also applies to the onward transfer of personal data from that third country or international organization to another third country or to another international organization. All the provisions of Chapter V of the General Data Protection Regulation must be applied in order to ensure that the level of protection of personal data of natural persons guaranteed by the General Data Protection Regulation is not compromised.
      Article 45 of the General Data Protection Regulation provides for the transfer of personal data following a decision on the adequacy of data protection. According to paragraph 1, the transfer of personal data to a third country or to an international organization may take place if the Commission has decided that that third country or territory or one or more specific sectors or international organizations ensure an adequate level of data protection. No special permit is required for such a transfer.
      Article 46 of the General Data Protection Regulation provides for the transfer of personal data to a third country or to an international organization with appropriate safeguards. In the absence of a decision pursuant to Article 45 (3) of the General Data Protection Regulation, the controller or processor may transfer personal data to a third country or international organization only if that controller or processor has taken appropriate safeguards and enforceable rights and effective remedies are available. Paragraphs 2 and 3 of the article set out what appropriate safeguards may be.
      Legal question
      The Data Protection Officer will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).
      The EDPS must decide whether the use of WhatsApp for the processing of customers' personal data has been covered by Article 5 (1) (f) (integrity and confidentiality), Article 25 (built-in and default data protection) and Article 32 of the General Data Protection Regulation (security of processing).
      Decision of the EDPS
      The controller has not complied with Article 5 (1) (f) of the General Data Protection Regulation (principle of integrity and confidentiality), Article 24 (responsibility of the controller), Article 25 (built-in and default data protection) and Article 32 (security of processing). The registrar's procedure regarding the use of the WhatsApp instant messaging service to process customers' personal data has therefore not complied with the general data protection regulation.
      The controller is instructed in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing operations in line with the provisions of the Regulation.
      The controller shall be notified in accordance with Article 58 (2) (b) of the General Data Protection Regulation of any processing operation in breach of the provisions of the Regulation.
      Reasoning
      The General Data Protection Regulation is based on a risk-based approach, which requires the controller to continuously assess the adequacy of security measures in relation to the risks of processing and to take appropriate technical and organizational measures to ensure adequate protection of personal data (see in particular Article 24 of the General Data Protection Regulation).
      With regard to the risk-based approach, special attention must be paid in the present case to Article 5 (1) (f) of the Regulation (principle of integrity and confidentiality) and Article 32 (security of processing). The principles of integrity and confidentiality require that personal data be processed in a way that ensures their proper security, including protection against unauthorized and unlawful processing through appropriate technical or organizational measures. Article 32 on data security, in turn, requires the controller to take appropriate technical and organizational measures to ensure a level of security commensurate with the risk. 
      The principle of integrity and confidentiality is part of the requirement for built-in and default data protection underlying the General Data Protection Regulation (Article 25 of the General Data Protection Regulation), which requires the controller to take data protection into account from the outset. The implementation of built-in and default data protection requires that the controller effectively implements data protection principles, such as the principles of integrity and confidentiality.
       
      In the present case, the data controller has passed on the customers' personal data to the employees via the WhatsApp instant messaging service. The information may include, for example, name, address, telephone number, door code, and alarm system code.
      WhatsApp Messenger is an instant messaging service for smartphones that uses your phone's Internet connection. The service is typically used in the same way as text messages. In his previous statement on healthcare activities (dnro 3013/183/18), the EDPS considered that the use of the WhatsApp application leads to the transfer of the customer's personal data to third countries and does not recommend the use of the application in appointment-related customer communications for healthcare activities. In addition, in its previous decision-making practice, the EDPS considered that employees should not be obliged to use their own tools for security reasons (dnro 2290/41/12).
      In the present case, the registrar has used WhatsApp to transmit customer data. In particular, the addresses, door codes and key box numbers have been information the termination of which could cause clear inconvenience to the data subject. In its statement, the controller stated that, as a precautionary measure, it had instructed former employees to remove all communications. In this context, the controller has not verified on the basis of the information obtained in the report whether the business-related group has been deleted, for example at the end of the employment relationship, or whether the company section has been deleted from the employee's backup. Furthermore, based on the information received in the case, the data controller has not informed the registered, ie the customers of the cleaning company, about the use of the WhatsApp application.
      With regard to the WhatsApp service, it should be noted that when using the application, there is a contractual relationship between the individual, ie the employee, and Facebook, and the disclaimers in the agreement with the individual, for example, are not compatible with business use.
      When utilizing the application, the controller also has no means of controlling the use of personal data in the service or otherwise imposing restrictions on its use. In addition, the risk of using the application in the event of a lost phone can be taken into account, in which case access to the phone also allows access to the WhatsApp application.
      In view of the above, the EDPS considers that the use of WhatsApp to transmit customer data from the company to the employee's personal telephone has not complied with the requirements of integrity and confidentiality, built-in and default privacy and security, and the controller has not taken into account the risk-based approach. technical and organizational measures to ensure adequate protection of personal data.
      In the present case, the EDPS also pays particular attention to the fact that the use of the application is likely to have led to transfers of data from the Union to third countries, including the United States. The General Data Protection Regulation requires that the transfer of personal data from the Union to controllers, processors or other recipients in third countries does not jeopardize the level of protection of personal data under the General Data Protection Regulation. At the time the case was brought, the so-called Privacy Shield was used to transfer data between the EU and the US in order to ensure an adequate level of data protection. However, in its judgment in Case C-311/18, the Court of Justice ruled that Decision 2016/1250 on the adequacy of the level of data protection provided by the EU-US Privacy Shield was invalid. In its ruling, the Court held that the restrictions on the protection of personal data arising from the US internal rules governing access to and use of personal data transferred from the Union to the United States are not limited to the requirements of European Union law. Registrants are also not given enforceable rights that they could invoke against U.S. authorities in court. The Court further states that the controller must suspend the transfer of personal data to a third country if it is unable to take sufficient additional measures to ensure the protection of personal data.
      The European Data Protection Board has assessed the consequences of the above decision and the adequate safeguards. At the time of the case before the EDPS, the Privacy Shield system was still in place and the consequences of the decision in Case C-311/18 were being assessed by the European Data Protection Board during the investigation. Therefore, in the context of the investigation, the controller has not been specifically requested to clarify the transfer mechanisms under Chapter V of the General Data Protection Regulation, which ensure the level of protection of personal data under the General Data Protection Regulation. The Data Protection Supervisor's Office has requested clarification from the controller before the European Data Protection Board has adopted guidelines on data transfers and the European Commission has adopted standard clauses on transfers to third countries. Consequently, the EDPS does not exercise his remedial powers in this respect under Article 58 (2) of the General Data Protection Regulation.
      Applicable law
      Mentioned in the explanatory memorandum.
      Appeal
      According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).
      Service
      The decision shall be served by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt.
      The decision is not final