Tietosuojavaltuutetun toimisto (Finland) - 2984/182/2019: Difference between revisions

Revision as of 17:30, 6 July 2020

Tietosuojavaltuutetun toimisto - 2984/182/2019

Authority:	Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction:	Finland
Relevant Law:	Article 5(1)(c) GDPR Article 25(2) GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:
Published:
Fine:	None
Parties:	n/a
National Case Number/Name:	2984/182/2019
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Finnish
Original Source:	Finlex (in FI)
Initial Contributor:	n/a

Finnish DPA holds that having data subject's address information on a parking permit does not meet the data minimization requirement under Article 5 (1) (c) GDPR.

English Summary

Facts

Data subject had asked the controller whether they could mask the data subject’s address information from the parking permit. The parking permit with the data subject’s address information was kept on the dashboard of the car . The controller refused the data subject’s request. The data subject filed a complaint with the Finnish DPA.

Dispute

Whether the controller has complied with the principle of data minimization as per Article 5 (1) (c) and Article 25 (2) GDPR?

Holding

The Finnish DPA held that the controller has not complied with the principle of data minimization set out in Article (1) (c) and Article 25 (2) GDPR. Having the data subject's address information was not necessary for the purpose for which the personal data was being processed.

The DPA ordered the controller to remove the data subject's address information from the car parking permit.

The decision is not final.

Comment

In their reply to the Finnish DPA, the controller failed to give a reason why having the data subject's address on the parking permit was necessary for the purpose for which the personal data was being processed.

Furthermore, in their reply, the controller stated that even if the address information would not be stated on the parking permit, the information could still be ascertained via public sources. The DPA clarified that even if personal data is public or otherwise easily accessible, the principle of data minimization must still be respected.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

THING

Applicant 's claims and reasons

On 8 April 2019, the applicant initiated a case in the office of the Data Protection Commissioner concerning the information entered on the card indicating the parking permit (the so-called parking permit tag). The applicant has stated that he has rented a parking space from the registrar. A parking permit sticker showing the number and period of validity of the parking permit in question, the name of the controller as well as the name of the property at […] and the identification of the houses owned and operated by the controller ( […]) shall be affixed to the dashboard of the vehicle parked in question .). The applicant has questioned the above requirement to display a home address. The applicant has stated that, due to his work, he is unable to keep a parking ticket permanently displayed in his vehicle. The applicant has also stated that, on some occasions after his working day, he forgot to display his parking permit sticker in his vehicle, as a result of which he has received private parking inspection fees. The applicant has been in contact with both the registrar and the company providing parking supervision in the area. The applicant has suggested that his registration number be recorded in such a way that forgetting the parking ticket does not lead to private parking fees. The applicant has also suggested that he cover the address information on the parking permit. The applicant's proposals have not been accepted.

Statement received from the controller

The applicant has stated that he has been in contact with the controller. The applicant had suggested masking the address information. The proposal was not accepted. The Office of the Data Protection Officer has requested clarification from the controller. The registrar has submitted his report on 27.5.2020.

The report states that the controller owns a proportion of a plot of land on which a car park is located. The car park has a total of […] parking spaces. The registrar owns and manages […] designated parking spaces under the management sharing agreement, of which […] belong to the company-owned property at […] and […] to the company-owned property at […] as required by the town plan and building permit. In addition, the car park has parking spaces for six other properties in the area.

The registrar shall require the user of the car park to display a parking permit sticker bearing the name of the registrar and […]. The report also states that, due to irregularities in the car park, the car park is monitored by a private car company. The car park has a total of eight different property parking spaces. However, the parking attendant must be able to distinguish whether the person who parked the vehicle in the parking lot was entitled to park the vehicle in the parking lot in question. The controller has considered that it would not be sufficient to indicate the name of the issuer of the parking permit on the parking permit. In this case, a resident of […] could park the vehicle in the parking spaces reserved for residents of the property located at […]. The parking attendant would have no means of detecting improper parking. The registrar has about […] objects of right of residence all over Finland. The alternative information content of the parking ticket presented above could also lead to a person holding a parking ticket being able to park the vehicle on any property owned by the registrar.

In addition, the report states that the exact address of the person who rented the parking space is not indicated on the parking permit. The number of the residential apartment is not marked on the parking permit. Identification information B – C is marked on the parking permit tag. The property at […] is not exclusively owned by the controller. The registrar owns a fixed part of the property and owns and manages the B and C houses located on the property. The management agreement for the land in question indicates which […] parking spaces belong to the property at […] and which to the property at […]. The division of property agreement has been entered as a special right in the land in question in the law auction and mortgage register maintained by the National Land Survey of Finland. It is therefore a public document. Everyone thus has the opportunity to find out at which address for each parking space the person who parked the vehicle lives or does business, even without a parking permit.

It is not required to display a parking permit sticker other than when parking at the parking facility in question. It is the parking lot user's own decision to leave the parking permit tag visible when parking elsewhere. The registrar has considered that displaying a parking ticket in a car park does not cause undue inconvenience to the user of the car park, especially given that in most car parks parking requires at least the start time, for example by displaying a parking disc, and forgetting this will result in a parking error.

The report provided states that the controller has not received much feedback from other car park users regarding the questioning. In the view of the registrar, the lack of feedback means that, in most cases, the address information of the car owner or keeper can be easily ascertained using the registration number. The report also states that if a car park user has concealed his address and it is important for him, for example, to keep his address information confidential, he must ensure that he does not keep a parking ticket in his vehicle when parked outside the car park in question.

For the reasons set out above, the controller has considered that its activities have not been disproportionate to the provisions of the General Data Protection Regulation - such as the principle of data minimization. However, the report states that if the company's operations are considered to be in breach of the information minimization principle, the company is prepared to replace the address of the property entered on the parking permit tags with an identification code consisting of numbers. Finally, the report emphasizes that, nevertheless, the address details of the holder of the vehicle parked in the car park could still be ascertained, as mentioned above, due to the public nature of the sharing agreement. It is also possible at this time for the user of the parking space to remove the parking permit tag from view when parking elsewhere.

Applicant 's reply

No reply has been requested from the applicant. In accordance with section 34 (2) (5) of the Administrative Procedure Act (434/2003), the hearing has been considered manifestly unnecessary. In the document of initiation, the applicant has questioned the necessity of the information marked on the parking permit. A wider consultation of the applicant would not have affected the outcome of the case.

Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a law directly applicable in the Member States. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).

Legal issue

The Assistant Data Protection Officer assesses and decides the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The matter must be resolved:

(1) whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation in the processing of personal data in connection with parking permits; and

(2) whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations into line with the provisions of the General Data Protection Regulation.

DECISION OF THE ASSISTANT DATA PROTECTION SUPERVISOR

The Assistant Data Protection Officer shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation in the processing of personal data in connection with parking permits.

The Assistant EDPS shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data carried out in connection with parking permits in accordance with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation.

The registrar shall ensure that the address or transaction information of the holder of the permit no longer appears on the parking permit tickets.

Reasoning

The principle of data minimization

Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.

As mentioned above, the personal data processed must be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p.42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and not limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may be processed only if

As mentioned above, this is a matter of the principle of data minimization, a principle which the European Data Protection Board has also issued practical guidelines in the context of its guidelines (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 13.11.2019). According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be if the purpose of the processing cannot be achieved by other means. (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (issued 13.11.2019), p. 19.) In practice, therefore, as little personal data as possible should be collected in each situation.

In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.

On the present case

The report states that, due to irregularities in the car park, the parking of the car park has been entrusted to a private car park company. The car park has a total of eight different property parking spaces. However, the parking attendant must be able to distinguish whether the person who parked the vehicle in the parking lot was entitled to park the vehicle in the parking lot in question. The registrar has considered that it would not be sufficient to indicate the name of the issuer of the parking permit on the parking permit. In this case, a resident of […] could park the vehicle at […]parking spaces for residents of the property. The parking attendant would have no means of detecting improper parking. The registrar has hundreds of right-of-occupancy properties all over Finland. The alternative information content of the parking ticket presented above could also lead to a person holding a parking ticket being able to park the vehicle on any property owned by the registrar.

In its report, the controller has emphasized that the address information of the holder of the vehicle parked in the parking lot can otherwise be ascertained due to the publicity of the management sharing agreement.

It should be noted that no evidence has been adduced to show that the address information is necessary to ensure that the person who parked the vehicle in the car park was entitled to park the vehicle in the car park in question. The controller himself has stated that the current practice could be replaced by, for example, identification data consisting of numbers. The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided.

For the sake of clarity, whether this information is public or otherwise available, this fact does not remove the obligation to comply with the principle of data minimization laid down in Article 5 (1) (c) of the General Data Protection Regulation.

For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data carried out in connection with parking permits in accordance with the General Data Protection Regulation.

Applicable law

Mentioned in the explanatory memorandum.

The decision is not final.

@@ Line 63: / Line 63: @@
 === Holding ===
-The Finnish DPA held that the controller has not complied with the principle of data minimization set out in Article (1) (c) and Article 25 (2) GDPR. The DPA ordered the controller to remove the data subject's address information from the car parking permit.
+The Finnish DPA held that the controller has not complied with the principle of data minimization set out in Article (1) (c) and Article 25 (2) GDPR. Having the data subject's address information was not necessary for the purpose for which the personal data was being processed.
+The DPA ordered the controller to remove the data subject's address information from the car parking permit.
 The decision is not final.
 == Comment ==
-In their reply to the Finnish DPA, the controller failed to give a reason why having the data subject's address was necessary for the purpose for which the personal data was being processed.
+In their reply to the Finnish DPA, the controller failed to give a reason why having the data subject's address on the parking permit was necessary for the purpose for which the personal data was being processed.
-Furthermore, in their reply, the controller stated that the address information could be ascertained via public sources. The DPA clarified that even if personal data is public or otherwise easily accessible, the principle of data minimization must be respected.
+Furthermore, in their reply, the controller stated that even if the address information would not be stated on the parking permit, the information could still be ascertained via public sources. The DPA clarified that even if personal data is public or otherwise easily accessible, the principle of data minimization must still be respected.
 == Further Resources ==