GDPR Enforcement - Key Takeaways From the Recent Decisions of the Finnish Authority
17 January 2020
Authors: Erkko Korhonen, Emma Swahne, Liisa Vaaraniemi
Approximately one and a half years after the General Data Protection Regulation (2016/679, the “GDPR”) became applicable in the EU, Finland has finally gained national GDPR case law as the Finnish Data Protection Authority published its first GDPR enforcement actions. To date, in Finland there are a total of five (5) published GDPR enforcement decisions. Although none of the cases led to administrative fines, the cases provide some valuable information on the authority’s enforcement practices. We have further analysed the three most interesting cases and their key takeaways.
Misleading Information to Data Subjects About a Data Breach
In the case (60/171/2020, 3.1.2020, in Finnish) concerning a Finnish bank, the Deputy Data Protection Ombudsman issued a reprimand to the bank for failing to provide the data subjects with information on a data breach transparently as required under GDPR Article 5 and Article 12.
The bank had suffered a data breach affecting approximately 17,000 individuals. Consequently, the Data Protection Authority ordered the bank to notify the affected data subjects. The bank sent a letter to 9,000-10,000 data subjects, but was unable to reach approximately 7,000 of the affected data subjects personally because it lacked sufficient contact information. To reach the remaining data subjects, the bank also published a public notice about the breach on its website and on Facebook. However, the notice on the website and Facebook stated that “all the parties involved have been provided with further information personally”. As 7,000 affected data subjects had not been contacted personally (by letter), the public notice may have led them to assume that they were not affected by the breach precisely because they had received no personal notification. Hence, the information had not been provided in a transparent manner.
Key takeaways:
- Clear and transparent communication to data subjects is “a must” – whether the communication concerns data breaches or processing activities in general.
- Ensure adequate processes for handling a data breach and pay attention to the communication – a notice alone does not suffice if its content is incomplete, incorrect or not transparent.
Insufficient Practices Regarding Consent and Right to Object
In the matter concerning a company operating movie theatres (6465/182/2018, 28.11.2019 (in Finnish, a summary in English)), the data controller provided a loyalty scheme which customers had to join in order to reserve movie tickets and purchase electronic serial tickets. In addition, consumers could not join the customer loyalty scheme without ticking a box indicating consent to direct marketing.
The GDPR (Recital 32) provides that “consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them”. The Article 29 Working Party (the predecessor of the European Data Protection Board) has further stated in its Consent Guidelines that “[I]f the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom”. Furthermore, consent is presumed not to have been freely given where it is “bundled” with acceptance of terms and conditions, or where the provision of a contract or service is “tied” to a request for consent to process personal data that are not necessary for the performance of that contract or service (GDPR Recital 43).
According to the decision by the Deputy Data Protection Ombudsman, such a practice does not comply with the GDPR’s requirements for freely given consent as a legal basis for processing personal data, and the consents obtained in this way are therefore invalid.
The Deputy Data Protection Ombudsman acknowledged that direct marketing may be the core purpose of a loyalty scheme. However, that was not the case in this matter, since joining the loyalty scheme was the only way to, for instance, reserve tickets.
In the same decision, the Deputy Data Protection Ombudsman also assessed the right to object. When obtaining consent for direct marketing, the data controller had stated that the data subject could later object to the direct marketing through his/her profile. However, the Deputy Data Protection Ombudsman concluded that data subjects must be given the opportunity to object to processing for marketing purposes already at the time their personal data are collected (i.e. when registering for the loyalty scheme).
The decision does not clarify how a consent for electronic direct marketing should be construed in relation to the legal basis under the GDPR. The GDPR provides that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (GDPR Article 6.1(f)). However, the ePrivacy Directive (2002/58/EC) and the national legislation implementing it require prior consent for electronic direct marketing (subject to certain exemptions). In our view, the fact that electronic direct marketing requires prior consent under the ePrivacy rules does not automatically mean that consent must also be the GDPR legal basis for the related processing.
As an enforcement measure, the Deputy Data Protection Ombudsman ordered the data controller to rectify the non-compliant practices described above and also issued a reprimand. The Deputy Data Protection Ombudsman explicitly stated that the choice of sanction was affected by the fact that the legal situation had been unclear since the GDPR became applicable.
Key takeaways:
- Consent for e-marketing must meet the strict requirements under the GDPR.
- Separate consent for each purpose – processing for several purposes cannot be bundled under a single consent, but instead a separate consent should be sought for each purpose.
- Consent cannot be a condition for the provision of a service: If the data subject cannot use the service without giving their consent for direct marketing, the consent is not freely given.
- Data subjects must be able to object to the processing at any time, and the opportunity to object must be offered already at the time the personal data are collected.
Excessive Authentication Practices
In the case (7713/163/2018, 22.11.2019 (in Finnish, a summary in English)), the data controller (a company operating movie theatres) had, as a rule, required its customers to send a photograph of their passport or of both sides of their identity card, together with a photograph of the person’s face next to the identity document, to confirm their identity when submitting a request to exercise a data subject right. This required data subjects to provide more data than the data controller originally held about them. In light of the GDPR (Recital 57), the Deputy Data Protection Ombudsman considered the data controller’s practice to exceed the limits set by the principle of data minimisation and by GDPR Article 12.2 and Article 12.6 on the conditions for requesting additional information.
According to the decision by the Deputy Data Protection Ombudsman, GDPR Article 12.6 does not allow the data controller to request and process any additional information that is not necessary to identify the individual making the request. The means used to identify the data subject in order to facilitate the exercise of data subject rights must be aligned with the processing principles of GDPR Article 5, in particular storage limitation, data minimisation and integrity and confidentiality. Hence, additional information should not be requested as a rule, but only where there is reasonable doubt about the identity of the requester and the information is genuinely needed for identification.
In the same decision, the data controller was also reprimanded for not having told its customers that their telephone calls were being recorded.
Key takeaways:
- Responding to data subjects’ requests is at the core of the GDPR – controllers should have processes in place for handling requests, including for confirming the identity of the data subject making the request.
- GDPR Article 12.6 can only be applied on a case-by-case basis – collection of additional information for identification purposes cannot be a regular practice.
- GDPR principles (including data minimisation and storage limitation) should also be applied to data collected for the purpose of confirming the identity of the data subject.
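The decision and the takeaways above describe a control, but not how to build it. The following is an added example (not the company’s process and not anything the DPA prescribed) of a request-verification flow that follows the ordering the decision implies: rely first on data the controller already holds (an authenticated session, or proof of control over the contact channel on file), treat a request for additional identification as an exception that is triggered only by a concrete reasonable-doubt signal and recorded with its reason, and apply storage limitation to the verification artefacts themselves. The customer records, the token and record lifetimes, and the doubt signal (a request naming an account whose on-file e-mail differs from the requester’s) are constructed assumptions; a real deployment would use its own identity store and doubt signals.

```python
"""Verifying who is making a data-subject request without collecting new identity data.

Added example (not the company's or the DPA's process). Customer records, TTLs
and the "reasonable doubt" signal below are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

TOKEN_TTL_SECONDS = 15 * 60           # assumption: challenge token is valid for 15 minutes
RECORD_TTL_SECONDS = 30 * 24 * 3600   # assumption: outcome record is kept 30 days, then purged

# Constructed on-file records: the only data the controller already holds.
CUSTOMERS = {
    "c-1001": {"email": "anna@example.com"},
    "c-1002": {"email": "matti@example.com"},
}


def _email_digest(email: str) -> bytes:
    """Normalise then hash, so matching is constant-time and raw values need not be logged."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).digest()


def _token_digest(token: str) -> bytes:
    """Hash the token exactly as presented (no case folding, so no entropy is lost)."""
    return hashlib.sha256(token.encode("utf-8")).digest()


def lookup_by_email(email: str) -> Optional[str]:
    """Return the customer id whose on-file e-mail matches, else None."""
    for cid, rec in CUSTOMERS.items():
        if hmac.compare_digest(_email_digest(rec["email"]), _email_digest(email)):
            return cid
    return None


@dataclass
class Challenge:
    deliver_to: str             # channel the requester claims; the token goes there, not to storage
    customer_id: Optional[str]  # None when the address is not on file
    token_digest: bytes
    expires_at: float


@dataclass
class VerificationRecord:
    customer_id: Optional[str]
    outcome: str         # verified | verified_no_data | expired | failed | reasonable_doubt
    reason: str
    delete_after: float  # storage limitation: purge_expired() drops the record after this
    # Deliberately no field for ID-document images: none are collected in this flow.


def assess_request(claimed_email: str,
                   claimed_customer_id: Optional[str] = None,
                   authenticated_session_for: Optional[str] = None,
                   now: Optional[float] = None):
    """Decide how to verify a requester. Extra information is only sought on reasonable doubt."""
    now = time.time() if now is None else now
    record_ttl = now + RECORD_TTL_SECONDS

    # 1. Request made from the customer's own authenticated session: nothing more is needed.
    if authenticated_session_for is not None:
        return "verified", VerificationRecord(authenticated_session_for, "verified",
                                              "authenticated session", record_ttl)

    matched = lookup_by_email(claimed_email)

    # 2. Reasonable doubt (the Article 12.6 gate): the request names an account whose on-file
    #    contact channel is not the one the requester is using. Only here may a human reviewer
    #    ask for additional identification, and the reason is recorded for accountability.
    if claimed_customer_id in CUSTOMERS and claimed_customer_id != matched:
        return "reasonable_doubt", VerificationRecord(
            claimed_customer_id, "reasonable_doubt",
            "on-file e-mail of the requested account does not match the requester's e-mail",
            record_ttl)

    # 3. Default path: prove control of the contact channel the controller already holds.
    #    The challenge is sent to the claimed address whether or not it is on file, so the
    #    flow does not reveal which addresses the controller holds.
    token = secrets.token_urlsafe(32)
    challenge = Challenge(claimed_email, matched, _token_digest(token), now + TOKEN_TTL_SECONDS)
    return "challenge_sent", (challenge, token)   # token is delivered out of band, never stored


def complete_challenge(challenge: Challenge, presented_token: str,
                       now: Optional[float] = None) -> VerificationRecord:
    """Resolve a challenge into a minimal outcome record."""
    now = time.time() if now is None else now
    record_ttl = now + RECORD_TTL_SECONDS
    if now > challenge.expires_at:
        return VerificationRecord(challenge.customer_id, "expired", "token past TTL", record_ttl)
    if not hmac.compare_digest(challenge.token_digest, _token_digest(presented_token)):
        return VerificationRecord(challenge.customer_id, "failed", "token mismatch", record_ttl)
    if challenge.customer_id is None:
        return VerificationRecord(None, "verified_no_data",
                                  "channel confirmed; no personal data held", record_ttl)
    return VerificationRecord(challenge.customer_id, "verified",
                              "control of on-file contact channel confirmed", record_ttl)


def purge_expired(records: List[VerificationRecord],
                  now: Optional[float] = None) -> List[VerificationRecord]:
    """Storage limitation: keep only records whose retention period has not ended."""
    now = time.time() if now is None else now
    return [r for r in records if r.delete_after > now]
```

Two design points are worth noting. The challenge is issued even when the address is not on file, so the verification step cannot be used to enumerate which e-mail addresses the controller holds; the confirmed-but-unknown case simply resolves to “no personal data held”. And the only data retained after verification is the outcome, its reason and a deletion deadline, which is what lets the controller show that identification data were neither collected beyond need nor kept beyond need.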