Administrative fine imposed on Posti for data protection shortcomings in the OmaPosti service
The Sanctions Board of the Office of the Data Protection Ombudsman has imposed a fine of EUR 2.4 million on Posti for its practices in the OmaPosti service that violate data protection rules. Posti had automatically created an electronic OmaPosti mailbox for customers without a separate request. The Data Protection Ombudsman states that electronic services are an important part of the digital society and must be implemented according to the rules.
The Office of the Data Protection Ombudsman investigated the processing of personal data related to the creation of the electronic OmaPosti mailbox. The Data Protection Ombudsman received complaints about the forwarding of letters to Posti's online service without the customer's consent.
The electronic mailbox has been linked to a wider set of services, including mail redirection and a pickup point service. The investigation showed that customers could not choose whether to use the electronic mailbox, because the different services were linked together in a single contract. A customer could not give up the electronic mailbox without the other services also ending.
“It may have come as a surprise to the customer that an electronic mailbox was created for them, even though they requested another service. A person may have received mail in the electronic mailbox without knowing it, and this can lead to problems with, for example, invoices,” says Data Protection Ombudsman Anu Talus.
Personal data may only be processed on the basis of a contract if it is necessary for the performance of the main purpose of the contract. The Data Protection Ombudsman considers that the service requested by the customer could have been provided without the automatic creation of an electronic mailbox. The receipt of a particular service cannot require that personal data be used for other purposes. An administrative fine was imposed on Posti for this incorrect practice. The size of the fine is affected by the company’s turnover.
Customers should have been more clearly informed about the service
The Data Protection Ombudsman also found that Posti did not inform its customers clearly about the activation of the electronic mailbox. The customer was not told that it would be activated as soon as the service was launched and that letters and invoices, for example, could start arriving immediately.
“It is essential that digital identity and mailboxes are developed as an integral part of the digitalising society. A digital society only works if it is based on trust. Because of this, the way in which technical solutions are implemented is of great importance. People need to know what services are being created for them,” says Talus.
In addition, customers had been incorrectly informed that, after the introduction of the OmaPosti service, they could continue to receive letters only by paper mail, if they wished. In reality, it was not possible to choose such an option. Posti says that it has corrected this misleading information.
Posti was reprimanded for the shortcomings and ordered to correct its unlawful practices.
Posti instructed to take data protection into account in the development of its services from the outset
There were also technical settings in the OmaPosti service that did not meet data protection requirements. These included an automatically activated selector function and a pre-ticked checkbox.
Posti has announced that it will correct the settings so that receiving mail only electronically is no longer selected by default. According to Posti, customers will be able to choose whether they want to receive electronic copies of their paper letters in the electronic mailbox.
The Data Protection Ombudsman instructed Posti to take into account that electronic services must be built from the outset so that only necessary personal data is processed.
Decisions of the Data Protection Ombudsman and the Sanctions Board in Finlex (in Finnish)
Further information:
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.