Tietosuojavaltuutetun toimisto - 8393/161/2019

From GDPRhub
Tietosuojavaltuutetun toimisto - 8393/161/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 13(2)(d) GDPR
Article 13(2)(e) GDPR
Article 26 GDPR
Article 30 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 26.05.2020
Published: n/a
Fine: 72000 EUR
Parties: Taksi Helsinki
National Case Number/Name: 8393/161/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
English
Original Source: tietosuoja.fi (in FI)
tietosuoja.fi (press release) (in EN)
Initial Contributor: n/a

the Finnish DPA (Tietosuojavaltuutetun toimisto) fined Taksi Helsinki € 72,000 for failing to assess the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis.

English Summary[edit | edit source]

Facts[edit | edit source]

Following the investigations carried out in November 2019 on Taksi Helsinki’s processing, the Tietosuojavaltuutetun toimisto found several serious GDPR violations regarding the processing of customers’ audio and video personal data.

Dispute[edit | edit source]

The Tietosuojavaltuutetun toimisto raised six data protection law issues regarding the processing of both audio and video data which can be summed up as below: - Does the controller process audio and video data for security purposes in accordance with Article 6(1)(f) GDPR? - Does the controller process audio and video data in accordance with 5(1)(c) GDPR? - Does the information provided to data subjects regarding the security camera and the automated decision making process comply with Article 12 GDPR? - Did the controller identify the actors playing a role in the processing, with respect to Articles 4(7), (8) and Articles 26, 28 GDPR (processor, controller, joint controllership)? - Did the controller maintain a record of processing activities according to Article 30 GDPR? - Did the controller perform a data protection impact assessment prior to the implementation for the security camera system, as prescribed under Article 35 GDPR?


Holding[edit | edit source]

First, the Tietosuojavaltuutetun toimisto decided that the controller was not able to demonstrate that the processing of video and audio data for security purposes complies with Article 5 (1) (a) and Article 6 (1) (f) GDPR. Thus, the controller failed to comply with the accountability principle under Article 5 (2) GDPR. Second, the data protection authority pointed out that the recording of images and sound in all of the company’s cars did not comply with the principle of data minimisation under Article 5(1)(c) GDPR. The recording of the image would have fit the purposes of safety and the investigation of criminal offences and damages which might have occurred, as claimed by the controller. Regarding the information to be provided to the data subjects, the data protection authority ruled that several pieces of information were missing, such as the right to lodge a complaint and whether the provision of personal data is a legal or contractual requirement, (Article 13 (2) and (e) GDPR). The authority also stated that there was no link between the controller’s privacy policy and the information about the loyalty program website targeting the consumer. This prevents the data subject from exercising their GDPR rights during the processing, and results in an incomprehensible overview of the processing of personal data by the controller in the context of the automated decision making for the loyalty program. Thus, the authority held that the controller did not comply with Article 12 GDPR. In identifying the controller or processor, in particular the role of the taxi drivers in the processing at stake, the authority held that Taksi Helsinki did not defined what personal data it processes as a controller. Thus, the authority decided that Taksi Helsinki failed to demonstrate its compliance with Article 26 GDPR. Furthermore, Article 30 GDPR does not require that a report of the processing activities has to be drawn in a specific form other than in writing. However, a report has to be drawn in a document and cannot only subsist in the privacy statements that the data controller provided. Thus, Taksi Helsinki violated Article 30 GDPR. Lastly, the authority decided that the controller did not carried out any impact assessment. Thus, the controller breached Article 35 GDPR.


Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decisions of the Assistant Data Protection Supervisor and the Sanctions Chamber
Thing
General information on the processing of personal data by Taksi Helsinki Oy (later the registrar)
compliance with the Data Protection Regulation 1
• The security camera surveillance carried out by the controller in taxi cars is
and data minimization
• Transparency in the processing of personal data
• Defining the roles of the actors involved in the processing of personal data
• The controller's obligation to prepare a report on the processing operations, as well as
• The obligation for the controller to carry out a data protection impact assessment.
The Office of the EDPS has started to investigate the matter on his own initiative
after receiving the relevant anonymous notification.
The Office of the Data Protection Officer has asked the controller for clarification of the personal data
processing on 13 November 2019. The controller provided its response to the request for clarification
within the deadline of 12.12.2019. The controller has been asked to complete the report
02.06.2020. The registrar provided the requested supplement on the same day.
The EDPS office has requested further clarification and reserved it for the controller
opportunity to be heard on 13 February 2020. The controller responded to the request for further clarification and
consultation by the deadline of 6.3.2020. The controller was requested
to complete its further study on 16.4.2020. The requested supplement was received
21.04.2020. 
The matter has also been clarified by consulting the controller’s website,
information from the mobile app and other publicly available sources.
The Office of the Data Protection Officer has requested clarification from the controller
from the service provider on 9.4.2020, but the request for clarification has not been answered.
Decision of the Assistant EDPS on the breach of the Regulation and his powers
exercise of its remedial powers
Statement received from the controller
1. Legality of security camera surveillance
The controller has stated in its report that it is in compliance with the general data protection
implementation of the principle of legality in accordance with Article 5 (1) (a) of
documenting all uses and their legal bases. The register
According to the controller, the responsible person is responsible for the equivalence of the processing carried out.
and legal basis. Further consent and legitimate interest the controller shall also provide documentation of the legal proceedings.
Trust and process estimates found in other reporting. 
The controller has identified camera surveillance as the primary legal basis
in accordance with Article 6 (1) (f) of the General Data Protection Regulation
implementation of the legitimate interests pursued by the controller or a third party.
As regards the requirement of the necessity of a legal basis, the controller submits that the processing
is necessary on the one hand because of the right of the taxi driver and the passenger
personal safety can be ensured by both the taxi driver
to safeguard working conditions. On the other hand, processing is considered necessary after processing
the purpose is to deal with incidents and safety hazards
clarification so that a third party can take legal action or
legitimate interests in defense.
As regards the balancing test for the application of the legitimate interest
the controller states that it passes it clearly, but states that it has not been before
this response has been prepared or documented. In the view of the controller
there is in any case a balance between the interests of the controller and the data subjects
assessed in the decision of the Data Protection Board of 25 February 2002, and not by the controller
has therefore not considered that there is a need for separate additional documentation. 
Likewise, the controller submits that the legal status with regard to the type of documentation
required of the controller in such a situation shall be deemed to be so unclear,
the controller could not have been required to perform a balancing test in a documented manner.
Finally, however, the controller states that it will
operate the balancing test without undue delay during the spring of 2020 and
the balance between the interests of the controller and those registered
at regular intervals.
2. Minimization of personal data in connection with security camera surveillance
The controller has stated in its report that it is in compliance with the general data protection
the principle of data minimization in accordance with Article 5 (1) (c) of
documenting all personal data stored in information systems or elsewhere. Re-
the registrar states that it shall ensure that it does not hold the data resources for which it is
has not specified at least one use. The controller shall also
that the responsible person is responsible for the equivalence and reasonableness of the personal data stored;
in relation to the purposes for which the data are used. 
The registrar has stated in his report of 12 December 2019 and in the
in the privacy statement of the mass surveillance camera surveillance that it deals with
whose personal data of taxi drivers, staff and motorists' customers are described and
using a sound recording camera surveillance system.
In its reply of 6.3.2020, the controller states, unlike before, that it
processes image data only in the context of its security camera surveillance. The registrar brings
emphasized in its reply that new security cameras with voice recording capability
roit was installed in about half of the taxi cars covered by it in the summer
2019. Likewise, the controller states in his response that the processing of audio data
was a mistake and was never intended to deal with
in the context of security camera surveillance. 
The data controller has provided his reply as an annex with a voice recording feature
Security Cameras that require Voice Recording
has been set to “Off” during installation. 
In its same reply, the controller stated that on 20 December 2019 it had invited the
cars covered by its service to deactivate audio recording. motorists
has had to use the maintenance of his taxi by 15 January 2020 to remove the audio recording
at the risk of a motorist who failed to perform a maintenance visit being removed from taxi
the scope of this Regulation. Furthermore, the controller has stated that maintenance
that voice recording is switched off for all security cameras and
an add-on has been added to the cameras to prevent future use. 
The EDPS Office has tried to find out with the voice recording feature
the accuracy of the information on the installation of cameras equipped with
from the service provider of the holder, but has not received a reply to the request for
background.
According to bulletin 2 published on the registrar's website on 13 November 2019 in its cars
is a recording security camera, some of which records sound and images, some of which are mere images. You-
In a mass bulletin, the registrar states that the security camera is for car security
in order to guarantee. In another published by the registrar on its website on 15.11.2019
in bulletin 3, the controller states that it has been found that some of the cameras have
voice recording on and off. Recording camera surveillance data
on 25 May 202020, the
are processed in cars by a camera and sound recording camera surveillance system
through. 4
The registrar has defined the report it submitted on 12 December 201 in the appendix
in the privacy statement of the security camera
for the purposes of the processing of personal data in the context of the transfer
protection of the property of motorists and drivers, the control of operational processes
prevention of crime and the prevention of
settlement of accidents and damage to cars in the dealership between them and
in their vicinity. In its release of 13 November 2015, the registrar has announced a vote
and image, and some are afraid of image, for the purpose of security cameras.
guaranteeing security. 5
The purposes of the processing have been mentioned by the controller in his subsequent reply
6.3.2020 Ensuring the safety of the taxi driver and the passenger, as well as the
situations and security threats, as well as the controller
compliance with legal obligations when handing over video recordings
to the police.
3. Transparency of processing
3.1. Transparency of processing in the context of security camera surveillance
According to the report provided by the controller, the processing of personal data
visibility in the context of security camera surveillance is firstly ensured by
security camera. The notice is placed in
on the outside and inside of the car and, in the controller's view, on the notices
the data subject is informed of the existence of the security camera even before
and, where appropriate, from the inside. 
Aircraft, both exterior and interior, supplied by cars by the controller
The notifications mainly contain information on the formation of the price of a taxi ride.
Toa. At the bottom left of the message there is a black message text regarding the
safety cameras: “Car security camera. Registrar Taxi Hel-
zinc Oy. There is a surveillance camera in the car. The controller is Taxi Helsinki
Ltd." 
In addition to the notices in taxi cars, the controller’s website provides
the general data protection statement of the controller and the data protection
loste regarding recording camera surveillance. For recording camera surveillance
in the privacy statement of the recording camera surveillance
• The data transmission system of the controller for the processing of personal data
camera surveillance system for recording the image and sound of cars
through the system
• Registered groups
• Purposes of processing
• Legal basis of the proceedings 
• The legitimate interests of the controller when the processing is based on a general
Article 6 (1) (f) of the Regulation
• Personal data to be processed
• Information on safety camera surveillance notices placed in cars
• Information on the operators employed by the controller who receive
process such personal data
• Information about the recipients of personal data.
In other respects, the Security Camera Surveillance Privacy Statement refers to the controller
general privacy statement. The general data protection statement shall inform the
processing of data in so far as such data do not survive security camera surveillance
detailed data protection statement. Such a general privacy regulation
Required by Articles 12 and 13 and set out in the controller’s general data protection statement
information is 
• the identity and contact details of the controller
• Contact details of the Data Protection Officer
• Criteria for determining the retention period of personal data
• the right of the data subject to request from the controller access to data relating to him
personal data and the right to request the rectification or erasure of such data.
restricting or opposing the processing and the right to transfer
information from one system to another
In addition, the controller 's general privacy statement sets out the information on personal data
extradition outside the European Economic Area and the right to withdraw consent
when the processing of personal data is based on Article 6 (1) of the General Data Protection Regulation
paragraph (a).
In addition to safety camera notices and privacy statements, the controller has provided information
on the processing of personal data in the framework of camera surveillance on
in two bulletins: Information on Taxi Helsinki Taxi Safety Cameras
published on 13 November 2019 and the Voice Recording will be deleted from all Taxi Hel-
in the bulletin on security cameras for taxis brokered by sinki Oy, which has been published
15.11.2019.
In a press release published on 13 November 2019, the registrar has described security cameras
the processing of personal data as follows:
1. Taxis Helsinki cars have a recording security camera. Some cameras record
sound and image, part of a mere image.
2. Security cameras shall be automatic and continuous recording with a new file
flies over the old. The recordings remain for a few days, depending on the camera
I drive.
3. The security camera is in the car for safety and no recordings are made
or go through non-special situations such as criminal suspicions.
4. Security camera data shall only be released at the request of the authorities.
5. Taxi In accordance with the GDPR, Helsinki has taken care that the customer's information is
sheltered.
6. The privacy statements can be found on our website at www.taksihel-
sinki.fi/taksi-helsinki-oy/tietosuojaselosteet/
In addition, the controller regrets that it has not indicated clearly enough
in addition to the image in the security cameras, they record sound and tell you that the security camera is 
in the car only to ensure the safety of customers and drivers. In addition,
the holder states in his bulletin that the installation of the cameras has taken into account
the Protection Regulation and the 2001 decision of the Data Protection Board.
In relation to the data protection statements maintained by the controller, the controller 13.11. published
the bulletin specifies that security cameras are automatic and continuous,
where the new file is saved on top of the old one and that the recordings remain
I'll talk for a few days. The bulletin also adds to the privacy statement that
security camera data shall only be released at the request of the authority and that the
in accordance with the GDPR, the customer has ensured that the customer's data is protected.
In a press release published on 15 November 2019, the registrar announces that the audio recording
removed from taxis brokered by the controller.
The bottom bar of the websites of the bulletins published by the controller contains a link to
and further details of the controller’s general privacy policy.
and the security camera surveillance privacy statement
3.2. Transparency of processing in the context of the loyalty program
tomato decision-making
In connection with its loyalty program, the controller shall carry out an automatic
including profiling.
According to the registrar's report, it informs in connection with the loyalty program
automatic decision-making in its data protection statements and separate publications.
by means of notifications. In separate notifications, the controller refers to the notification
in the registrar's mobile application, as well as in the notices published on the website 6
regarding the launch of the loyalty program and its own loyalty program itself.
The registrar has submitted his report as an appendix on 12 December 2019 on his website
the general data protection statement described above and the marketing authorization
and the customer register’s privacy statement, both of which apply to customer and
processing of personal data of potential customers.
The Privacy Statement, which clarifies the General Privacy Statement, concerns the processing of personal data.
in particular the controller’s website, the controller’s application and the direct
in the context of marketing. It does not specify in the context of the loyalty program
personal data to be processed or its associated automatic decision-making. 
In the controller’s general data protection statement, the automatic decision-making
marketing, product and customer analysis may involve profiling.
and that the controller has a legitimate interest in using profiling, for example for marketing
customer analyzes. This right is mentioned in the privacy statement
opposes processing on the basis of a legitimate interest of the controller. The registrar is
In its reply of 6 March 202020, it stated that it had not taken any steps to
and the processing of personal data in connection with the customer analyzes mentioned in the description. In general
on the other hand, this privacy statement does not specify the loyalty program
legal basis and no information on the car to be carried out under the loyalty program.
decision-making, including profiling. 
In a press release issued on 6 September 2018, the registrar states that it will publish
a new loyalty program that allows taxi ride subscribers to have a loyalty program
as a so-called VIP customer, the opportunity to get past the queue to order a car
during urination. The registrar states in the press release that the loyalty program will be opened at the beginning
only for users of the registrar's mobile application. About the content of the loyalty program
it is said that that VIP clientele is achieved by running 10 mobile apps
taxi journey booked within 60 days and that the benefits of VIP membership are valid only
price per month. In addition, the loyalty program is announced to be launched on 10.9.
with the application update.
The registrar’s loyalty program website states that the loyalty program
The program can be accessed using the registrar's mobile application or account on a regular basis.
by downloading a taxi in the Helsinki metropolitan area from the registrar's taxi order number. So
age registrar says there are two loyalty levels: VIP and SuperVIP. 
You can become a VIP customer by placing at least 10 phone orders in 60 days. VIP-
Customer Phone Orders progress as the VIP customer calls the registrar
order number, the system identifies the VIP customer, after which the customer
the call is prioritized to the top of the queue. SuperVIP customership is achieved by making at least
10 application or phone subscriptions within 60 days. SuperVIP customer required
registration in the registrar's mobile application. In order to accumulate SuperVIP
loyalty points Phone orders must be placed under the same number.
from the mero registered in the application. The description also states that
In connection with a perVip customer relationship, you can check your own loyalty program
from the “My personal information” section of the mobile application and that information about the SuperVIP client subscription
appears in the car when you order from both app and phone orders. Mo-
the description of the more frequent loyalty levels states that with loyalty
calls or calls and taxi orders always go past the queue even during peak hours. 
In addition, the Loyalty Program website states that “Each taxi ride is 10 points
and 100 points, you become a VIP or SuperVIP customer. That is, everyone
the ride will take you not only to your destination, but also closer to VIP membership! Loyalty level
the benefits are always available to you one month at a time. The system always checks the order
what your level is and thus know how to configure your call or subscription correctly.
Loyalty does not require anything from you and does not oblige you to do anything. You can only
enjoy the priority it brings. ” Likewise, the loyalty program shows where
its mobile app can be downloaded.
The websites of the notices published on the controller’s website as described above
There is a link in the bottom bar of the page to the Privacy Statement page, where you can still find
the controller’s general privacy statement and the marketing and customer registration
the privacy statement. 
The menu of the registrar's mobile application shows how many points are
the user of the application needs to reach the VIP level. When navigating from the application menu
from ‘Settings’ to ‘Terms of Use’, you can access the controller application.
options. The Terms of Use contain some information related to the processing of personal data,
but no information about the loyalty program or related processing of personal data.
At the bottom of the Terms of Use page is a link to what is on the registrar's website 
general data protection statement. 7 Loyalty program or related personnel
no information on data processing can be found in the menu of the mobile application
'Contacts and questions' or elsewhere in the application.
4. Actors involved in the processing of personal data and their roles
The controller considers himself to be the controller with regard to the personal data he processes.
The controller has defined the following actors as its processors of personal data
In connection with the reply submitted on 12 December 2019:
• Telia / Inmics
• MTI
• Zendesk
• Nets
• Benemen
• Motorists 
• Drivers
In its reply of 6.3.2020, the controller has defined the following:
operators as processors of personal data:
• Avenla Oy
• Zendesk Inc.
• Arena Interactive Oy
• LINK Mobility Oy
• Telia Inmics-Nebula Oy
• MTI Ltd, Data processing agreement
• Atea Finland Oy
• Mediatoimisto Voitto Oy
• Nets Finland Oy
• Benemen Finland Oy
• Koodiviidakko Oy
• Mediamaisteri Oy
The registrar has provided the information specified in his reply of 6.3.2020
agreements on the processing of personal data with processors of personal data.
The registrar has stated in his report of 6.3.2020 that it works at least for orders
with taxi drivers in connection with the receipt and execution of orders
yhteisrekisterinpitäjänä. For this reason, the registrar has not provided taxi drivers
agreements on the processing of personal data with The registrar submits that it
will further clarify the arrangement between it and motorists, in particular their
treatment operations where it and the motoring companies jointly determine
the purposes and means of the processing of personal data. 
According to the data controller's report, order brokerage software must be placed in taxi cars
The terminal is Android-based. In addition, the controller shall notify in the 'Contacts and Questions' section of its mobile application that its mobile application
use the various software licenses that are
• MIT licensed components: Adform tracking, SAMKeychain (iOS only)
• Apache License 2.0 licensed components: KeyBoardVisibilityEvent
(Android Only), Snackbar (Android only), Volley (Android only), Scytale
(Android Only)
• Facebook Licensed Components: Facebook SDK
• Google Licensed or Google Premium Plan Components:
Protobuf, Google Maps, Google Place.
5. Description of processing operations
As an annex to the report submitted on 12 December 2019, the data controller has submitted
in accordance with Article 30 of the General Data Protection Regulation.
its obligation to draw up a report on the processing operations.
In addition, in his reply of 6 March 2019, the controller stated that the data
In accordance with Article 30 of the General Data Protection Regulation, the following
information:
• The purposes of the processing of personal data; 
• The categories of personal data to be processed and the groups of data subjects; 
• Groups of recipients of personal data; 
• Transfer of personal data to a third country and criteria for data transfer; 
• Where possible, those designed to delete personal information
deadlines; and
• Where possible, a general description of the technical and organizational aspects
security measures. 
6. Data protection impact assessment
6.1. Impact assessment on the processing of location data
On 6 February 2020, the controller submitted a data protection impact assessment,
concerning the processing of location data and drawn up in accordance with the
according to the date appearing in the document, 4 December 2019.
The impact assessment on the processing of location data includes the following main
sections: description of personal data, contributing to the proportionality and necessity of the processing
measures to promote the rights of the taxi customer and the motorist / driver (hereinafter
measures to manage risks to the client’s rights and freedoms.
describes the involvement of stakeholders, the measures planned to address the risks
protection and security measures and mechanisms to ensure the protection of personal
data protection.
According to the response provided by the registrar on 6 March 2019, it has taken the MTI
to use the brokerage software in June 2017. Previously delivered on 12.12.2019
according to the study, all taxi orders are logged in the MTI brokerage system. The system
the order number of the order, the number of the car making the order, the driver
id, the customer’s pick-up address, any destination address, and the departure and arrival
moment to destination. The ride route is stored in the system as well as in the car
speeds. In most cases, the customer's telephone number is also linked to the order. customers
the name and e-mail address may also be stored (depending on the subscription channel).
6.2. Data protection impact assessment on security camera surveillance
In its reply of 6 March 2020, the controller considered that it should not have drawn up a
data protection impact assessment pursuant to Article 35 of the Data Protection Regulation
the use of personal data in the context of security camera surveillance of taxi cars
the General Data Protection Regulation, the Data Protection Act or the decision of the
on the basis of that list.
According to the report provided by the controller, it collects security camera surveillance
video and audio recordings that are time- and location-specific.
The security cameras in the registrar's report describe not only the interior of the taxi car but also
taxi car environment. Iltasanomat, the registrar’s service manager, was given 13 November 2019
According to this video interview, newer security cameras record in addition to the image
sound and describe the interior of the car in addition to the front of the car. 8
The controller has clarified that the number of its registrants is calculated in hundreds of
that it handles around four million taxis a year and that its
it covers a total of more than 2,000 cars with recordable security camera surveillance. Val-
most of the taxis brokered by the controller operate mainly in the main
tick in the area.
According to the information on the controller’s website, the controller provides information
taxi services for specific customer groups, such as seniors
disabled taxi services.
6.3. Data protection impact assessment for automatic decision - making
In its reply of 6 March 2020, the controller considered that it should not have drawn up a
data protection impact assessment pursuant to Article 35 of the Data Protection Regulation
automatic decision-making in the context of its loyalty program,
including profiling, the processing of personal data
a list decided by its Data Protection Regulation, the Data Protection Act or the Data Protection Officer
by.
According to the registrar’s report, the car operated by its loyalty program
decision-making is limited to identifying phone or application subscriptions. Provided
the registrant has ordered a taxi ride by phone or using the ordering application 10 times
Within 60 days, the customer will be automatically classified as a VIP customer,
when placing a new order, passes a possible queue. The controller considers that
its automatic decision-making in the context of the loyalty program
purchase, including profiling, has no legal effect or other significant effect.
to the data subject. 
Based on the data controller's report, the personal data it processes are automatic
decision-making, including profiling, is based on telephone numbers,
information on orders placed with the taxi application and whether the registered
VIP level.
Legal issues
1. Does the controller process personal data collected in connection with security camera surveillance with the general public?
in accordance with Article 6 (1) (f) of the Data Protection Regulation
2. Is the processing of both audio and video data in the context of security camera surveillance by the controller
the principle of minimization in accordance with Article 5 (1) (c) of the General Data Protection Regulation
according to the
3. Does the information provided by the controller to data subjects reflect the general data protection Regulation 12?
the information required by Article 1 (1) in such a way that such information can be easily understood; and
at hand
3.1. Regarding security camera surveillance by the controller in taxi cars
3.2. Regarding the automation of the controller in the context of the loyalty program
decision-making, including profiling
4. Has the controller identified the actors involved in the processing of its personal data in the
in accordance with Article 4 (7) to (8), Article 26 and Article 28 of the 
5. Does the description of the processing operations provided by the controller comply with Article 30 of the General Data Protection Regulation?
requirements of this Article
6. Data protection impact assessment
6.1. Does the location data processing data provided by the controller correspond to
requirements of Article 35 of the General Data Protection Regulation
6.2. Is the controller obliged to draw up a security camera surveillance of taxi cars?
Article 35 of the General Data Protection Regulation on the processing of personal data
data protection impact assessment in accordance with
6.3. Is the controller obliged to draw up a program in connection with the loyalty program?
automatic decision-making, including profiling, public information
data protection impact assessment under Article 35 of the Data Protection Regulation
The matter is pending before the Sanctions Chamber of the EDPS 
7. If the activities of the controller are considered to be as described in the above paragraphs
the matter is contrary to or incomplete in the General Data Protection Regulation
whether the General Data Protection Regulation should be laid down in Article 58 of the General Data Protection Regulation
administrative penalty fee in accordance with Article 2 (2) (i) and Article 83 and its
amount.
Decision of the Assistant Supervisor
1. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation,
Article 6 (1) (f) of the General Data Protection Regulation.
the balancing test required by the first subparagraph and provide a report on the measures taken
to the Office of the Data Protection Officer within one month of the adoption of this Decision.
2. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation,
the controller to ensure that the processing of audio data in taxi security cameras
in the event of supervision without objective justification shall be terminated immediately. The controller shall
report on the measures taken to the Office of the Data Protection Officer within one month
within one month of the adoption of this Decision.
3. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation,
the controller to change the security camera surveillance and the loyalty program
automatic decision-making, including profiling,
information processing practices in such a way that the information it provides to data subjects
all the information required by Article 12 (1) of the General Data Protection Regulation
in an easily accessible and comprehensible form, and to provide a report on the action taken.
the Office of the Data Protection Officer within one month of the adoption of this Decision.
the two.
4. The Assistant EDPS shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation,
the controller to comprehensively define the operators
to the controller as a processor of personal data. In addition, the controller must determine to what extent it
acts as joint registrar in accordance with Article 26 of the General Data Protection Regulation for taxi
and entrepreneurs. The controller shall submit to the Office of the Data Protection Officer for information
within one month of the adoption of this Decision
4.1. An explanation of how the controller has defined the software of the Taxi Helsinki mobile application
the role of licensing providers vis-à-vis the controller in relation to the processing of personal data
and on what basis.
4.2. Arrangements for joint registration with taxi drivers, and
4.3. An explanation of any other measures taken in relation to the processing of personal data
actors and their roles from the point of view of the processing of personal data.
5. The Assistant Data Protection Supervisor shall, in accordance with Article 58 (2) (d) of the General Data Protection Regulation,
the controller to bring the processing of personal data into line with the general
requirements of Article 30 of the Protection Regulation and to provide a report on the measures taken
to the Office of the Data Protection Officer within one month of the adoption of this Decision.
6. Data protection impact assessments
6.1. In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the Assistant
that the controller must draw up a personal data processing plan.
processing of personal data pursuant to Article 35 of the General Data Protection Regulation
spring impact assessment.
6.2. In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the Assistant
that the controller must draw up a security camera
general data protection regulation on the processing of personal data in connection with
Data protection impact assessment under Article 35. 
6.3. In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the Assistant
that the controller must prepare the content of its loyalty program
automatic decision-making, including profiling.
processing of personal data pursuant to Article 35 of the General Data Protection Regulation
the impact assessment.
In this context, the Assistant EDPS draws attention to the general provisions of the
the obligation to consult the supervisory authority in accordance with Article 36 thereof, if
based on the impact assessment, there is a need for this.
Grounds for the decision of the Assistant Data Protection Supervisor
1. Legitimate under Article 6 (1) (f) of the General Data Protection Regulation
advantage as a basis for addressing security camera surveillance and the lack of
test
Article 6 of the General Data Protection Regulation lists the situations in which the processing of personal data may take place
can be considered legal. According to paragraph 1 (f) of that Article, one of these situations
responses have it, when the treatment is necessary for the operator or a third party authorized to
interests, except where the interests of the data subject or
rights and freedoms override such benefits, especially if the data subject is a child (later
legitimate interest).
According to recital 47 of the General Data Protection Regulation, such a legitimate interest may exist
exist, for example, where there is a relevant and relevant relationship between the data subject and the controller.
such that the data subject is a customer of or employed by the controller.
According to the same paragraph, the existence of a legitimate interest must in any event be
basis; must assess, inter alia, whether the data subject can reasonably expect the collection of personal data
at the time and in the context that personal data may be processed for that purpose. eTEN
the interests and fundamental rights of the data subject could override the interests of the controller if the
processed in circumstances where the data subject cannot reasonably expect further processing.
According to Article 5 (1) (a) of the General Data Protection Regulation, personal data must be
lawfully, properly and transparently for the data subject. Article 2 of the same article
paragraph 1, the controller shall be responsible for it and shall be able to demonstrate that paragraph 1
has been complied with (the so-called obligation to demonstrate).
The application of a legitimate ground of priority under the General Data Protection Regulation requires
on the one hand the legitimate interests of the data controller or third-party evaluation of the existence and
on the other hand, an assessment of whether the legitimate interest of the controller overrides the interests of the data subject or
rights or freedoms. The existence of a legitimate interest of the controller may be demonstrated by this
with the so-called balance test. 
The Office of the Data Protection Supervisor has included in its guidelines published on 24 May 2018
the use of its legitimate interest as a legal basis. In particular, the performance of the balancing test
the Office of the Security Officer instructs that the test must be prepared in accordance with the obligation to demonstrate
a written description enabling the controller to demonstrate, where appropriate, that the activity is of a general nature
in accordance with the Data Protection Regulation. In its instructions, the EDPS shall specify the balance
six steps for performing the test with explanations. The guidelines call for the test to be repeated.
and update the description if the purpose, nature or purpose of the processing of personal data
the context changes. 
The statement received from the controller indicates that it has not prepared or documented a
legitimate interest in accordance with Article 6 (1) (f) of the Data Protection Regulation.
the balancing test required for the application of the
Therefore, the EDPS considers that the controller has not been able to demonstrate
in accordance with Article 5 (2) of the General Data Protection Regulation, that the processing of
in the context of camera surveillance complies with Article 5 (1) (a) of the General Data Protection Regulation.
and Article 6 (1) (f).
The EDPS draws attention to the fact that the opinion of the Data Protection Board of 25 February 2002
This Decision concerns the processing of audio data in the context of security camera surveillance. Now under evaluation
the processing of personal data and the technology used in connection therewith have changed
significantly, so that the controller cannot rely on
the decision of the panel and the assessments made in the context of the impact of the
the interests, rights or freedoms of data subjects, as such. 
Nor can the data controller’s claim that the general data protection regulation
application of Article 6 (1) (f) of this Regulation, including those relating to the balancing test
requirements, the legal situation would be so unclear that compliance could not be required by the
from suppliers. The EDPS draws attention to the fact that the information contained in the balancing test
and the obligation to document in accordance with the obligation to demonstrate is defined in the
protection regulation and that the general data protection regulation does not require a balancing test in a particular
in terms of. The EDPS also draws attention to the controller's argument
that the website of the Office of the Data Protection Officer contains a comprehensive and practical
how the balance test can be performed.
2. The processing of audio and video data in the context of security camera surveillance
in the light of the principle of minimization set out in Article 5 (1) (c) of the Regulation
According to Article 5 (1) (c) of the General Data Protection Regulation, personal data must be:
appropriate and relevant and limited to what is necessary in
for which they are processed (the so-called data minimization principle).
According to recital 39 of the General Data Protection Regulation, ‘… personal data should be
and relevant and limited to what is necessary for the purposes for which they are processed.
of view. This requires, in particular, that the retention period for personal data be as short as possible.
Personal data should only be processed if the purpose of the processing cannot reasonably be achieved
by other means. "
The report received from the controller and any other report obtained by the EDPS’s office is
ests. The Office of the EDPS has not been provided with unambiguous information on whether the
the controller intended to process both audio and video data in the context of security camera
conjunction. 
On the basis of the report provided by the controller and the publicly available information, it is
that the controller has been aware that the audio data will be processed in some of its transmission
taxi vehicles covered by this Regulation and that it has considered such treatment to be appropriate
at least until 15 November 2019, as soon as cameras with voice recording function are installed.
said housing. The controller may be deemed to have taken steps to terminate the processing
December 20, 2019, when it called the cars covered by its brokerage service for voice recording operations
to deactivate. 
Although the controller has reformulated the purposes of the processing as the case progressed,
safety and the investigation of criminal offenses and damage can be considered as the basis for the
common elements for the purposes of security camera surveillance when such processing
based on a legitimate interest. Until the controller has taken steps to
to eliminate flight and when voice recording has still been used in some cars, processing
purposes, the report provided by the controller and publicly available must be considered
including monitoring of operational processes on the basis of privacy statements. 
In its report, the controller has not provided any justification as to why it has processed the
in addition to the data, audio data in some of their cars. On the other hand, the controller has
argued at a later stage that the processing of audio data was an error. As above
it has emerged that this is inconsistent with other clarification received in the case.
Since, on the basis of the controller’s report, it processes image data in all its cars,
the processing of image data shall be deemed to be its normal processing and the processing of
van beyond this.
The security camera surveillance practice indicated by the controller, in which only part of its
In addition to image data, voice data and data from the controller are also recorded.
On the basis of this report, it can be concluded that the processing of audio data has not been necessary
for the purposes defined by it and that it has been able to achieve the security camera
the purposes of the processing of personal data which it has defined for the purposes of
by.
Accordingly, the EDPS considers that the processing of the controller's voice data is secure.
In addition to image data in the context of camera surveillance, there has been no
accordance with the principle of data minimization in paragraph 1 (c) and has not been able to
demonstrate compliance with the same section of the General Data Protection Regulation
in accordance with Article 5 (2) of that Regulation.
3. Transparency of processing as required by Article 12 (1) of the General Data Protection Regulation
in this way
Article 12 of the General Data Protection Regulation requires the controller to take appropriate action
measures to provide the data subject with the information in accordance with Articles 13 and 14 and Articles 15 to 22 and
All processing information in accordance with Article 34 in a concise, transparent, easily accessible manner
in a comprehensible and accessible form in clear and simple language, in particular
where the information is intended specifically for a child. The information must be provided in writing or otherwise
and, where appropriate, in electronic form.
According to Article 13 of the General Data Protection Regulation, when collecting personal data
personal data must be provided by the controller to the data subject when personal data are received
all of the following information: 
(a) the identity and contact details of the controller and, where applicable, of any such representative;
information; 
(b) where applicable, the contact details of the Data Protection Officer;
(c) the purposes for which the personal data are processed and the legal basis for the processing;
d) the legitimate interests of the data controller or a third party, if the processing is based on Article 6
Paragraph 1 (f); 
(e) the recipients or categories of recipients of the personal data; 
 (f) where applicable, the fact that the controller intends to transfer personal data to a third party
country or international organization, and information on the adequacy of the data protection to the Commission
the existence or absence of a decision, or in the case of Articles 46 or 47, or
Referred to in the second subparagraph of Article 49 (1), information on appropriate or
and how to obtain a copy of them or where they are placed.
making available.
In addition to the information referred to in paragraph 1, the controller shall, when personal data
provide the data subject with the following additional information necessary for the proper and
to ensure fast handling: 
(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period; 
(b) the right of the data subject to request from the controller access to personal data concerning him or her;
the right to request the rectification or erasure or processing of such data
restriction or opposition to processing and the right to transfer data from one system to another; 
(c) the right to withdraw consent at any time without prejudice to the grounds for
the lawfulness of the processing carried out before its cancellation, if the processing
based on Article 6 (1) (a) or Article 9 (2) (a); 
(d) the right to lodge a complaint with the supervisory authority; 
(e) whether the provision of personal data is a legal or contractual requirement or
the requirement for the conclusion of the contract and whether the data subject is obliged to supply
personal data and the possible consequences of not providing such data; 
(f) automatic decision-making, including the procedure referred to in Article 22 (1) and (4);
the existence of filing, as well as, at least in these cases, the relevant data for processing
as well as the significance and possible consequences of that processing.
to the data subject.
3.1. Registrar 's information policy regarding security camera surveillance
The information required by Article 13 (2) (de) of the General Data Protection Regulation is missing
from the controller’s privacy statements in its entirety, and the controller has not demonstrated that
dot would be available to registrants elsewhere.
When informing the controller of the processing of voice data, the security camera surveillance
there is a mismatch between the various channels of communication. First, in taxis
the security camera surveillance notification does not specifically describe or mention the
flying.
The notices on the taxis also do not refer to the security camera of the controller.
privacy statement or elsewhere from which passengers would have been informed
processing of audio data. Information on the processing of audio data has been found only for security camera surveillance
on 13 November 2019 and 15 November 2019 on the website of the controller.
following the publication of these bulletins. 
The controller has been deemed to have processed or processed audio data as described above.
Consequently, the controller has not informed the data subjects of its processing of personal data.
Article 12 (1) of the General Data Protection Regulation
and has not informed the data subjects about the processing of audio data
security camera surveillance in such a way that this would have been the case under Article 5 of the General Data Protection Regulation
as required by Article 12 (1) (a) and Article 12 (1) 
understandable and accessible and has not been able to demonstrate compliance with the
accordance with Article 5 (2) of the General Data Protection Regulation.
3.2. The controller’s information policy regarding transactions made in connection with the loyalty program
automatic decision-making, including profiling
Contrary to Article 12 (1) of the General Data Protection Regulation, the controller's privacy statements are missing
information pursuant to Article 22 of the General Data Protection Regulation.
the right not to be subject to automatic individual decisions, including profiling,
in. The controller has not shown that this information can be found elsewhere.
The controller 's privacy statement shall not contain information in accordance with Article 13 (1) (c)
the legal basis on which its automatic loyalty program
decision-making, including profiling. The loyalty program cannot be
the marketing, product and product information referred to in the data protection statement of the
analyzes which it claims to carry out on the basis of a legitimate interest, even if that
processing may involve automatic decision making, including profiling, as it does not
has not yet undertaken that treatment. The controller has not demonstrated
that information on the grounds for processing could be found elsewhere.
The legal basis for automatic decision-making in the context of the loyalty program
when it is unclear, the data subjects' rights are also not communicated in a transparent manner. In particular,
Article 21 (1) of the General Data Protection Regulation
the meaning of the processing in the legitimate interest of the controller remains unclear. 
The registrar’s automatic decision-making process in the context of the loyalty program
including profiling, the data protection statements lack the general data protection regulations
information pursuant to Article 13 (2) (f) thereof,
the existence of the profiling referred to in Article 22 (1) and (4)
relevant information on the processing logic as well as
significance and possible consequences for the data subject. 
The registrar’s loyalty program website describes how to determine VIP membership.
its grounds. The Loyalty Program website lacks unambiguous information about the autoresponder
the existence of a decision and the processing of personal data concerning it. This information is
in particular to enable data subjects to exercise their data protection rights
during processing. 
The privacy statements on the registrar's website are not linked to the loyalty program
website or vice versa in such a way that the data subject receives it in an easy and comprehensible form
an overview of the processing of personal data by the controller in the framework of loyalty
in the context of its program.
The EDPS considers that the information policy of the controller does not
automatic decision-making under the program is the responsibility of the General Data Protection
conditions laid down in Article 12 (1) of the Regulation. The controller has not demonstrated
information elsewhere. Consequently, it has also not been able to demonstrate
compliance with Article 12 of the Data Protection Regulation and Article 5 (2) of the General Data Protection Regulation
in accordance with.
4. Actors involved in the processing of personal data 
According to Article 4 (7) of the General Data Protection Regulation, “controller” means the
a list of any person or entity, authority, agency or other body, alone or jointly
defines with others the purposes and means of the processing of personal data; if such processing
purposes and means are defined in Union or Member State law, the controller
or specific criteria for his appointment may be laid down in Union law or in the Member States.
in accordance with national law. For the purposes of paragraph 8 of the same Article,
natural or legal person, authority, agency or any other body which
processes personal data on behalf of the controller.
According to Article 26 of the General Data Protection Regulation 
1. If at least two controllers jointly determine the purposes and means of processing, they shall:
are joint registrars. They define each other in a transparent manner
each area of responsibility in order to comply with the obligations laid down in this Regulation,
the exercise of registered rights and the provision of information in accordance with Articles 13 and 14
unless and to the extent applicable to data controllers
Union law or the law of a Member State defines the responsibilities of controllers
areas. In connection with the arrangement, a contact point may be designated for data subjects.
2. The arrangement referred to in paragraph 1 shall duly reflect the common registers
the real roles and relationships of keepers vis-à-vis data subjects. Key elements of the arrangement
must be available to the data subject.
3. Notwithstanding the terms of the arrangement referred to in paragraph 1, the data subject may
their rights under this Regulation in relation to each controller and each controller.
will be opposed.
Pursuant to Article 28 (3) of the General Data Protection Regulation, the processing of personal data
processing shall be determined by agreement or other provision of Union law or of the law of a Member State.
a legal instrument in accordance with national law which binds the controller in relation to the
the subject and duration of the processing, the nature and purpose of the processing,
the type of personal data and the categories of data subjects, the obligations and rights of the controller. Here
agreement or other legal instrument shall provide in particular that the personal data
processor 
(g) process personal data only in accordance with the documented instructions issued by the controller
transfer of personal data to a third country or
unless the law of the Union applicable to the controller
or the law of a Member State requires otherwise, in which case the personal data
The controller shall inform the controller of this legal requirement before
unless such information is prohibited by that law in the public interest.
for important reasons; 
(h) ensure that persons entitled to process personal data have undertaken to comply with
to be bound by an obligation of professional secrecy or are subject to appropriate legal
the maintenance obligation; 
(i) take all measures required by Article 32; 
(j) comply with the conditions for the use of another processor referred to in paragraphs 2 and 4;
tyksiä; 
(k) taking into account the nature of the processing operation, assist the controller in
and organizational measures, as far as possible, to
obligation on the operator to respond to requests for registration as provided for in Chapter III.
exercise of the rights of the data subject;
(l) assist the controller in ensuring that the obligations laid down in Articles 32 to 36 are complied with
shall be complied with, taking into account the nature of the processing and the availability of personal data to the controller
available information; 
 (m) remove or restore processing services at the discretion of the controller
upon completion of the provision, all personal data shall be transferred to the controller and deleted
copies, unless required by Union law or the law of a Member State
retain personal information; 
(n) make available to the controller all information necessary for the purposes of this Article.
to demonstrate compliance with those obligations, and shall allow the controller or
audits carried out by another auditor authorized by the controller, such as inspections,
as well as participating in them.
The EDPS considers that the controller has defined his role in the general
in accordance with Article 4 (7) of the Data Protection Regulation. In addition, processors of personal data
at least those operators with whom the controller has drawn up a personal data
sittelysopimuksen.
For software license providers of the registrar's mobile application, the registrar does not
has not identified any operator as a processor of personal data and has not provided a clear
the role of these actors in the processing of the controller’s personal data; or
measures taken with them with regard to the processing of personal data. From public sources
at least AdIT tracking and Facebook licensed by MIT
SDK services basically include the processing of personal data. According to public sources,
whereas the inclusion of these services in the application also requires some form of relationship;
such as the conclusion of a contract or the acceptance of terms of use, the subscriber and its
between. 
In its reply of 6 March 2020, the registrar has submitted the report submitted on 12 December 2019.
by way of derogation, that the taxi driver undertakings covered by the controller do not
would be processors of personal data but that they would act as independent controllers on the one hand and
on the other hand, as joint controllers with the controller referred to in this case. registration
According to the controller, the joint registrar would be concerned, for example, with taxi bookings.
upon receipt and execution of orders. The controller has not
the Office of the European Data Protection Supervisor in accordance with Article 26 of the General Data Protection Regulation.
of these, an arrangement between it and the motorist companies or other clarification of the joint registrar
to demonstrate. According to the registrar's reply of 6.3.2020, it will come in the future
to clarify the arrangements between it and motorists, in particular as regards their handling operations,
where it and the motorists jointly determine the purposes for which the personal data will be processed; and
means. 
In his report, the controller has stated that the personal data processed by him are not
outside the European Economic Area without an appropriate transfer basis. Help-
In this context, the EDPS has not
questions are limited to the field covered by this Decision.
else- where.
For the reasons described above, the EDPS considers that the controller is not in a position to
have shown that it has defined the personal data which it processes as controller
comprehensive processing of personal data involved in the processing.
Similarly, the Deputy Data Protection Officer considers that the controller has not been able to demonstrate that:
it would have defined the common register as required by Article 26 of the General Data Protection Regulation.
the purposes and means of processing with the motorists they consider to be
when they act as the joint registrar, as indicated by the controller. Registrar
nor has it shown that it drafted the same article 
mutual agreement on the joint registrar with the joint registrar.
Consequently, the controller has not been able to demonstrate the points of the Regulation described above
in accordance with Article 5 (2) of the General Data Protection Regulation.
5. Description of processing operations
According to Article 30 of the General Data Protection Regulation, each controller and, where
the registrar's representative shall keep a record of the processing operations for which he is responsible. It-
the statement must include all of the following information:
(a) the identity of the controller and any joint controller, the representative of the controller and the
the name and contact details of the security officer; 
(b) the purposes of the processing; 
(c) a description of the categories of data subjects and the categories of personal data; 
(d) the categories of recipients to whom the personal data have been or will be disclosed;
including recipients in third countries or international organizations.
JAT; 
(e) where applicable, information on the transfer of personal data to a third country or internationally
organization, including information on which third country or international organization is
appropriate safeguards in the case of Article 49
The transfer referred to in the second subparagraph of paragraph 1; 
(f) as far as possible, the planned deadlines for deleting the different categories of data; 
(g) as far as possible, a general description of the technical specifications referred to in Article 32 (1)
and organizational security measures. 
That statement shall be in writing, including in electronic form. The register
the keeper shall make the report available to the supervisory authority upon request. The obligation to maintain
this description of processing operations does not apply to a company or organization with less than 250 employees,
unless its processing is likely to jeopardize the data subject 's rights; and
freedoms, the processing is not incidental or subject to the conditions referred to in Article 9 (1).
specific categories of data or the convictions or infringements referred to in Article 10.
personal data.
According to recital 82 of the General Data Protection Regulation, the controller or the
The controller should keep a register of the processing operations for which he is responsible.
demonstrate that they comply with this Regulation. Registrars and personal information
processors should be required to cooperate with the
processing records on request in order to allow processing operations
monitor on their basis.
As described above, the controller has provided a general privacy statement, recordable
a detailed privacy statement on security camera surveillance as well as a marketing
detailed privacy statement. 
The data protection statements of the controller may be considered to cover the following
information in accordance with Article 30 (1) (bd), (f) and (g) of the Safeguard Regulation. The same
The information in points (a) and (e) of this Regulation is only partially clear. 
Information pursuant to Article 30 (1) (a) of the General Data Protection Regulation shall be
the name and contact details of the controller and the contact details of the data protection officer. Representative of the controller
the name of the controller and the data protection officer are missing. Also, no information can be found in the privacy statements
in the reply provided by the controller on 6 March 2019.
organ- isation.
In accordance with Article 30 (1) (e) of the General Data Protection Regulation, the controller is
included in the privacy statements information on transfers of personal data to third countries and
applicable transfer criteria. The registrar's privacy statements, on the other hand, lack information
the countries to which the personal data are transferred.
The Assistant EDPS considers that the privacy statements provided by the controller are not
meets the requirements of the General Data Protection Regulation as described above.
the controller has thus not demonstrated that it has complied with Article 30 of the General Data Protection Regulation.
obligations under this Article and has not been able to demonstrate compliance with
in accordance with Article 5 (2) of the General Data Protection Regulation.
The EDPS also considers, firstly, that the General Data Protection Regulation does not
require that a report on the processing operations be drawn up in a specific form other than that
in writing, including in electronic form. The report processing operations can therefore
in any document format. The table published by the EDPS Office
The advantages of this format can be seen in the clear structure and concise presentation, but it is
however, only one example of report processing operations to prepare. Secondly, the general
nor does the protection regulation require the document to be designated as a description of processing operations.
Most importantly, however, the content of the document complies with Article 30 of the General Data Protection Regulation.
conditions. However, it may be justified from the point of view of the registrar's document management
designate documents according to which section of the General Data Protection Regulation
the medication document is intended to show. Third, attention must be paid to the general
The record of processing operations in accordance with Article 30 of the Data Protection Regulation is
under Article 5 (2) of the General Data Protection Regulation.
to the Authority on the one hand and the Authority on the other
the primary evaluation document and the tool for obtaining an overall picture of the controller’s
processing of personal data. 
6. Data protection impact assessment
According to Article 35 (1) of the General Data Protection Regulation, if a certain type of processing
new technology is likely to cause - the nature, extent,
the rights and freedoms of the natural person.
high risk, the controller shall carry out an assessment of the planned
the effects of processing operations on the protection of personal data. One estimate can be used in a similar
similar high-risk treatment operations.
A data protection impact assessment is required by Article 35 (3) of the General Data Protection Regulation
in particular, inter alia, where the processing involves the death of natural persons
systematic and comprehensive assessment of individual characteristics based on automatic
processing, such as profiling, and leads to decisions
legal effects or which have a similarly significant effect on a natural person.
manner; and when the processing of personal data is a systematic area open to the public
control. The data protection impact assessment is covered by the General Data Protection Regulation 35
accordance with Article 7 (7)
(a) a systematic description of the treatment operations envisaged and the purposes of the treatment,
including, where appropriate, the legitimate interests of the controller; 
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 
 (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1;
and 
(d) the measures planned to address the risks, including protection and security measures;
mechanisms and mechanisms to ensure the protection of personal data and to demonstrate that
taking into account the rights of data subjects and other interested parties, and
legitimate interests.
Pursuant to Article 99 (2) of the General Data Protection Regulation, the General Data Protection Regulation is to be initiated
to apply on 25 May 2018.
According to recital 84 of the General Data Protection Regulation, compliance with this Regulation
in cases where processing operations are likely to involve natural persons.
the high risk to the rights and freedoms of individuals, the controller should be responsible for
impact assessment, in particular on the origin,
to assess the specific nature and severity of the disease. The outcome of the evaluation should be taken into account
determining the appropriate steps to be taken to demonstrate that the personal
processing of personal data complies with the provisions of this Regulation. If the data protection
assessment shows that there is a high risk of
the operator cannot take appropriate measures to reduce the cost of available technology and
the supervisory authority should be consulted prior to the processing.
In its Guidance on Impact Assessments 9, the Data Protection Working Party has provided examples of
where an impact assessment should be carried out. According to the guidelines, the data protection
assessment must normally be carried out in accordance with Article 35 (3) of the General Data Protection Regulation
in addition to processing operations, if the processing of personal data fulfills two of the following conditions
criteria. The more of these criteria are met, the more likely it is that personal data will be
high risk to the rights and freedoms of data subjects:
• Evaluation and scoring of personal data (including profiling and forecasting)
• Automatic decision-making with legal effects
• Systematic monitoring of data subjects
• Data belonging to specific categories of personal data or otherwise very personal
processing
• Large-scale data processing
• Merging data sets
• Processing of vulnerable personal data
• Application of new technical or organizational solutions or innovative
use
6.1. The general information contained in the location data impact assessment prepared by the controller
compliance with Article 35 (1) and (7) of the Protection Regulation
The registrar processes location information in connection with its MTI taxi brokerage software. It is
the MTI system before the application of the General Data Protection Regulation. Location-
an impact assessment on data processing was prepared on 4 December 2019. The impact assessment is
thus drawn up when the matter under consideration has already been pending and the processing of personal data has taken place
during the period of application of the General Data Protection Regulation for about one and a half years. 
9 Guidance from the Data Protection Working Party on data protection impact assessments and ways to find out
‘high risk’ within the meaning of Regulation (EU) 2016/679 of 4 April 2017,
revised and approved on 4 October 2017, p. 10 ff 
The controller has not identified this in its impact assessment on the processing of location data
in accordance with Article 35 (7) (a) of the General Data Protection Regulation.
the basis on which it processes personal data. A legitimate interest refers to a
one of the specific interests pursued by the controller
by means of data processing. Instead, the controller has recorded in the impact assessment
the purpose of the processing and the need for the processing of personal data. For example,
with regard to the process, it should be noted that customer relationship management, or the
existence of a process, is not a legitimate interest of the controller.
By contrast, the controller is not covered by Article 35 (7) (b) of the General Data Protection Regulation.
assessed the proportionality of its processing operations as required by that processing
purposes. Assessing the proportionality of the processing operations requires the Data Protection Team
According to the Guidelines on Data Protection Impact Assessment 10, on the one hand, the
on the one hand, and the characteristics of the personal data processed on the other, in particular
in accordance with Article 5 (1) (c) and (e) of its Data Protection Regulation. In particular,
the personal data processed are missing from the impact assessment provided by the controller
assessment and justification of the general data protection regulation’s principle of minimization and
in accordance with the principle of subsidiarity. 
According to Article 35 (7) (c) of the General Data Protection Regulation
shall include an assessment of the rights and freedoms of data subjects referred to in paragraph 1.
vista risks. According to the instructions of the Data Protection Group, risk means a scenario in which:
describe the event and its consequences and assess their severity and probability. 11
In a data protection context, risk can thus be described as a real-life event that typically has
negative effects on the exercise of the data subject's rights and freedoms. These events
and their consequences have varying degrees of severity and probability. The registrar does not
has not included in its assessment such scenarios or real-life events that would constitute
risk to the data subject’s rights, even though the controller has
the origin, nature, severity, risk management, threats and
measures taken. Thus, they have not in fact been explicitly defined by the controller.
risks to the controller’s rights and freedoms
in accordance with Article 35 (7) (c) of the General Data Protection Regulation. 
In its assessment, the controller has identified measures that could
measures pursuant to Article 35 (7) (d) of the General Data Protection Regulation.
you to address the risks. However, these recorded measures cannot be taken into account
assessing whether the controller’s impact assessment on the processing of location data
substantive requirements of the General Data Protection Regulation, as there is no controller
the risks associated with the processing of personal data have been properly identified as described above.
In the absence of a definition of risks, there are also no related management and other measures
possible to define in accordance with the General Data Protection Regulation.
For the reasons set out above, the Assistant EDPS considers that it is not provided by the controller
in the Impact Assessment on Data Protection on the Processing of Location Data
shortcomings and has not been drafted in a timely manner in accordance with Article 35 (1) of the General Data Protection Regulation.
in accordance with Similarly, the impact assessment does not comply with Article 35 of the General Data Protection Regulation.
the conditions set out in paragraph 7 of this Article. 
10 Data Protection Panel Impact Assessment Guide, Annex 2, p. 26
11 Data Protection Team Impact Assessment Guide, p. 7
6.2. Preparation of a data protection impact assessment on security camera surveillance in taxis
cars under Article 35 (1) of the General Data Protection Regulation
Elsewhere in his report, the controller has indicated that it deals with security camera surveillance.
at least in the part covered by its transmission
in taxi cars, in addition to image data, audio data for monitoring purposes. That personal information
the purpose has been, as indicated by the controller, mainly to drivers and passengers
safety and working conditions for drivers. For the purpose of that processing,
the registrar has also identified damage situations and safety endangerment situations
settlement. In addition, the controller has defined the purpose of the processing as
control of their activities. 
The processing of personal data in the context of security camera surveillance is objective
as a whole is about control. Collection of security cameras installed in taxi cars
information can be used to verify a variety of security, personal and
property damage and criminal incidents, as well as in taxi cars and their vicinity.
events and practices more generally. Security by the controller
camera surveillance must be considered systematic, as it has been introduced in all Taxi
in taxi cars covered by the ham and carried out in a uniform manner in the continuous recording
with security cameras. 
According to the Data Protection Working Party, sensitive or highly personal information does not 12
limited to specific categories of personal data under Article 9 of the General Data Protection Regulation.
information on convictions or infringements referred to in Article 10. sensitivity of
information of a very personal nature also covers others in a general sense
sensitive personal data as they relate to household and private activities,
or because they affect the exercise of a fundamental right or because their infringement involves
clearly on the daily life of the registered person. 
It must be considered probable that, in the context of security camera surveillance,
very personal information. For example, a telephone conversation during a taxi ride or
traveling in a particular company may transmit information on data subjects which
could cause harm to the data subject in their normal life. In addition
considered likely that the majority of data subjects were not aware that
in the car in which they have traveled may have been collected in connection with security camera surveillance.
audio data and therefore may not have been able to take this into account.
in taxi cars in their behavior.
On the basis of the controller’s report, the
the processing of personal data as a whole must be considered large-scale. This is especially supported by
the amount of personal data processed, the large number of data subjects affected, the
the number of taxis covered and the number of taxi rides provided per year. large-scale
In addition, security cameras must store personal data
not only of the passenger who booked the taxi ride, but also of the passengers traveling with him.
in which case it is likely that security camera surveillance will in fact be subject to multiple
times the number of natural persons compared to the registrars who placed the order.
röityihin. In addition, it should be noted that personal data processed by security camera surveillance
are not limited to video and audio recordings of natural persons who are already
collect a wealth of different types of personal information about natural persons traveling in taxi cars
12 Guidance on the Impact Assessment of the Data Protection Team, p. 11
persons. In addition, according to a report provided by the controller, security camera surveillance
The image and sound recordings collected in this connection are time- and place-dependent, which can be
considered to further increase the amount of personal data processed, but also to emphasize
the possible effects of the processing of personal data on data subjects. The duration and permanence of personal
the report provided by the controller shows that the
is part of its normal activities and the processing of personal data. The registrar is
has taken steps to ensure that security camera audio recording is turned off
off in December 2019. The geographical scope of the registrar's business is
focused on the information available on its website for the Helsinki metropolitan area, but
There are also taxi cars available elsewhere in Finland. The registrar is Finland’s largest taxi
ride brokerage company. 
In addition, the data protection risk assessment of security camera surveillance shall take into account at least:
processing of data on vulnerable data subjects. In a weaker
there is an imbalance between the power relations between the data subjects and the controller;
which may manifest itself, for example, as difficulties for vulnerable data subjects, or
inability to exercise their data protection rights. Taxi ride services are provided
in principle for all categories of persons and security camera surveillance is therefore
children and the elderly, for example. Particularly disadvantaged
the group of registered persons consists of taxi drivers who are employed in the
with the motorist partners of the registrar. 
For the reasons set out above and in the light of the four Data Protection Working Groups, the
that the security camera surveillance carried out by the controller
Article 35 (1) of the General Data Protection Regulation
rights and freedoms of the individual and should have been the subject of an information
data protection impact assessment before initiating the procedure under assessment.
and the controller has not been able to demonstrate compliance with that paragraph of
in accordance with Article 5 (2) of the General Data Protection Regulation.
Similarly, since the obligation to carry out an impact assessment can already be demonstrated by the
As regards Article 35 of the basic Regulation, it is not necessary to examine whether the same processing operation should have been
protection impact assessment on other grounds.
The EDPS draws attention to the fact that automatic decision-making,
including profiling, it is not appropriate to comply with Article 22 of the General Data Protection Regulation.
appropriate before carrying out an impact assessment.
6.3. The data protection impact assessment for the controller loyalty program
automatic decision-making, including profiling
The application of Article 35 (3) (a) of the General Data Protection Regulation requires that:
automatic processing, such as profiling, involves the personal identification of a natural person
systematic and comprehensive assessment of the risks and that such automatic processing
decisions which have legal effects on or affect a natural person
to a natural person in a similar way significantly. Article 35 of the General Data Protection Regulation
The list in paragraph 3 of the Directive is not exhaustive as described above, but the data protection impact.
should also be carried out in other cases where the processing of personal data is likely to
poses a high risk to the data subject's rights and freedoms
taking into account the nature, extent, context and purposes of the processing. 
On the basis of the controller’s report, the personal data processed by it shall be
including profiling, are limited to telephone numbers,
orders placed with the application and whether the registrant has reached VIP level.
A systematic and comprehensive assessment of a person’s personal characteristics
with regard to the requirement for automatic decision-making, it should be noted that
including profiling, the assessment of personal characteristics is limited to practical
how often a particular person uses a taxi.
Although the personal data carried out by the controller in connection with that processing operation
the evaluation of the features takes place with each taxi order and can thus be considered
systematic, not for taxi orders made by telephone or by means of an ordering application, their
and the processing of VIP customer data can be considered as Article 35 of the General Data Protection Regulation.
comprehensive characteristics of a natural person within the meaning of Article 3 (3) (a)
evaluation. Since the first subparagraph of Article 35 (3) (a) of the General Data Protection Regulation
the two cumulative requirements of this Directive are not met, its second registered requirement
black, that is, the automatic decision - making of a decision with legal effect, or
other significant effects should not be assessed in this context.
For the reasons described above, the EDPS considers that the controller should not have come
prepare a data protection impact assessment in accordance with Article 35 (3) of the General Data Protection Regulation
in accordance with point (a). It remains to be seen whether it should have been drafted on data protection
impact assessment pursuant to Article 35 (1) of the General Data Protection Regulation, ie if the
processing of personal data may be considered likely to pose a high risk to natural
freedoms and rights of the individual, taking into account the nature, scope, context and purposes of the processing
taking.
When assessing the obligation of the controller to carry out a data protection impact assessment
pursuant to Article 35 (1) of the Data Protection Regulation, the Assistant Data Protection Supervisor
pay attention to the personal characteristics defined by the Data Protection
evaluation and scoring criteria, automatic decision-making
has legal effects or similar significant effects on the large-scale processing of data
and the processing of registered data on vulnerable data subjects.
criteria.
With regard to assessment and scoring based on personal characteristics,
as described above, personal data processed in the context of automatic decision-making
Dots manifest a person's qualities in terms of something other than the practice of how often he or she
use taxi services. Based on the report provided by the registrar, it does not process
other such information from registrants in the automated version of the loyalty program.
in the context of its decision-making. On the basis of a report provided by the registrar, the VIP
verification of the battery and the provision of its benefits to suitable persons
the scoring of data subjects based on the number of taxi orders it places, no taxi service
the frequency of use of the services is not apparent from the number of employees in the loyalty program.
with regard to data processing, other than the verification of VIP membership. Apulaistieto-
the EDPS considers that the processing of personal data concerning the scoring of persons does not occur
likely high risk to the rights and freedoms of data subjects.
Automatic decision-making, including profiling, based on tasks registered
the legal and other significant effects of decisions on
and the group has considered that such effects include, for example, outside individuals
or discrimination, and the conditions of the criterion are not met if the effects of the treatment are natural 
persons are few or non-existent. 13 The controller has considered in his reply
6.3.2020 that the processing in question has no legal or other significant effects on the
the data subjects. 
The EDPS notes that the decisions taken on the basis of this processing operation
The actual effects of these are in principle limited to the fact that the person ordering the taxi receives
a taxi ride either faster, slower or in an extreme case where he is queued in front of him
becomes only VIP customers, he will only receive a taxi forwarded by the registrar for a long time
after or not at all. Based on the effects described above, the Assistant Data Protection Supervisor
Considers that this processing of personal data has mainly only a minor effect on the
given that the controller has significant market power.
Despite this, other taxi drivers and taxi services are also available
service providers. The effects of such processing of personal data could be greater,
if the services provided by the controller were the only pick-up services used by a particular group
environment.
The assessment of a large-scale processing must take into account, on the one hand, that the
only limited types of personal data are covered. On the other hand, the processing of personal data
the amount can be considered large. According to the controller’s report, the controller’s
The center handles around four million taxi rides a year, with the majority of orders coming from digital
subscription channels and about a third by telephone. In this case,
taxi orders and the associated automatic processing of VIP-customers
more than a million times a year. In addition, taking into account the
processing of personal data can be considered as large-scale in this respect.
In addition, it should be noted that this processing is part of the controller’s normal
processing of personal data and has lasted since September 2018 as indicated by the controller.
Kaen. 14 The geographical implications of the processing of the controller’s personal data are
the metropolitan area, but the services it provides are available to both its registered
may be located elsewhere. Automatic decision-making, including profiling,
processing of personal data in the context of a controller loyalty program is
as a whole.
With regard to the processing of data relating to vulnerable data subjects, it may be
as has been pointed out above with regard to security camera surveillance, that the controller is dealing with
data on data subjects likely to be in that position. Automatic decision making,
including profiling, it should also be noted that persons in this position
may not be able to exercise their right to oppose the automatic decision against them.
-making. 
If the condition specified by the two Data Protection Groups is met, the Assistant Data Protection Commissioner
Considers that automatic decision-making by the controller, including
profiling is likely to pose a high risk to the rights and
pauksille. Accordingly, the EDPS considers that the controller should have drawn up
automatic decision-making in the context of its loyalty program, in accordance with
including profiling, in accordance with Article 35 (1) of the General Data Protection Regulation
impact assessment before proceeding, taking into account the treatment
nature, scope, context and purposes. Consequently, the controller has not been able to
13 Data Protection Team Impact Assessment Guide, p. 10
14 Registrar's press release on 6 September 2018https://www.taksihelsinki.fi/taksi-helsinki-oy/ajankohtaista/lehdis-
release on / taxi-helsinki-launching a customer loyalty program-perched-sitting-vip customer /
to demonstrate compliance with that paragraph of Article 5 of the General Data Protection Regulation
In accordance with paragraph 2.
Summary of the decision of the Assistant Data Protection Supervisor
As described above, the processing of the controller’s personal data has revealed a general data protection
serious shortcomings in compliance with this Regulation. The processing of personal data does not
the processing conditions provided for in Articles 5, 6, 12, 26, 28, 30 and 35 of the Regulation. So extensive
shortcomings in the processing of personal data are also reflected in Article 25 of the General Data Protection Regulation
procedure and shortcomings in the built-in and default data protection
technical and organizational measures required by Article 24. 
Signatures
The Assistant 
_________________________
Anu Talus
Inspector general 
_________________________
Jyri Poutala 
Decision of the Sanctions Chamber on the imposition and amount of the sanction fee
Having regard to the decision of the Assistant Data Protection Supervisor on the infringement of the Regulation
overall, the infringements reflect serious deficiencies in the processing of personal data.
under Article 83 of the General Data Protection Regulation.
effective, proportionate and dissuasive sanction
imposition of a levy.
The Sanctions Chamber of the Office of the Data Protection Officer lays down a general data protection regulation 58
accordance with Article 83 (2) (i) of the General Data Protection Regulation and Article 83 of the
pursuant to section 24 of the Data Protection Act to the registrar 72,000.00 (seventy-two thousand) euros
administrative penalty to be paid to the State. 
In assessing the amount of the administrative penalty fee, account has been taken of the
aggravating and mitigating factors in accordance with Article 83 (2) thereof.
The controller has not responded to the EDPS’s request for a hearing.
that the corona situation would be a factor in reducing the administrative penalty.
However, in assessing the amount of the administrative penalty payment, the
exceptional situation. It is common knowledge that the corona situation is
significantly into taxi operations. As these effects are not yet visible in the Sanctions
be from the available information on the turnover of Taxi Helsinki, is the Sanctions College
generally considered the effects of the corona situation as reducing the amount of the penalty payment
factor. An administrative penalty fee is enforced, such as the execution of a fine
(672/2002).
Grounds for the decision of the Sanctions Chamber
Pursuant to Article 58 (2) (i) of the General Data Protection Regulation, each supervisory authority
the Authority has the remedial power to impose an administrative fine under Article 83 here
in addition to or instead of the measures referred to in paragraph 1, in each individual case
depending on its circumstances.
According to Article 83 (1) of the General Data Protection Regulation, each supervisory authority must:
ensure that the imposition of administrative fines for infringements of this Regulation
in accordance with this Article in each individual case
relationships and cautionary.
Under Article 83 (2) of the General Data Protection Regulation, administrative fines are imposed
in accordance with the circumstances of each individual case in Article 58 (2) (a) to (h) and (j)
in addition to or instead of the measures referred to in When deciding on the imposition of an administrative fine,
the amount of the administrative fine must be taken in each individual case
take due account of the following:
(e) the nature, gravity and duration of the infringement, the nature, extent or purpose of the processing in question;
the number of data subjects affected by the infringement.
and the extent of the damage suffered by them;
(f) willful misconduct or negligence;
(g) the action taken by the controller or the processor on data subjects;
to mitigate the damage caused; 
 (h) the degree of responsibility of the controller or the processor, taking into account their 25
and the technical and organizational measures it has taken pursuant to Article 32; 
(i) any previous similar breaches by the controller or the processor; 
(j) the degree of cooperation with the supervisory authority in order to remedy the infringement and
to mitigate adverse effects; 
(k) the categories of personal data affected by the breach; 
(l) the manner in which the infringement came to the notice of the supervisory authority, in particular
the controller or processor of the breach and to what extent; 
(m) if the controller or processor concerned has previously been designated
measures referred to in Article 58 (2) on the same subject, those measures
compliance; 
(n) approved codes of conduct pursuant to Article 40 or approved codes of conduct pursuant to Article 42;
compliance with ignited certification mechanisms; and
(o) any other aggravating or mitigating factors applicable to the case, such as the
any financial advantage derived directly or indirectly from the Commission or any
losses incurred.
Pursuant to Article 83 (3) of the General Data Protection Regulation, if the controller or the
intentionally or negligently infringes the processing operations in the same or related processing operations.
several provisions of this Regulation, the total amount of the administrative fine shall not exceed
the fine imposed for the most serious infringement. 
Pursuant to Article 83 (5) of the General Data Protection Regulation, infringements of the following
an administrative fine of up to EUR 20 000 000 shall be imposed in accordance with paragraph 2,
or, in the case of an undertaking, 4% of its annual worldwide
whichever is the greater: 
(a) the basic principles of processing referred to in Articles 5, 6, 7 and 9, the conditions for
including operations;
(b) the rights of data subjects in accordance with Articles 12 to 22; 
According to Article 24 of the Data Protection Act, the administrative procedure provided for in Article 83 of the Data Protection Regulation
the fine (administrative penalty fee) shall be imposed by the Data Protection Officer and the
a panel of sanctions formed jointly by the parties. The Data Protection Officer shall act on the
Chairman. 
Consultation of the controller on the imposition of a penalty fee
The controller has been consulted on the imposition of a penalty fee in a supplementary report submitted on 13 February 2020.
request for consultation and consultation. In its reply of 6 March 2020, the controller submitted
I find that the conditions for imposing a penalty payment are in no way met. Re-
The Registrar considers that, in addition to rectifying the shortcomings identified in this case,
swing note. In this respect, the controller refers to the Office of the Data Protection
previous decisions which, in addition to rectifying deficiencies, have been sanctioned
mautus.
• In the case of security cameras, the controller considers that the imposition of a penalty fee
Article 83 (2) of the General Data Protection Regulation.
basis
pay attention
specially
the following
following:
In the light of the explanation provided, the potential infringement has been minor and
short-lived and no damage has been shown; 
• The possible violation has not been intentional and at most slightly negligent; 
________________________________________
Page 31
31 (35)
Office of the Data Protection Officer
PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi
• The controller has taken immediate action to remedy a possible breach.
and mitigate adverse effects; 
• The data controller has himself informed the data subject of the possible infringement and its
jaustoimista; 
• The controller has cooperated with TSV and taken steps to remedy the breach
as well as to alleviate possible side effects, an immediate first TSV has been performed
Taxi after a request for clarification to Helsinki; and
• Taxi Helsinki has not committed any previous violations. 
For matters other than security cameras, the controller shall consider that the penalty fee
Article 83 (2) of the General Data Protection Regulation
the following points in particular:
• In view of the explanation provided in the case, the possible infringement has been minor and not
no damage has been shown; 
• The possible violation has not been intentional and at most slightly negligent; 
• Taxi Helsinki has immediately taken steps to rectify the possible violation
and mitigate adverse effects; 
• Taxi Helsinki has co-operated with TSV to rectify the infringement and
to mitigate possible adverse effects; and
• Taxi Helsinki has not committed any previous violations. 
Assessment of the imposition of a penalty payment
In accordance with Article 83 (1) of the General Data Protection Regulation, the imposition of a fine
taking into account the specificities of the case at hand. registration
In the course of the consultation, the EDPS has referred to previous decisions of the EDPS Office.
in cases where no penalty payment has been imposed but the penalty has been imposed
processing of personal data of the country in accordance with the General Data Protection Regulation and the note issued.
Such decisions shall not have wider legal effects and
consideration of the framework is made on a case-by-case basis. The amount of the penalty payment
In this individual case, the decision to
infringements of the General Data Protection Regulation decided by the EDPS and the
on the basis of the information provided for in
The administrative penalty payment must be effective, proportionate and dissuasive in the individual case
deterrent. As regards efficiency, it should be noted that in the present case
a mere provision under Article 58 (2) (d) of the General Data Protection Regulation
sufficient consequence of the controller’s processing of personal data in breach of the General Data Protection Regulation.
taking into account the Proceedings against the controller’s general data protection regulation are
serious shortcomings in the General Data Protection Regulation and the data subject
rights and freedoms. Apulaistietosuojavaltuu-
According to the above summary, these shortcomings reflect the requirements of the General Data Protection Regulation.
more comprehensive anti-trust procedure. An administrative penalty fee may be
considers it an effective way to address the failure of the controller to intervene in the
obligations under this Decision under the General Data Protection Regulation.
neglect of victories. 
The amount of the administrative penalty payment shall be proportionate to the
the business of the registrar and its financial situation. The administrative penalty fee
account shall be taken of the annual worldwide accounts of the controller for the preceding financial year.
konaisliikevaihto. In its reply of 6 March 2020, the registrar has stated the previous financial year
________________________________________
Page 32
32 (35)
Office of the Data Protection Officer
PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi
total turnover of EUR 10.1 million. Financial statements for the previous financial year, ie 2019
had not yet been completed on the basis of the controller's reply. Notified by the controller
the revenue data for the financial year 2019 must be considered credible as provided by the registrar
According to the 2018 financial statements, net sales in 2018 were EUR 8.792 million and in 2017
EUR 7.325 million.
The administrative penalty payment must be dissuasive in nature. Monetary
The imposition of a fee shall have such an economic effect on the controller that:
it is not indifferent to its business. The sanction should motivate the
to avoid future breaches of the General Data Protection Regulation. 
Assessment of the maximum amount of the penalty payment
The Assistant Data Protection Supervisor has considered in his decision that the controller had acted
Articles 5, 6, 12, 26, 28, 30 and 30 of the General Data Protection Regulation.
Articles 35 and 25 of the General Data Protection Regulation
procedure contrary to this Article. 
Of these, breaches of Articles 5, 6 and 12 are the most serious breaches of the general data protection
higher penalty category in accordance with Article 83 (5) of the Regulation. 
Consequently, the maximum amount of the administrative penalty applicable is determined by the general rules
in accordance with Article 83 (5) of the Data Protection Regulation and shall not exceed the
pursuant to Article 83 (3) of the Regulation.
Assessment of aggravating and mitigating circumstances
The nature, gravity and duration of the infringement, the nature, extent or purpose of the processing in question
the number of data subjects affected by the infringement and to them
the amount of damage caused
Mitigating circumstances in accordance with Article 83 (2) (a) of the General Data Protection Regulation
on the one hand, the fact that the controller has dealt with security camera surveillance can be considered as branches
audio data for a limited time. In addition, the controller has undertaken security camera
following a request for clarification addressed to it.
On the other hand, the controller should have assessed and placed in the context of security camera surveillance
processing of persons in accordance with the general data protection regulation by the time
when the General Data Protection Regulation came into force, and to take into account and ensure its requirements
before the introduction of new devices with sound recording.
It should also be borne in mind that the processing of personal data is a key condition for
the business of the controller and has acted in breach of the general data protection regulation
systematically in the normal course of business. The controller shall process the
and the processing of personal data involves a significant number of data subjects and
kilötietotyyppejä. 
Damage to data subjects is limited to the availability of personal data concerning them
processed unlawfully, which is likely to create a sense of insecurity and privacy.
feeling of loss of protection. Likewise, the general privacy regulation of the controller
As a result of the antitrust proceedings, data subjects have been in a worse position to control them
the lawfulness of the processing of personal data concerning In addition, account must be taken of
the fact that the controller can be considered as processing in the normal way 
________________________________________
Page 33
33 (35)
Office of the Data Protection Officer
PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi
information on vulnerable data subjects. For registered
no financial damage has been identified during the investigation. 
Intentional or negligent infringement
Proceedings contrary to the controller's regulation must be considered negligent. productivity
the imposition of an administrative penalty must be regarded as
as a supporting factor. Aggravating in terms of imposing an administrative penalty payment
it may be considered that, pending the outcome of the case, the controller 's conduct is
revealed a number of fundamental shortcomings in the processing of personal data.
Actions taken by the controller or processor of data subjects
to mitigate the damage
As mitigating circumstances for the imposition of a penalty payment, account shall be taken of
the registrar has voluntarily discontinued and sought to ensure that the security camera surveillance
no longer process audio files and has, on the basis of its report, committed itself to
to share shortcomings in the processing of personal data. On the other hand, it should be noted that
the controller has taken action and is committed to rectifying the deficiencies only to the controller
following a request for clarification. 
For other irregularities, the fact that the
by or after the date of application of this Regulation.
that the processing of personal data would comply with the general data protection regulation.
The degree of responsibility of the controller or processor, taking into account their 25 and 32
technical and organizational measures taken pursuant to this Article 
The mitigating liability of the controller may be considered to be the measures it indicates
before and during the investigation. On the other hand, the
breaches of the protection regulation show serious disregard for the processing of personal data
the effects on data subjects, in which case the security of processing
subsequent measures have not been based on a proper assessment.
Any previous similar breaches by the controller or processor 
There are no previous similar infringements against the controller.
Degree of cooperation with the Authority to remedy the breach and its possible
to mitigate side effects
A mitigating circumstance is that the controller may be considered to have acted in a
in cooperation with the Authority and on the basis of its report
remedial action.
Groups of personal data affected by the breach
An aggravating circumstance is the fact that the controller deals with large-scale
personal data relating to data subjects. In particular, location and imagery of data subjects
and there is a higher than usual risk involved in processing audio data. 
________________________________________
Page 34
34 (35)
Office of the Data Protection Officer
PO Box 800, FI-00531 Helsinki - tel. +358 29 566 6700 (exchange) - tietosuoja@om.fi - www.tietosuoja.fi
The manner in which the breach came to the attention of the supervisory authority, in particular whether the controller reported
or the controller of the personal data breach and to what extent 
The Office of the Data Protection Officer was initially informed of the case concerning the controller.
dose made by the anonymous registrant concerned. The case concerning the controller
and was opened as an own-initiative inquiry.
Any other aggravating or mitigating factors applicable to the case, such as the
any economic advantage derived directly or indirectly from the infringement or any
losses
A mitigating circumstance may be considered to be the fact that the controller has
demonstrated its commitment to improving its data protection in the future.
In the light of the above, the Sanctions Chamber of the Office of the Data Protection Officer
proceedings against the controller in the context of the general data protection regulation
in accordance with Article 58 (2) (d) of the General Data Protection Regulation
in accordance with Article 58 (2) (i) of the General Data Protection Regulation
administrative penalty fee.
The College of Sanctions considers that the infringements of the General Data Protection
effective, proportionate and dissuasive penalty
EUR 72,000.00 (seventy-two thousand).
Applicable law
The explanatory memorandum shows.
Appeal
According to section 25 of the Data Protection Act (1050/2018), the Deputy Data Protection Commissioner and the Sanctions Chamber
decisions may be appealed to an administrative court in accordance with the law of the
administrative proceedings (808/2019). The appeal is made to the administrative court.
The notice of appeal is attached.
Service
The decision will be notified by post in accordance with section 60 of the Administrative Procedure Act (434/2003)
against.
More information 
For more information on this decision, please contact Anu Talus, Deputy Data Protection Commissioner, anu.talus@om.fi.