#Privacy: Finnish DPA imposes GDPR fines on three companies

Finland’s Office of the Data Protection Ombudsman has disclosed that it has imposed administrative fines on three companies for data protection violations. 

The first company, Posti Oy, the leading postal service operator in Finland was fined EUR 100,000 following an investigation into customers receiving communications and direct marketing from multiple companies despite making change-of-address notifications to the service. 

The investigation, conducted by the DPA, revealed that Posti had not informed its customers about their right to object to the disclosure and processing of personal data. The violations impacted 161,000 customers in 2019 alone. 

Utility company Kymen Vesi Oy was hit with a EUR 16,000 fine for the unlawful processing of its employees location data. The company had not made the data protection impact assessment, as required by the EU General Data Protection Regulation (GDPR), before processing the location data. 

“The assessment is necessary for example if the location data of vulnerable individuals is processed or the location data is used for systematic monitoring,” the DPA explained.

The DPA also fined an unnamed company EUR 12,500 after it had been notified that the company had been collecting “unnecessary” personal data from both job applicants and employees. The company had asked for information relating to religious beliefs, family status, state of health, and possible pregnancies. 

According to the Finnish Act on the Protection of Privacy in Working Life, the employer “is only permitted to process data that is necessary in light of the employment relationship.”

The company was ordered to delete the unnecessary data. 

It should be noted that all three decisions are not final as they can be appealed. 

“This was the first time that the sanctions board imposed administrative fines for violations of data protection regulations. The board has the right to impose administrative fines for data protection violations,” the DPA said. 

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.