Tietosuojavaltuutetun toimisto - 6609/163/19

| Authority: | Tietosuojavaltuutetun toimisto (Finland) |
| Relevant Law: | Article 5(1)(c) GDPR; Article 25(2) GDPR; Article 58(2)(d) GDPR |
| National Case Number/Name: | 6609/163/19 |
| European Case Law Identifier: | n/a |
| Original Source: | Finlex (in FI) |
English Summary

The Finnish DPA rendered a decision in a case between a parent (the applicant) and a company specialised in kindergarten and school photography (the controller). The applicant complained that a picture of his children appeared in miniature on the invoice sent by the controller. The Finnish DPA ruled that including a miniature of the children's pictures on the invoice was not necessary for the purpose of payment or security, and that the controller had therefore infringed the principle of data minimisation enshrined in Article 5(1)(c) GDPR. The Finnish DPA further ordered the controller to bring its processing activities into compliance under Article 58(2)(d) GDPR.
Facts

The controller is a Finnish company specialised in taking pictures of children at kindergartens and schools. The controller printed and sent pictures of about 400,000 pupils each year. For several years, the controller had followed the practice of printing a miniature of the pictures on the invoice sent to the parents. After receiving an invoice on which a miniature of his children's picture was printed, a parent contacted the controller's customer service to complain about that practice. The controller did not agree with the parent. As a consequence, the parent lodged a complaint with the Finnish DPA.
Dispute

The dispute concerned whether printing the children's pictures in miniature on the invoice complied with the GDPR, and in particular with the principle of data minimisation enshrined in Article 5(1)(c) GDPR. According to the company, printing the pictures in miniature on the invoice enabled its employees to make sure that the correct pictures and invoices were sent together to each customer. The controller also argued that such a practice was justified from the point of view of data security. According to the parent, such a practice was not necessary for the purposes pursued by the controller, and violated the principle of data minimisation, according to which the processing of personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (Article 5(1)(c) GDPR).
Holding

The Finnish DPA ruled that the controller did not comply with the principle of data minimisation set out in Article 5(1)(c) GDPR when processing personal data in connection with invoices. The Finnish DPA furthermore used its corrective power under Article 58(2)(d) GDPR to order the controller to bring the processing of personal data into compliance by no longer printing or including miniatures of the children's pictures on the invoices.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Decision of the Assistant Supervisor

Thing: Data minimization

Applicant's claims and reasons

On 30 August 2019, the applicant brought an action in the Office of the Data Protection Officer concerning the fact that the pictures of his children appear in miniature on the data controller's invoice. The registrar specializes in kindergarten and school photography. The applicant has contacted the controller's customer service, and according to the customer service message sent to the DPO's office, the controller's data security officer is to consider covering the images in the invoices sent to the collection agency.

Statement received from the controller

On 12 January 2021, a clarification was requested from the data controller. The request for clarification was answered on 21 January 2021. The report provided states that the registrar prints the photos on photo printers and the invoices on normal paper printers. According to the report, the invoices also act as packing lists, and the registrar prints black-and-white images on them in addition to the customer's home address. According to the study, the size of a single image is 1.4 x 2 cm. According to the report, the images on the invoice enable the controller's staff to ensure that the images to be sent and the invoice match, which, according to the report, ensures that the controller does not send photographs to incorrect addresses. According to the report, the images will not be added to the collection invoice, but the customer may want to see the original invoice because the customer who ordered the images may have lost or destroyed the original invoice and wants to see it after receiving the collection invoice. Furthermore, according to the report, the registrar submits a PDF copy of the original invoice to the collection agency, if necessary. The report states that the controller has not taken any appropriate action.

According to the study, the registrar prints and sends photos of about 400,000 students each year, and this is the first time the registrar has received customer feedback. According to the report, the registrar has been printing the images on the invoices for several years. According to the registrar, images significantly improve security of supply and, in its view, the current practice is justified from the point of view of data security related to the supply of images.

Applicant's reply

On 22 January 2021, the Office of the Data Protection Officer requested a reply and address information from the applicant. In his defense, received on 27 January 2021, the applicant stated that he did not consider that the collection agency should see the pictures of his children under any circumstances.

Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of directly applicable law in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).

Legal issue

The Assistant Data Protection Supervisor will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matters to be resolved are:

1. whether the controller has complied with the principle of data minimization set out in Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation when processing personal data in connection with invoices; and
2. whether an order must be made to the controller in accordance with Article 58(2)(d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation.

Decision and reasons of the Assistant Data Protection Supervisor

Decision

The controller has not complied with the principle of data minimization set out in Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation when processing personal data in connection with invoices.

Regulation

The Assistant DPO shall instruct the controller in accordance with Article 58(2)(d) of the General Data Protection Regulation to bring the processing of personal data in connection with invoices into line with Articles 5(1)(c) and 25(2) of the General Data Protection Regulation, ensuring that invoices no longer contain unnecessary personal data.

Reasoning

The principle of data minimization

Article 5(1)(c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed. The personal data processed must, as mentioned above, be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p. 42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

It can therefore be concluded that personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means. As mentioned above, this is a matter of the principle of data minimization, which has also been the subject of practical guidance by the European Data Protection Board in the context of its guidelines. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means. In practice, therefore, as little personal data as possible should be collected in each situation.

In addition, Article 25(2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.

On the present case

It should be noted that nothing has been put forward in the case to show that small black and white images are necessary to ensure that photographs are not sent to incorrect addresses. The EDPS also considers that, on the basis of the explanation received, the transmission of a document showing the thumbnails to the debt collection agency is not necessary for the recovery of the claim. The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided. In addition, the EDPS draws attention to the fact that this has been the processing of children's personal data and emphasizes in this respect that, according to recital 38 of the General Data Protection Regulation, special efforts must be made to protect children's personal data.

For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58(2)(d) of the General Data Protection Regulation, to bring the processing of personal data in connection with invoices in line with the General Data Protection Regulation.

Applicable law

Mentioned in the explanatory memorandum.

Appeal

According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The decision is not yet final.