Finland's first GDPR sanctions have been imposed – what did we learn?
On 25 May 2020, the General Data Protection Regulation (the "GDPR") had been applied for two years. A few days prior to the GDPR's anniversary, the first administrative fines for data protection violations were imposed in Finland. In Finland, an administrative fine under the GDPR may be imposed by the Sanctions Board, formed jointly by the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen.
On 18 May 2020, the Sanctions Board imposed administrative fines in three cases, two of which were also governed by national data protection legislation in addition to the GDPR. The fines ranged from EUR 12,500 to EUR 100,000. The reasoning of the Sanctions Board shows that significantly higher fines were also discussed. In addition to the administrative fines, reprimands were issued in all decisions. One of the decisions ordered the company to bring its processing operations into compliance with the provisions of the GDPR and the complementary national legislation. The decisions are not yet final and can be appealed to the administrative court.
Facts of the cases
In the first case, an administrative fine of EUR 100,000 was imposed on Posti Ltd., the Finnish postal services company, for a lack of transparency in the processing of personal data and inadequate information practices. The issue at hand was that after data subjects made change-of-address notifications to Posti Ltd., they received direct marketing and other communications from a number of different companies. According to the Sanctions Board, Posti Ltd. had not sufficiently disclosed, for example, the data subject's right to object to the processing of his or her personal data.
In the second case, an administrative fine of EUR 16,000 was imposed on Kymen Vesi Oy. The company had used location data from the vehicle information system to monitor the employees' working hours, among other things. The fine was imposed for failing to carry out a data protection impact assessment and failing to comply with privacy by design and privacy by default requirements. In addition to these, the company had inadequately carried out its responsibilities as a controller.
In the third case, an unspecified controller was fined EUR 12,500. The controller had used a recruitment form that collected applicants' information on, among other things, place of birth, church, family relationships, housing, spouse's name, spouse's occupation and job, children's years of birth, state of health and whether the applicant was pregnant. Many of these data belong to the so-called special categories of personal data. The controller was ordered to bring its processing operations into compliance with the provisions of the GDPR and the national complementary legislation. In addition, the controller was issued a reprimand due to shortcomings in the record of processing activities, accountability, compliance with the privacy by design and privacy by default requirements, and carrying out its responsibilities as a controller.
Observations based on the decisions
Many interesting observations, which also clarify the present legal state, can be made from the decisions of the Sanctions Board. Firstly, it seems clear that imposing administrative fines cannot come as a surprise to controllers. Based on the decisions, the controllers were asked to give a prior statement on their view of the fines, for example, whether some mitigating circumstances should be taken into account when imposing the administrative fine.
Another interesting observation is that none of the sanctions imposed directly concern a failure to honour the data subject's rights (pursuant to Chapter III of the GDPR), even though, for example, the communications regarding Posti Ltd. specifically concerned the data subject's right to object to the processing of his or her data. It appears from the decisions that the complainants were not, in principle, considered to be parties under the Administrative Procedure Act (434/2003), so that, for example, a complainant would not have a right of appeal against the sanctions imposed.
The third relevant finding is that two of the three decisions concerned the personal data of employees and job applicants. Indeed, the decisions of the Data Protection Ombudsman also guide companies to be careful with their internal groups of data subjects: the GDPR does not only protect the data of a company's customers, but of all data subjects, such as the company's own employees and job applicants.
Fourthly, it should be noted that the Deputy Data Protection Ombudsman emphasized in her decision that the mere fact that a previous decision from the Data Protection Ombudsman's Office did not take a stand on a particular issue does not mean that the activity is acceptable. At least the decision concerning Posti Ltd. states that the matter was brought to the attention of the Office of the Data Protection Ombudsman as early as 2017, i.e., before the GDPR became applicable. The Office of the Data Protection Ombudsman has consistently held in its decisions following the GDPR that if a case was brought before the Office before the GDPR became applicable and the same situation continues to be non-compliant with the GDPR after 25 May 2018, the provisions of the GDPR will apply.
The fifth, and perhaps most reassuring, finding for a controller is that, according to the decisions, the controller's active response to the authority's requests for clarification and immediate action at the clarification stage have been considered mitigating factors in determining the amount of administrative fines. In addition, the small number of data subjects affected by the processing in question has been considered a reducing factor when determining the amount of the administrative fine. However, the decisions do not provide any more precise indication of the method of calculating the amount of fines than the thresholds set by the provisions of the GDPR concerning remedial powers.
Conclusions and final remarks
The Office of the Data Protection Ombudsman reacts to companies' operations especially on the basis of complaints. Therefore, a controller can seek to manage its risk, for example, by regularly checking whether there are any complaints regarding its operations pending before the authority. However, the authority is not bound by the complaint or its content. For this reason, controllers and processors must regularly review the implementation of data protection in their operations as a whole. For example, the importance of carrying out a data protection impact assessment and its careful implementation and documentation have been clearly emphasized following these decisions.
Recently, the Office of the Data Protection Ombudsman has been actively handing down decisions, especially in the private sector, and communicating them widely. The content of the decisions needs to be closely monitored, as the practice of public authorities plays an important role in clarifying the sometimes very general requirements of the GDPR. As in European case law, the emphasis in Finland has also been placed especially on the implementation of the principles and on adequately informing data subjects. Controllers and processors of personal data should regularly evaluate their own processing and, for example, update their information practices on a regular basis where appropriate.