Finnish DPA imposes administrative fine for several deficiencies in personal data processing

4 June 2020

Finland

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine on Taksi Helsinki Oy for violations of data protection legislation on 26 May. The company had not assessed the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis. Deficiencies were also noted in the information provided to customers and the documentation of personal data processing.

The Office of the Data Protection Ombudsman started an investigation on Taksi Helsinki’s personal data processing in November 2019. Serious deficiencies were found in the company’s processing of personal data.

The impact of the processing had not been assessed in accordance with data protection legislation.

Taksi Helsinki replaced its camera surveillance system with one that records both video and audio in the summer of 2019. However, the company did not assess the compliance of the related personal data processing with the GDPR.

The Deputy Data Protection Ombudsman ordered the company to conduct a balance test to evaluate, for example the necessity of personal data processing and its impact on the interests and rights of the data subjects.

Taksi Helsinki also failed to conduct the impact assessments required by the GDPR before the start of processing. Data protection impact assessments would have been required for security camera surveillance, location data processing and automated decision-making and profiling connected to the company’s loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to carry out the required impact assessments.

No basis given for processing audio data

Taksi Helsinki reported that it processed the personal data of drivers, staff and the customers of its drivers with a camera surveillance system that records both video and audio. However, the company did not provide an explanation for why it only processed audio data from some of its taxis. The company later stated that the audio data had been processed by mistake.

The Deputy Data Protection Ombudsman found that the processing of audio data was not in line with the GDPR’s principle of data minimisation. She ordered Taksi Helsinki to ensure that the processing of audio data without appropriate grounds is stopped immediately.

Problems with basic data protection issues

The Deputy Data Protection Ombudsman’s investigation also revealed that Taksi Helsinki did not inform data subjects of the processing of their personal data in the manner required by data protection legislation. The notifications in the taxis did not say anything about audio recording or indicate from where customers could obtain information on it.

Neither did the company’s privacy statement contain information on the automated decision-making and profiling performed in its loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to change its policies for informing customers to provide clear information on its processing of personal data. The information must also be easily accessible.

Deficiencies related to documentation and the definition of personal data processing roles were also discovered in the investigation. The Deputy Data Protection Ombudsman ordered Taksi Helsinki to rectify its procedures.

Administrative fine imposed

Several serious shortcomings in the identification of risks, compliance with data protection principles and implementation of the rights of data subjects were identified in Taksi Helsinki’s processing of personal data.

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki. This amount was proportionate, effective and cautionary in the assessment of the board.

The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.

To read the full decisions in Finnish, click here.

For further information, please contact the Finnish DPA: tietosuoja(at)om.fi

The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and his two Deputy Data Protection Ombudsmen and has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Finnish DPA imposes administrative fine for several deficiencies in personal data processing

Icelandic SA: the municipality of Reykjavík fined ISK 2,000,000 for the use of Google Workspace for Education

Icelandic SA: the municipality of Hafnarfjörður fined EUR 18.580 for the use of Google Workspace for Education

Icelandic SA: the municipality of Reykjanesbær fined EUR 16.590 for the use of Google Workspace for Education

Icelandic SA: the municipality of Garðabær fined EUR 16 590 for the use of Google Workspace for Education

Icelandic SA: the municipality of Kópavogur fined EUR 19.907 for the use of Google Workspace for Education