#Privacy: Finland DPA imposes GDPR fine against taxi company

The Office of the Data Protection Ombudsman has imposed an administrative fine against taxi company Taksi Helsinki for data protection violations. 

In November 2019, the Office of Data Protection Ombudsman launched an investigation into Taksi Helsinki’s personal data processing, and discovered serious deficiencies. 

Last summer, the company had replaced its camera surveillance system with one that recorded both audio and video, but failed to assess the legality of the related personal data processing as required by the EU General Data Protection Regulation (GDPR). Additionally, the taxi company also failed to conduct the impact assessments required by GDPR before the start of processing.

Subsequently, the Deputy Data Protection Ombudsman ordered Taksi Helsinki to conduct a balance test to evaluate the necessity of personal data processing and its impact, in addition to carrying out the required impact assessments. 

The investigation also revealed that upon replacing its camera surveillance systems, the company did not assess the compliance of the related personal data processing with the GDPR. The Deputy Data Protection Ombudsman found that the processing of audio data was not in accordance with the GDPR’s principle of data minimisation. The company was ordered to immediately stop the processing of audio data.

Importantly, the investigation discovered that Takski Helsinki did not inform data subjects of the processing of their personal data as required by the legislation. The notifications in the taxis did not mention anything about audio recording or inform customers where they could obtain information on it. 

Additionally, the company’s privacy statement did not contain information on the automated decision-making and profiling performed in its royalty scheme.

Following the investigation, the Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki.

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.