Administrative Court: Office of the Data Protection Ombudsman's hearing procedure and administrative fine imposed for GDPR violation were appropriate
The Administrative Court of Eastern Finland has rejected a controller’s demand for overturning decisions made by the Data Protection Ombudsman and the sanctions board. The Administrative Court found that the administrative fine was imposed appropriately and was effective, proportionate and cautionary in amount. This is the first Administrative Court decision issued on administrative fines imposed by the Office of the Data Protection Ombudsman.
The Office of the Data Protection Ombudsman's sanctions board imposed a 16,000 euro administrative fine for the processing of personal data in violation of the General Data Protection Regulation in May 2020. The violations consisted of neglecting to carry out an impact assessment in connection with processing the location data of employees.
The controller appealed the decision to the Administrative Court, which issued a decision on the matter in May 2021, rejecting the appellant's claims. In its decision, the Administrative Court notes that the Office of the Data Protection Ombudsman’s process for imposing the fine was compliant with the Administrative Procedure Act’s provisions for hearing the interested parties.
The Administrative Court also considered the administrative fine to have been effective, proportionate and cautionary in amount. The decision notes that the fine of at most 1,500 euro proposed by the appellant in its appeal would be too minor to have such effects.
The purpose of a data protection impact assessment is to help identify and manage risks related to the processing of personal data. According to Article 35 of the GDPR, a data protection impact assessment must be carried out before the start of processing if the planned processing is likely to result in a high risk to the rights and freedoms of natural persons. The nature, scope, context and purposes of the processing must be taken into account in the assessment.
Our website has information on situations that require an impact assessment based on the processing of location data:
List of processing operations which require a data protection impact assessment (DPIA)
The decision is not yet final.
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766