In Finland, the Office of the Data Protection Ombudsman (“Data Protection Authority”) imposed fines of 128.500 EURO on three companies for providing insufficient information, failing to conduct a data protection impact assessment and the unnecessary collection of personal data.

In the first case, the Company, Posti Oy which is the leading postal service operator, had not informed the data subjects of their rights including the right to object the disclosure of data. Upon the complaint by the individuals who had received direct marketing from various companies after making change-of-address notifications to Posti Oy, the Data Protection Ombudsman launched the investigation and, as a consequence, imposed fine of 100.000 EURO on Posti Oy.

In the second case, Kymen Vesi Oy which had processed the location data of its employees by tracking vehicles with a vehicle information system was fined of 16.000 EURO on the ground that they had not made the impact assessment required by the GDPR before starting to process the location data. It is stated by the Data Protection Authority that a data protection impact assessment is required if the processing is likely to result in a high risk to the rights and freedoms of data subjects.

In the third case, the Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects even though under the Finnish Act on the Protection of Privacy, the employer is only permitted to process data that is necessary in light of the employment relationship. In this sense, the company was fined of 12.500 EURO.

You can read the decisions here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law