Tietosuojavaltuutetun toimisto (Finland) - TSV/35/2022

From GDPRhub
Tietosuojavaltuutetun toimisto - TSV/35/2022
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 32(4) GDPR
Article 58(2)(b) GDPR
§ 16(3) Act on the Openness of Government Activities
Type: Investigation
Outcome: Violation Found
Started: 20.04.2022
Decided: 22.12.2023
Published: 05.02.2024
Fine: n/a
Parties: n/a
National Case Number/Name: TSV/35/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA found an educational institution to have breached the principles of lawfulness and purpose limitation in processing the personal data of its students for marketing purposes.

English Summary

Facts

The Finnish DPA was notified that a municipality-run educational institution (the controller) processed the personal data of its students for the marketing of courses offered by a third party without the consent of its students. The DPA asked the controller to explain the purpose of the personal data processing.

In response to the request, the controller clarified that a teacher had sent the students an email in which the teacher advertised their own course in another organisation. The controller emphasised that sending the email in question was not related to the activities of the controller.

The controller claimed that the email in question had been sent against the controller's instructions. According to the controller's privacy notice, personal data was not disclosed to third parties for direct marketing.

Holding

On the basis of the information provided by the controller, the DPA considered that the email sent from the controller's information system was promoting services offered by another organisation and that such use of the personal data was comparable to disclosure.

The DPA emphasised that in accordance with Article 32(4) GDPR, the controller must ensure that its employees have sufficient understanding and competence regarding the processing of personal data and data protection.

The DPA stated that the controller must also comply with Section 16(3) of the Finnish Act on the Openness of Government Activities, according to which the disclosure of personal data for direct marketing requires the data subject's consent. Since there was no legal basis to disclose the students' personal data, the controller processed the personal data in violation of the lawfulness principle.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(a) GDPR, as the processing of personal data was not related to the activities of the controller and there were no legal grounds for the processing. The controller's purpose in collecting the personal data was for processing related to college operations. As the advertisement for another organisation did not relate to college operations, the DPA also found a violation of Article 5(1)(b) GDPR.

As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.

Comment

Generally, a controller having inadequate security measures for employees under Article 32(4) GDPR and a controller lacking or exceeding legal basis for processing are separate issues. Where an employee has processed data subjects' personal data for their own purposes, a violation of Article 32(4) GDPR occurs if the controller failed to take proper steps to prohibit the employee from processing the personal data without controller instruction. This unauthorised processing, while a controller security violation, is thus usually considered distinct from the controller's processing. In this case, however, the DPA appears to merge the employee's unauthorised processing with the controller's processing.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Deputy Data Protection Commissioner
Thing

Processing of personal data of college students for the marketing of courses offered by another controller
Registrar

College administrator
The initiator's requirements with reasons

On April 20, 2022, the office of the Data Protection Commissioner initiated a case regarding the processing of student personal data at the college. The initiator said that he had signed up for a course organized by the college, which had been canceled on February 10, 2022. After that, he had received an e-mail message through the information system used by the college, which apologized for the cancellation of the spring courses and advertised the courses offered by an external party with their prices. The initiator said that he had not given his consent to such disclosure of his information.
Statement by the registrar

The data protection commissioner's office requested an explanation from the data controller with an explanation request dated July 4, 2023. On 10 August 2023, the registrar gave a report on the matter.

According to the report given by the registrar, the college that the sent message was in question in the case is an educational institution maintained by the city. The mission of the college is to organize training in liberal arts work in its area of activity. The operation is governed by the Act on Free Educational Work (632/1998). Participating in the trainings requires registering for the courses and providing personal information in that connection.

According to the report, the initiator gave his email address himself when registering for the college's course. The class teacher who worked at the college at the time the message was sent sent an e-mail message to his own teaching group from the college's information system, which was sent to each member of the group separately. In the report, it was said that in the message the class teacher of the group in question advertised his own summer teaching activities at the service of another employer. The report concluded that the sending of the message in question was not related to the school's activities. The registrar stated that the message was sent against the college's instructions. In his report, the controller said that the staff has been instructed and trained in data protection matters and the incident has been clarified with the employee.
The equivalent of an initiator

On August 22, 2023, the data protection commissioner's office asked the initiator to pay for the report given by the data controller. In his response on 25 August 2023, the initiator stated that, despite the college's instructions, his personal data has been used for marketing the activities of a third party.
On applicable legislation

The processing of personal data is subject to the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (Data Protection Regulation), which is a regulation that is directly applicable in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The data protection regulation is specified in the national data protection act (1050/2018).

According to Article 4, Section 7 of the Data Protection Regulation, the controller means a natural person or legal entity, authority, agency or other body that, alone or together with others, defines the purposes and means of personal data processing. According to Article 5, Section 1, Subsection a of the Data Protection Regulation, personal data must be processed in accordance with the law (lawfulness). In accordance with paragraph 1, subparagraph b of the same article, personal data must be collected for a specific, specific and legal purpose, and must not be processed later in a way that is incompatible with these purposes (purpose-relatedness). According to Article 4, Section 10 of the Data Protection Regulation, a third party means a natural person or legal entity, authority, agency or other institution than the registered person, controller, personal data processor and a person who has the right to process personal data directly under the direct responsibility of the controller or personal data processor.

Article 86 of the Data Protection Regulation enables the right to publicize official documents and the right to protection of personal data according to the Data Protection Regulation to be reconciled. According to Section 28 of the Data Protection Act, the provisions on public authorities' activities are applied to the right to receive information and other disclosure of personal data from the authority's personal register. Pursuant to Section 16, subsection 3 of the Act on the Publicity of Officials' Activities (621/1999, Publicity Act), the official's personal register may disclose personal data for direct marketing and opinion or market research only if it is separately stipulated or if the data subject has given his consent.

The Publicity Act was enacted before the Data Protection Regulation began to apply. At that time, the personal register was defined in section 3, paragraph 3 of the Personal Data Act (523/1999), repealed by the Data Protection Act. The student register, which also records the contact information provided by the student, was a personal register defined in the Personal Data Act. There is no corresponding definition of a personal register in the Data Protection Regulation. The Deputy Data Protection Commissioner considers that although the application of § 16 subsection 3 of the Publicity Act is to some extent open to interpretation for the aforementioned reason, the matter is not decisive in the assessment of the matter at hand. Disclosure of personal data is processing of personal data based on Article 4, Section 2 of the Data Protection Regulation.

According to Article 5, Section 2 of the Data Protection Regulation, the data controller is responsible for it, and must be able to demonstrate that Section 1 has been complied with (obligation to demonstrate). The principles of legal compliance and purpose-relatedness are data protection principles according to Article 1.
A legal question

The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned Data Protection Regulation (EU) 2016/679, the Data Protection Act and the Act on Free Educational Work. In the matter, it must be decided whether the data controller (the education provider) has complied with Article 5, paragraph 1, subparagraph a (principle of legality) and subparagraph b (relationship to intended use) and paragraph 2 of the data protection regulation, when an e-mail message has been sent from the information system it uses to the students of the educational institution, which tells about the organization of a third party courses.
Decision of the Deputy Data Protection Commissioner
Decision

From the information system used by the city-run college (educational institution for liberal arts work), an e-mail message was sent to those registered for its course, with information about the courses organized by another organization, along with price information. The deputy data protection commissioner considers that the personal data of the college's students has been used contrary to the intended use, when they have been sent such a message from the college, which is in no way related to the college's operations. The personal data of the college's students has also been processed against the law, when the goal of the communication has been to promote the demand for sports services offered by a third party. Even if the personal data has not actually been transferred to another organization, it has been made available to another organization without a legal basis. It is about an event comparable to handover.

The controller (college) has not complied with Article 5, Paragraph 1 Subsection a (principle of legality) and Subsection b (Principle of purpose-relatedness) of the Data Protection Regulation, as well as Article 5 Subsection 2, when the personal data of its students has been used to send the e-mail message described above.
Note

The deputy data protection commissioner gives the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the data protection regulation that it has not complied with the data protection regulation in the above-mentioned parts, when the personal data of its students has been used for e-mail communication, the aim of which was to promote the demand for another organization's sports services.
Reasoning

The matter at hand is related to the processing of personal data of the college's students. According to the registrar's report, the Act on Free Educational Work (632/1998) applies to the college's operations. The city is the administrator of the educational institution (Section 4 of the Act on Free Educational Work) and at the same time also the data controller in accordance with Article 4, Section 7 of the Data Protection Regulation. The registrar's responsibility is regulated at a general level in Article 24 of the Data Protection Regulation, which is interpreted together with other regulations on the registrar's obligations.

According to the information received from the registrar, the initiator gave his email address when he registered for the college's course. Participation in the trainings requires the processing of personal data necessary for the operation, according to the controller's report. In accordance with Article 5, paragraph 1, subparagraph b of the Data Protection Regulation, the controller must define the purposes of personal data processing. Personal data may not be subsequently processed contrary to the purposes defined by the controller (see also Article 6, Section 4 of the Data Protection Regulation).

Handing over personal data to another controller requires a legal basis. The administrator of the college is the city, which is the authority referred to in the law in accordance with section 4 subsection 1 point 4 of the Publicity Act. According to Section 16, subsection 3 of the Publicity Act, personal data may only be disclosed for direct marketing if it is separately stipulated or if the data subject has given his consent (See also Section 200 of the Electronic Communication Services Act (917/2014).

Based on the information obtained from the report, the e-mail sent in the case was sent from the information system used by the college and was sent by an employee of the college. However, according to the report of the registrar, the sending of the message was not related to the school's activities. The message told about another organization's sports offering and pricing criteria. The sender of the message worked as a teacher in both of these organizations. According to the registrar's report, the message was sent contrary to the instructions given by the college. The data protection statement prepared by the controller states that the information in the register is not disclosed to external parties for direct marketing.

The Deputy Data Protection Commissioner notes that the organization whose activity message was sent to those enrolled in the college's course is a separate data controller from the college. Direct marketing is not defined in the data protection regulation or the publicity act. The Deputy Commissioner considers that the purpose of the e-mail message sent from the college's information system in the case at hand was to promote demand for services offered by another organization. According to section 16 subsection 3 of the Publicity Act, the disclosure of personal data for direct marketing requires consent to be requested from the data subject in official activities. Although the email addresses needed to send the email message were not disclosed to another organization, the message was actually sent to promote demand for the sports services offered by this other organization. It is an event comparable in its effects to the release of students' personal data.

The Deputy Data Protection Commissioner considers that the processing of the personal data of the college's students in order to send the message in question has been contrary to the binding purpose defined in Article 5, paragraph 1, letter b of the Data Protection Regulation, because the processing of the personal data has not been related in any way to the operations of the college and there have been no other legal grounds for the processing. The processing of personal data has also been against the principle of compliance with the law stipulated in Article 5, Section 1, Subparagraph a of the Data Protection Regulation, because there was no basis for the disclosure of students' personal data in accordance with Section 16, Subsection 3 of the Public Information Act. The Deputy Data Protection Commissioner gives the data controller the notice referred to in Article 58, paragraph 2, letter b of the General Data Protection Regulation, because the processing operations in the ways described above were in violation of the provisions of the Data Protection Regulation.
Applicable legal provisions

Those mentioned in the justifications.
Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019).
Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decision was issued by the Deputy Data Protection Commissioner Annina Hautala.
Supervision of the deputy data protection officer

According to Article 25, paragraph 1 of the Data Protection Regulation, the data controller must effectively implement appropriate technical and organizational measures for the implementation of the data protection principles in connection with determining the processing methods and the processing itself. The Deputy Data Protection Commissioner draws the data controller's attention to the fact that, according to Article 32, paragraph 4 of the Data Protection Regulation, the data controller must also take measures to ensure that every natural person working under the data controller who has access to personal data only processes it in accordance with the data controller's instructions (see also Article 29 of the Data Protection Regulation article). As part of appropriate protection measures, the data controller must ensure that the natural persons working under the data controller have sufficient understanding and know-how of personal data processing and data protection.

This guidance cannot be changed.