|
|
| Line 75: |
Line 75: |
|
| |
|
| <pre> | | <pre> |
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fi" lang="fi"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><title> Data Protection Officer 8.2.2021 - FINLEX ® </title><meta name="description" content="Finlex ® is a public and free Internet service for legal material owned by the Ministry of Justice." /><meta name="DC.Title" content="FINLEX ® - Tietosuojavaltuutettu 8.2.2021" /><meta name="DC.Language" content="fi" /><meta name="DC.Identifier" content="/fi/viranomaiset/tsv/2021/20210743" /><meta name="DC.Publisher" content="Oikeusministeriö" /><meta name="DC.Subject" content="Lasten koulukuvien lisääminen pienoiskoossa asiakkaiden laskuille" /><link rel="Shortcut Icon" href="/favicon.ico" type="image/x-icon" /><link rel="apple-touch-icon" href="/assets/img/touch-icon.png" type="image/png" /><link rel="image_src" href="/assets/img/logo-144x118.png" /><link rel="stylesheet" href="/assets/css/fonts.css" type="text/css" media="all" /><link rel="stylesheet" href="/assets/css/screen.css" type="text/css" media="screen, projection" /><link rel="stylesheet" href="/assets/css/finlex.css" type="text/css" media="screen, projection" /><link rel="stylesheet" href="/assets/css/print.css" type="text/css" media="print" /><!--[if lt IE 8]> <link href="/assets/css/ie.css" media="screen" rel="stylesheet" type="text/css" /><![endif]--><script type="text/javascript" src="/assets/js/mootools-core-1.4.1.js"></script><script type="text/javascript" src="/assets/js/finlex.js"></script><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Search everything" href="/fi/opensearch/kaikki/" /><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Up-to-date legislation search" href="/fi/opensearch/ajantasa/" /><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Case Law Search" href="/fi/opensearch/oikeus/" /><link rel="search" type="application/opensearchdescription+xml" title="Finlex ® Authorities Search" href="/fi/opensearch/viranomaiset/" /></head><body id="lang-fi"><div id="header"><div id="header-content" class="container"><h1> <a href="/fi/" title="Finlex"><span>Finlex ®</span></a></h1><div id="lang" title="Select language"><ul><li class="choose-lang-fi"> <a href="/fi/">In Finnish</a></li><li class="choose-lang-sv"> <a href="/sv/">In Swedish</a></li><li class="choose-lang-en"> <a href="/en/">In English</a></li></ul></div><div class="siirry"> <a class="skip" href="#skip">Skip to content</a></div><div id="locationBar0" title="You are here:"> <span class="skip">You are here:</span> <a class="home" href="/fi/">Finlex</a> › <a href="/fi/viranomaiset/">Authorities</a> › <a href="/fi/viranomaiset/tsv/">Data Protection Supervisor</a> › <a href="../2021/" title="Data Protection Supervisor 2021">2021</a> › <span title="Data Protection Officer 8.2.2021">8.2.2021</span></div><div id="navi-container"><ul id="navi"><li> <a href="/fi/">front page</a></li><li> <a href="/fi/laki/" accesskey="l">Legislation</a></li><li> <a href="/fi/oikeus/" accesskey="o">Case law</a></li><li class="selected"> <a href="/fi/viranomaiset/" accesskey="v">Authorities</a></li><li> <a href="/fi/sopimukset/" accesskey="s">Government contracts</a></li><li> <a href="/fi/esitykset/" accesskey="e">Government proposals</a></li><li> <a href="http://julkaisut.finlex.fi" accesskey="j">Proceedings</a></li></ul></div></div><div id="section-header"><div id="search"><h3 class="title search"> Search the material </h3><form action="/fi/viranomaiset/tsv/haku/" method="get"><div class="search"><input type="hidden" name="search[type]" value="pika" /><input title="Keyword..." type="text" name="search[pika]" class="search-phrase" value="" accesskey="h" /></div><input type="submit" name="submit" class="submit" value="Search ›" /><p class="search-example"> Search the text for eg personal * and give up *. As a Keyword Break *. Also try <a href="/fi/viranomaiset/tsv/haku/">Advanced Search</a> . See <a href="/fi/ohjeet">instructions</a> .</p></form></div><div class="info"><div class="container"><div id="breadcrumbs"> <span class="skip">You are here:</span> <a class="home" href="/fi/">Finlex</a> › <a href="/fi/viranomaiset/">Authorities</a> › <a href="/fi/viranomaiset/tsv/">Data Protection Supervisor</a> › <a href="../2021/" title="Data Protection Supervisor 2021">2021</a> › <span title="Data Protection Officer 8.2.2021">8.2.2021</span> </div></div></div></div></div><div id="main"><div id="main-content"><div id="document-header"><h2 id="skip" title="FINLEX ® - Data Protection Officer 8.2.2021"> 2/8/2021</h2></div><div id="document"><div id="oikeus-tsv"><h3 class="asiasanat"> Adding children’s school photos in miniature to customer invoices</h3><table class="metadata"><tr><th style="vertical-align:text-top"> Keywords:</th><td> Data minimization<br/> Personal information<br/> Photos<br/> Children's privacy<br/></td></tr><tr><th> Legal basis:</th><td> Decision under the EU General Data Protection Regulation</td></tr><tr><th> Diary number:</th><td> 6609/163/19</td></tr></table><h4 id="OT1"> <strong>Decision of the Assistant Supervisor</strong></h4><h4 id="OT2"> Thing</h4><p> Data minimization</p><h4 id="OT3"> Applicant 's claims and reasons</h4><p> On 30 August 2019, the applicant brought an action in the Office of the Data Protection Officer concerning the fact that the pictures of his children appear in miniature on the data controller's invoice. The registrar specializes in kindergarten and school photography. The applicant has contacted the controller's customer service, and according to the customer service message sent to the EDPS's office, the controller's data security officer is to consider covering the images in the invoices sent to the collection agency.</p><h4 id="OT4"> Statement received from the controller</h4><p> On 12 January 2021, a clarification was requested from the data controller. The request for clarification has been answered on 21 January 2021. The report provided states that the registrar prints the photos on photo printers and the invoices on normal paper printers. According to the report, the invoices also act as packing lists, and the registrar prints black-and-white images on them in addition to the customer's home address. According to the study, the size of a single image is 1.4 x 2 cm. According to the report, the images on the invoice enable the controller's staff to ensure that the images to be sent and the invoice match, which, according to the report, ensures that the controller does not send photographs to incorrect addresses.</p><p> According to the report, the images will not be added to the collection invoice, but the customer may want to see the original invoice because the customer who ordered the images may have lost or destroyed the original invoice and wants to see it after receiving the collection invoice. Furthermore, according to the report, the registrar submits a pdf copy of the original invoice to the collection agency, if necessary.</p><p> The report states that the controller has not taken any appropriate action. According to the study, the registrar prints and sends photos of about 400,000 students each year, and this is the first time the registrar has received customer feedback. According to the report, the registrar has been printing the images on the invoices for several years. According to the registrar, images significantly improve security of supply and, in its view, the current practice is justified from the point of view of data security related to the supply of images.</p><h4 id="OT5"> Applicant 's reply</h4><p> On 22 January 2021, the Office of the Data Protection Officer requested a reply and address information from the applicant. In his defense, received on 27 January 2021, the applicant stated that he did not consider that the collection agency should see the pictures of his children under any circumstances.</p><h4 id="OT6"> Applicable law</h4><p> The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).</p><h4 id="OT7"> Legal issue</h4><p> The Assistant Data Protection Supervisor will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matter needs to be resolved</p><p> 1. whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices; and</p><p> 2. whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations into line with the provisions of the General Data Protection Regulation.</p><h4 id="OT8"> Decision and reasons of the Assistant Data Protection Supervisor</h4><h5 id="OT9"> Decision</h5><p> The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices.</p><h5 id="OT10"> Regulation</h5><p> The Assistant DPO shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data in connection with invoices into line with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation, ensuring that invoices no longer unnecessary personal data.</p><h5 id="OT11"> Reasoning</h5><h6 id="OT12"> The principle of data minimization</h6><p> Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.</p><p> As mentioned above, the personal data processed must be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p.42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may be processed only if the purpose of the processing cannot reasonably be achieved by other means.</p><p> As mentioned above, this is a matter of the principle of data minimization, which has also been the subject of practical guidance by the European Data Protection Board in the context of its guidelines. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means. In practice, therefore, as little personal data as possible should be collected in each situation.</p><p> In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.</p><h6 id="OT13"> On the present case</h6><p> It should be noted that nothing has been put forward in the case to show that small black and white images are necessary to ensure that photographs are not sent to incorrect addresses. The EDPS also considers that, on the basis of the explanation received, the transmission of a document showing the thumbnails to the debt collection agency is not necessary for the recovery of the claim.</p><p> The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided. In addition, the EDPS draws attention to the fact that this has been the processing of children's personal data and emphasizes in this respect that, according to recital 38 of the General Data Protection Regulation, special efforts must be made to protect children's personal data.</p><p> For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data in connection with invoices in line with the General Data Protection Regulation.</p><h4 id="OT14"> Applicable law</h4><p> Mentioned in the explanatory memorandum.</p><h4 id="OT15"> Appeal</h4><p> According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).</p><p> The decision is not yet final.</p></div><!-- cached 12:27:29 24.03.2021 --></div></div><div id="sidebar"><div class="description"><h3 class="title material"> <a href="/fi/viranomaiset/tsv/">Data Protection Officer</a></h3><p> Decisions of the Data Protection Supervisor on the interpretation of the Data Protection Regulation and the Personal Data Act.</p></div><div id="document-sidebar"><div class="extra-links"><h3 class="other title"> Other material related to the material</h3><ul><li> <a href="/data/tsv/TSV_tyojarjestys_FI.pdf" class="pdf"><span>›</span> Rules of procedure of the Office of the Data Protection Officer</a></li></ul></div></div><div id="toc-container"><div id="toc-title"><h4> Table of contents</h4><h3> 2/8/2021</h3></div><div id="toc-content"><div id="toc"> <a href="#">Adding Children's school of miniature images of customers invoices</a> <a href="#OT1">of the Assistant Decision</a> <a href="#OT2">Key</a> <a href="#OT3">requirements The applicant reasoned</a> <a href="#OT4">statement from the Registrar</a> <a href="#OT5">applicant's response to</a> <a href="#OT6">applicable legislation</a> <a href="#OT7">The legal question</a> <a href="#OT8">of the Assistant decision and the reasons for</a> <a href="#OT9">decision to</a> <a href="#OT10">order</a> <a href="#OT11">reasons</a> <a href="#OT12">the principle of data minimization</a> <a href="#OT13">in the present case</a> <a href="#OT14">Applicable legal provisions</a> <a href="#OT15">for appeal</a></div></div><div id="toc-footer"> <a class="to-top" href="#document">To the beginning of the page</a></div></div></div></div><div id="breadcrumbs-bottom"><div class="container"> <span class="skip">You are here:</span> <a class="home" href="/fi/">Finlex</a> › <a href="/fi/viranomaiset/">Authorities</a> › <a href="/fi/viranomaiset/tsv/">Data Protection Supervisor</a> › <a href="../2021/" title="Data Protection Supervisor 2021">2021</a> › <span title="Data Protection Officer 8.2.2021">8.2.2021</span> </div></div><div id="sitemap"><div id="sitemap-content" class="container"><div id="sitemap-category-laki"><h5> <a href="/fi/laki/">Legislation</a></h5><ul><li> <a href="/fi/laki/ajantasa/">Up - to - date legislation</a></li><li> <a href="/fi/laki/alkup/">Acts in original</a></li><li> <a href="/fi/laki/kokoelma/">Electronic collection of legal acts</a></li><li> <a href="/fi/laki/smur/">Directory of legislative amendments</a></li><li> <a href="/fi/laki/kaannokset/">Translations of legal acts</a></li><li> <a href="/fi/laki/saame/">Acts in the Sámi language</a></li></ul></div><div id="sitemap-category-oikeus"><h5> <a href="/fi/oikeus/">Case law</a></h5><ul><li> <a href="/fi/oikeus/kko/">The Supreme Court</a></li><li> <a href="/fi/oikeus/kho/">The Supreme Administrative Court</a></li><li> <a href="/fi/oikeus/ho/">Rights of the Court</a></li><li> <a href="/fi/oikeus/hao/">Administrative rights</a></li><li> <a href="/fi/oikeus/mao/">Market law</a></li><li> <a href="/fi/oikeus/tt/">Industrial tribunal</a></li><li> <a href="/fi/oikeus/vako/">Insurance law</a></li><li> <a href="/fi/oikeus/eurooppa/">European courts</a></li><li> <a href="/fi/oikeus/foki/">Case law in the literature</a></li></ul></div><div id="sitemap-category-viranomaiset"><h5> <a href="/fi/viranomaiset/">Authorities</a></h5><ul><li> <a href="/fi/viranomaiset/normi/">Collections of regulations of public authorities</a></li><li> <a href="/fi/viranomaiset/tyoehto/">Collective agreements</a></li><li> <a href="/fi/viranomaiset/foka/">Chancellor of Justice of the Government</a></li><li> <a href="/fi/viranomaiset/ftie/">Data Protection Board</a></li><li> <a href="/fi/viranomaiset/tsv/">Data Protection Officer</a></li></ul></div><div id="sitemap-category-sopimukset"><h5> <a href="/fi/sopimukset/">Government contracts</a></h5><ul><li> <a href="/fi/sopimukset/sopsteksti/">Government contracts</a></li><li> <a href="/fi/sopimukset/sopsviite/">Government Contracts Reference Database</a></li><li> <a href="/fi/sopimukset/sopimussarja/">Electronic contract series</a></li><li><a href="/fi/sopimukset/verosopimusteksti/">
| | Decision of the Assistant Supervisor |
| </a></li></ul></div><div id="sitemap-category-esitykset"><h5><a href="/fi/esitykset/">Government proposals</a></h5><ul><li> <a href="/fi/esitykset/he/">Government proposals</a></li></ul><h5> <a href="http://julkaisut.finlex.fi">Proceedings</a></h5><ul><li> <a href="http://lainvalmistelu.finlex.fi">Legislative Process Guide</a></li><li> <a href="http://helo.finlex.fi">Instructions for preparing Board proposals</a></li><li> <a href="http://lainkirjoittaja.finlex.fi">The Writer's Guide</a></li><li> <a href="http://yhdenvertaisuus.finlex.fi">Equality assessment</a></li><li> <a href="http://kuulemisopas.finlex.fi">Legislative Consultation Guide</a></li><li> <a href="http://kokeiluohje.finlex.fi">Trial Law Guide</a></li></ul></div><div id="sitemap-category-finlex"><h5> <a href="/fi/">Finlex®</a></h5><ul><li> <a href="/fi/uutiset/">News archive</a></li><li> <a href="/fi/rss/">RSS feeds</a></li><li> <a href="/fi/ohjeet/">Instructions</a></li><li> <a href="/fi/palaute/">Feedback</a></li><li> <a href="/fi/kayttoehdot/">Terms of use</a></li><li> <a href="/fi/saavutettavuusseloste/">Accessibility statement</a></li><li> <a href="/fi/sivukartta/">Sitemap</a></li></ul></div></div><div id="disclaimer"><p> Finlex ® is a public and free Internet service for legal material owned by the Ministry of Justice.<br /> Finlex content is produced and maintained by Edita Publishing Oy. Neither the Ministry of Justice nor Edita shall be liable for any errors that may occur in the content of the databases, direct or indirect damages caused to the user by their use, or interruptions in the use of the Internet data network or other disturbances.</p></div></div></body></html>
| | |
| | Thing |
| | |
| | Data minimization |
| | |
| | Applicant 's claims and reasons |
| | |
| | On 30 August 2019, the applicant brought an action in the Office of the Data Protection Officer concerning the fact that the pictures of his children appear in miniature on the data controller's invoice. The registrar specializes in kindergarten and school photography. The applicant has contacted the controller's customer service, and according to the customer service message sent to the DPO's office, the controller's data security officer is to consider covering the images in the invoices sent to the collection agency. |
| | |
| | Statement received from the controller |
| | |
| | On 12 January 2021, a clarification was requested from the data controller. The request for clarification has been answered on 21 January 2021. The report provided states that the registrar prints the photos on photo printers and the invoices on normal paper printers. According to the report, the invoices also act as packing lists, and the registrar prints black-and-white images on them in addition to the customer's home address. According to the study, the size of a single image is 1.4 x 2 cm. According to the report, the images on the invoice enable the controller's staff to ensure that the images to be sent and the invoice match, which, according to the report, ensures that the controller does not send photographs to incorrect addresses. |
| | |
| | According to the report, the images will not be added to the collection invoice, but the customer may want to see the original invoice because the customer who ordered the images may have lost or destroyed the original invoice and wants to see it after receiving the collection invoice. Furthermore, according to the report, the registrar submits a pdf copy of the original invoice to the collection agency, if necessary. |
| | |
| | The report states that the controller has not taken any appropriate action. According to the study, the registrar prints and sends photos of about 400,000 students each year, and this is the first time the registrar has received customer feedback. According to the report, the registrar has been printing the images on the invoices for several years. According to the registrar, images significantly improve security of supply and, in its view, the current practice is justified from the point of view of data security related to the supply of images. |
| | |
| | Applicant 's reply |
| | |
| | On 22 January 2021, the Office of the Data Protection Officer requested a reply and address information from the applicant. In his defense, received on 27 January 2021, the applicant stated that he did not consider that the collection agency should see the pictures of his children under any circumstances. |
| | |
| | Applicable law |
| | |
| | The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of directly applicable law in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999). |
| | |
| | Legal issue |
| | |
| | The Assistant Data Protection Supervisor will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matter needs to be resolved |
| | |
| | 1. whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices; and |
| | |
| | 2. whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation. |
| | |
| | Decision and reasons of the Assistant Data Protection Supervisor |
| | |
| | Decision |
| | |
| | The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices. |
| | |
| | Regulation |
| | |
| | The Assistant DPO shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data in connection with invoices into line with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation, ensuring that invoices no longer unnecessary personal data. |
| | |
| | Reasoning |
| | |
| | The principle of data minimization |
| | |
| | Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed. |
| | |
| | The personal data processed must, as mentioned above, be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p.42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may only be processed ifif the purpose of the processing cannot reasonably be achieved by other means. |
| | |
| | As mentioned above, this is a matter of the principle of data minimization, which has also been the subject of practical guidance by the European Data Protection Board in the context of its guidelines. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means.In practice, therefore, as little personal data as possible should be collected in each situation. |
| | |
| | In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person. |
| | |
| | On the present case |
| | |
| | It should be noted that nothing has been put forward in the case to show that small black and white images are necessary to ensure that photographs are not sent to incorrect addresses. The EDPS also considers that, on the basis of the explanation received, the transmission of a document showing the thumbnails to the debt collection agency is not necessary for the recovery of the claim. |
| | |
| | The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided. In addition, the EDPS draws attention to the fact that this has been the processing of children's personal data and emphasizes in this respect that, according to recital 38 of the General Data Protection Regulation, special efforts must be made to protect children's personal data. |
| | |
| | For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data in connection with invoices in line with the General Data Protection Regulation. |
| | |
| | Applicable law |
| | |
| | Mentioned in the explanatory memorandum. |
| | |
| | Appeal |
| | |
| | According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). |
| | |
| | The decision is not yet final. |
| </pre> | | </pre> |
X
English Summary
Facts
X
Dispute
X
Holding
X
X
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Decision of the Assistant Supervisor
Thing
Data minimization
Applicant 's claims and reasons
On 30 August 2019, the applicant brought an action in the Office of the Data Protection Officer concerning the fact that the pictures of his children appear in miniature on the data controller's invoice. The registrar specializes in kindergarten and school photography. The applicant has contacted the controller's customer service, and according to the customer service message sent to the DPO's office, the controller's data security officer is to consider covering the images in the invoices sent to the collection agency.
Statement received from the controller
On 12 January 2021, a clarification was requested from the data controller. The request for clarification has been answered on 21 January 2021. The report provided states that the registrar prints the photos on photo printers and the invoices on normal paper printers. According to the report, the invoices also act as packing lists, and the registrar prints black-and-white images on them in addition to the customer's home address. According to the study, the size of a single image is 1.4 x 2 cm. According to the report, the images on the invoice enable the controller's staff to ensure that the images to be sent and the invoice match, which, according to the report, ensures that the controller does not send photographs to incorrect addresses.
According to the report, the images will not be added to the collection invoice, but the customer may want to see the original invoice because the customer who ordered the images may have lost or destroyed the original invoice and wants to see it after receiving the collection invoice. Furthermore, according to the report, the registrar submits a pdf copy of the original invoice to the collection agency, if necessary.
The report states that the controller has not taken any appropriate action. According to the study, the registrar prints and sends photos of about 400,000 students each year, and this is the first time the registrar has received customer feedback. According to the report, the registrar has been printing the images on the invoices for several years. According to the registrar, images significantly improve security of supply and, in its view, the current practice is justified from the point of view of data security related to the supply of images.
Applicant 's reply
On 22 January 2021, the Office of the Data Protection Officer requested a reply and address information from the applicant. In his defense, received on 27 January 2021, the applicant stated that he did not consider that the collection agency should see the pictures of his children under any circumstances.
Applicable law
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of directly applicable law in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).
Legal issue
The Assistant Data Protection Supervisor will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matter needs to be resolved
1. whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices; and
2. whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation.
Decision and reasons of the Assistant Data Protection Supervisor
Decision
The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices.
Regulation
The Assistant DPO shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data in connection with invoices into line with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation, ensuring that invoices no longer unnecessary personal data.
Reasoning
The principle of data minimization
Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.
The personal data processed must, as mentioned above, be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p.42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may only be processed ifif the purpose of the processing cannot reasonably be achieved by other means.
As mentioned above, this is a matter of the principle of data minimization, which has also been the subject of practical guidance by the European Data Protection Board in the context of its guidelines. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means.In practice, therefore, as little personal data as possible should be collected in each situation.
In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.
On the present case
It should be noted that nothing has been put forward in the case to show that small black and white images are necessary to ensure that photographs are not sent to incorrect addresses. The EDPS also considers that, on the basis of the explanation received, the transmission of a document showing the thumbnails to the debt collection agency is not necessary for the recovery of the claim.
The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided. In addition, the EDPS draws attention to the fact that this has been the processing of children's personal data and emphasizes in this respect that, according to recital 38 of the General Data Protection Regulation, special efforts must be made to protect children's personal data.
For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data in connection with invoices in line with the General Data Protection Regulation.
Applicable law
Mentioned in the explanatory memorandum.
Appeal
According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).
The decision is not yet final.
