Editing Tietosuojavaltuutetun toimisto - 8205/154/18

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 54: Line 54:
 
}}
 
}}
  
The Finnish DPA (Tietosuojavaltuutettu) found that the national identification number is not intended to be used as a means of identification and identification alone cannot be the reason for its processing.  
+
The Finnish DPA (Tietosuojavaltuutettu) found that the national identification number is not intended to be used as a means of identification and identification alone cannot be the basis for its processing.  
  
==English Summary==
+
== English Summary ==
  
===Facts===
+
=== Facts ===
 
The complainant claimed that each customer of the data controller gets a unique customer number in their billing systems which is backed by a social security number and all the relevant information, such as the total amount of invoices paid. They also claimed that this practice may lead to financial exploitation of the elderly or identity theft.
 
The complainant claimed that each customer of the data controller gets a unique customer number in their billing systems which is backed by a social security number and all the relevant information, such as the total amount of invoices paid. They also claimed that this practice may lead to financial exploitation of the elderly or identity theft.
  
 
The data controller claimed that they needed this number to identify the customers, while the customers' name only is not sufficient.  
 
The data controller claimed that they needed this number to identify the customers, while the customers' name only is not sufficient.  
  
===Dispute===
+
=== Dispute ===
  
  
===Holding===
+
=== Holding ===
Article 87 GDPR regulates the processing of a national identity number. This is also regulated with Section 29.4 of the National Data Protection Act, according to which a personal identification number shall not be unnecessarily entered in documents printed or prepared on the basis of the personal register. The DPA also invoked the principle of data minimisation of Article 5 GDPR.  
+
Article 87 GDPR regulates the processing of a national identity number. This is also regulated with Section 29.4 of the National Data Protection Act, according to which a personal identification number shall not be unnecessarily entered in documents printed or prepared on the basis of the personal register. The DPA also revoked the principle of data minimisation of Article 5 GDPR.  
  
 
Finally, the DPA found that the national identification number is not a personal identification number intended to be used as a means of identification, and identification alone cannot be the basis for processing. It ordered the data controller to bring the processing operations in line with the provisions of the GDPR in accordance with Article 58 (2) (d).
 
Finally, the DPA found that the national identification number is not a personal identification number intended to be used as a means of identification, and identification alone cannot be the basis for processing. It ordered the data controller to bring the processing operations in line with the provisions of the GDPR in accordance with Article 58 (2) (d).
  
==Comment==
+
== Comment ==
  
  
==Further Resources==
+
== Further Resources ==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
==English Machine Translation of the Decision==
+
== English Machine Translation of the Decision ==
 
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
 
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
  

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: