Finnish SA: Administrative fine imposed on Posti for unlawful processing of personal data


Background information

  • Date of final decision: 13 November 2024
  • National case
  • Legal Reference(s): Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default)
  • Decision: Administrative fine, Compliance order, Reprimand
  • Key words: Administrative fine, Lawfulness of processing, Right to be informed

Summary of the Decision
 

Origin of the case  

The Finnish Supervisory Authority (SA) investigated Posti's processing of personal data in connection with the creation of an electronic mailbox. The Finnish SA had received complaints about the forwarding of letters to Posti's online service without the customer's consent.


Key Findings 

The controller had automatically created an electronic mailbox for customers without a separate request. The electronic mailbox had been linked to a wider set of services. The investigation showed that the customer could not choose whether to use the electronic mailbox or not, as the different services were linked together in a single contract. The electronic mailbox could not be dispensed with without the other services also ceasing. The Finnish SA considers that the service requested by the customer could have been provided without the automatic creation of an electronic mailbox. The controller also did not clearly inform its customers about the activation of the electronic mailbox. There were also technical settings in the service that did not meet data protection requirements. These included an automatically activated selector function and a pre-ticked checkbox.

 

Decision 

The Finnish SA imposed an administrative fine of 2,4 million euros on the controller for unlawful processing (Art. 5 and 6.1 GDPR). The controller was reprimanded for the shortcomings in informing the customers and was ordered to correct its unlawful practices (Art. 13 GDPR). In addition, the DPA instructed the controller to take into account that electronic services must be built from the outset so that only necessary personal data is processed (Art. 25 GDPR). 

For further information: 
