Annual report 2020

The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data

The Office of the Data Protection Ombudsman is an autonomous and independent authority that supervises compliance with data protection legislation and other laws governing the processing of personal data.

The Office of the Data Protection Ombudsman promotes awareness of the rights and obligations related to the processing of personal data, imposes administrative sanctions for violations of the General Data Protection Regulation of the EU if necessary, carries out investigations and inspections and issues statements on legislative and administrative reforms. The Data Protection Ombudsman cooperates with the supervisory authorities of other countries and represents Finland on the European Data Protection Board.

Reijo Aarnio was the Data Protection Ombudsman until the end of October 2020. Anu Talus was appointed as the Data Protection Ombudsman as of the beginning of November when Aarnio retired after a long service in the office. Before her appointment as Data Protection Ombudsman, Talus acted as the Deputy Data Protection Ombudsman. Jari Råman is the second Deputy Data Protection Ombudsman. The Data Protection Ombudsman and Deputy Ombudsmen are appointed by the government for terms of five years.

Read the annual report here: Annual Report of the Data Protection Ombudsman 2020 (pdf)

Data Protection Ombudsman Anu Talus: 2020, a year of reforms

Dat a Protection Day was celebrated for the first time in January 2020, in an event co-hosted by Alma Talent. The event proved to be a success, and the goal is to establish the Data Protection Day as an annual event.

The Data Protection Day later proved to be one of the last opportunities to meet international colleagues. The year was marked by the COVID-19 pandemic both in Finland and internationally. The Office of the Data Protection Ombudsman provided guidance on several questions related to COVID-19 on its homepage. The office relocated to new facilities during the spring of the first year of the pandemic in 2020, which came with its challenges.

Although the pandemic has tested the society in many ways, it has been delightful to perceive how data protection questions were kept a priority in Finland’s measures against COVID-19. It has been said that the Finnish COVID-19 debate has been dominated by judicialisation, but from the data protection perspective, this is only positive. The Koronavilkku application, intended to monitor exposure to the virus, was also developed in the framework of data protection policy.

The number of matters instituted with the Office of the Data Protection Ombudsman continued to increase. With the entry into force of the EU General Data Protection Regulation in 2018, the number of matters instituted multiplied, and the processing became congested. In early 2020, the Office started a systematic clearance of this backlog. This project has progressed as scheduled, but at the same time, the number of instituted matters continued to increase. In 2020, a total of 937 more matters were instituted than in the previous year. Notifications of data breaches accounted for more than one third of all instituted cases in 2020. An initiative to increase and boost the efficiency of the processing of data breach notifications was also launched in 2020.

The European Commission submitted an evaluation and review of the General Data Protection Regulation in May 2020, two years after its entry into force. The Commission report was drafted during Finland’s Presidency of the Council of the European Union. The report states that most of the goals of the legal reform have been achieved, and that new legislation has improved citizens’ rights. However, the report suggests that the need to make the harmonisation of the application of legislation more efficient continues to exist.

Last year was also a time for major decisions. The Sanctions Board of the Office of the Data Protection Ombudsman imposed its first administrative fines for breaches of dataprotection legislation. A total of five rulings on administrative fines were issued. Four of these were appealed in the Administrative Court. The largest fine imposed by the Sanctions Board was 100,000 euros.

The Court of Justice of the European Union issued some significant rulings on personal data protection during the year. In July, the Court of Justice of the European Union gave a decision in the case known as Schrems II (C-311/18). The judgment invalidated the Privacy Shield system and remodified the framework of data transfer into third countries. The European Data Protection Board gave its first conclusive dispute resolution decision in a case against Twitter. The Irish data protection authority announced its decision based on the dispute resolution decision in December and imposed a fine of 450,000 euros on the company.

The surge of activity in the field of data protection continued in the autumn. The Office of the Data Protection Ombudsman and TIEKE, the Finnish Information Society Development Centre, received Commission funding for the development of a tool for SMEs to reach a data protection standard set by the GDPR. The project was launched in the latter part of the year and will last approximately two years.

The retirement of Reijo Aarnio, who served in the post of Data Protection Ombudsman for a long time, was celebrated in the autumn.

At the time of Reijo Aarnio’s retirement, the most extensive breach of data protection of all time was revealed in Finland. The Psychotherapy Centre Vastaamo filed a notification of a data breach with the Office of the Data Protection Ombudsman on 21 October 2020. In this context, other questions relevant to the protection of personal data, such as the preconditions of processing the personal identity code, were highlighted in discussion.

When looking at the most important events of last year, I cannot help but conclude that the year was full of major changes, great achievements in development, data protection actions, and even surprises. This will also be true for the year to follow.

Deputy Data Protection Ombudsman Jari Råman: Audits in the time of COVID-19 and questions of facial recognition technology in the field of internal security

In 2020, data pr ocessing by the authorities competent by virtue of the Act on the Processing of Personal Data in Criminal Matters was, for the first time, supervised in accordance with a new audit plan. The supervision measures were particularly characterized by the extended use of facial recognition technology. In addition to the Finnish Defence Forces and the police, which are the government controllers with the largest number of personnel, this area of responsibility of internal security also includes the Finnish Customs, the Finnish Border Guard, rescue services, activities of the Emergency Response Centres, immigration administration as well as courts of law, the National Prosecution Authority as well as the Criminal Sanctions Agency.

Audits are one means of completing the Office of the Data Protection Ombudsman’s supervisory tasks. With the implementation of the first audit plan of the new form, it was detected that the audits clearly provide added value, even though the measures take up a lot of resources from other tasks of the Office of the Data Protection Ombudsman and effort by the subject of the audit is also required. Great observations were made during the audits on how to develop the guidelines and training on the processing of personal data as a part of the accountability principle and in order to promote internal supervision of legality.

The audits did not indicate any need for the use of specific powers. The observations made in the audit reports have been taken seriously and the completion of corrective actions indicates that the competent authorities have understood the impact of developing data protection activities in contributing to both the legality of their actions and their effectiveness. The audits were particularly effective in developing the processing of personal data in connection to threat scenarios produced by the authorities.

Questions relating to the use of facial recognition technology remained a topical theme in the activities of security authorities. The police has extended its use of facial recognition technology to image materials captured in crime prevention, and during a prior consultation, the Office of the Data Protection Ombudsman helped to steer the activities of the police to ensure the methods used are legal. Valid legislation does not offer the opportunity of real-time online facial recognition in a flow of images.

The use of Clearview AI facial recognition technology was an additional cause of concern in Europe and quite legitimately so. In Finland, the issues related to said technology in the work of security authorities did not emerge until 2021, despite several supervisory measures, and the processing of this topic is ongoing while I am writing this. A relevant decision in Sweden is important in many respects. The controller remains responsible even if technology is used without consent – being aware of appropriate practices is the responsibility of the controller. A particularly conscientious approach is required to ensure and demonstrate the legality of measures when biometric data is involved.

In the development of legislation in the sector, automated decision-making continued to create controversy. The Act on processing personal data in immigration administration was adopted without provisions on automated decision-making primarily due to the lack of general administrative legislation in the field. The principles of personal data processing and the legislation concerning automated single decisions in particular can be similarly applied to the technology of automated decision-making in administration. The Ministry of Justice has drafted a memorandum and founded a committee to investigate legislative drafting of general legislation on automated decision-making in administrative matters. Hopefully, this work will proceed swiftly, and the development of automated decision-making in administration will proceed in a controlled manner.

Despite the challenges presented due to the COVID-19 pandemic, most of the scheduled audits were completed, even though some special arrangements were needed. The experiences gained from virtual audits were mostly positive and it is likely that they will continued after the special circumstances due to the pandemic have passed.

With positive experiences obtained, the Office of the Data Protection Ombudsman will continue to carry out audits of the internal security authorities in line with the new model.

Focus areas of data protection activities

The Office of the Data Protection Ombudsman imposed administrative fines for the first time

In May 2020, the Sanctions Board of the Office of the Data Protection Ombudsman imposed first administrative fines for breaches of data protection legislation. The task of the Sanctions Board is to impose administrative fines in line with the GDPR to the controller or processor of personal data. The Sanctions Board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. The Data Protection Ombudsman is the Chair of the Board.

Imposing administrative fines is one of the corrective powers of the Office of the Data Protection Ombudsman. Administrative fines can be imposed in addition to or in place of other corrective actions. A corrective action used must be efficient and proportionate. The maximum amount of the administrative fine is 4 per cent of the turnover of the company or 20 million euros. Administrative fines cannot be imposed on public organisations, such as the government or state-owned companies, municipalities and parishes.

In 2020, the Sanctions Board imposed administrative fines on a total of five companies for breaches of data protection laws

  • An administrative fine of 100,000 euros was imposed on the Posti Group due to shortcomings in informing persons who had submitted notices of change of address. The company should have informed their customers in an explicit manner that when submitting a notice of change of address, they are entitled to not to consent to the processing of their personal data and disclosing it for direct marketing purposes. The breach concerned 161,000 people in 2019 alone.
  • An administrative fine of 16,000 euros was imposed on Kymen Vesi Ltd for the failure to complete an impact assessment on the processing of their employees’ location data. The impact assessment should have been completed prior to the company’s processing of location data which was collected by geographic location of the vehicles using vehicle on-board systems.
  • An administrative fine of 12,500 euros was imposed on a company that collected employees’ data in an excessive manner. The company had requested for employment information that was not required for the employment contract, including information on their health and family relationships.
  • An administrative fine of 72,000 euros was imposed on Taksi Helsinki for several shortcomings in its processing of personal data. The company had not, inter alia, assessed the legality of personal data processing regarding its camera surveillance system or informed customers of voice recording in a manner set forth by the GDPR.
  • An administrative fee of 7,000 euros was imposed on ACC Consulting Varsinais-Suomi for sending electronic direct marketing messages without prior consent and for non-compliance of the rights of a data subject. The company had not responded to or implemented the requests concerning the rights of data subjects, and it was not able to prove that it had processed personal data legally.

Appointment of the Expert Board

For the first time, the Finnish Government appointed an Expert Board by virtue of the Data Protection Act. The Expert Board, operating in connection with the Office of the Data Protection Ombudsman, is tasked with issuing statements on significant questions related to the application of legislation pertaining to processing of personal data at the request of the Data Protection Ombudsman. The term of the Expert Board began on 1 October 2020 and will end on 30 September 2023.

The Board consists of a Chair, a Vice Chair and three Members, all of whom have a personal deputy member. The members of the Board are experts independent of the Office of the Data Protection Ombudsman. The Board may also consult other experts if necessary.

The Expert Board will convene as and if needed when summoned by the Chair. The Board has no formal decision-making authority.

Expert Board

  • Chair: Riikka Koulu, Assistant Professor
  • Deputy member of the Chair: Tobias Bräutigam, Adjunct Professor, Attorney
  • Vice Chair: Tanja Jaatinen, Senior Ministerial Adviser
  • Deputy member of the Vice Chair: Sami Kivivasara, Senior Ministerial Adviser, Head of Unit
  • Member: Riikka Rosendahl, Team Manager
  • Personal deputy member: Antti Poikola, Master of Science in Technology
  • Member: Kimmo Rousku, General Secretary, Senior Specialist
  • Personal deputy member: Leila Hanhela-Lappeteläinen, Data Protection Manager, Data Protection Officer
  • Member: Tommi Toivola, Manager
  • Personal deputy member: Eija Warma-Lehtinen, Lawyer, Partner

Measures to clear the backlog

In January 2020, the Office of the Data Protection Ombudsman launched a project to clear the backlog of unresolved cases instituted in 2014–2018. In early 2020, the number of these old, unresolved matters from 2014–2018 totalled 2,327.

In the end of 2020, the number of unresolved matters stood at a little over 400. Of these, 188 were cases that are processed in an international procedure and their processing depends on the actions of a supervisory authority of another country.

In addition to clearing the old cases, there were resolutions given for matters instituted in 2019 and 2020. In the end of 2020, the number of unresolved matters instituted from 2016 to 2019 totalled 1,550. The number of unresolved matters had been decreased by almost 800 from January 2020. The project of clearing the backlog continues at the Office of the Data Protection Ombudsman in 2021.

Processing cross-border matters

Cross-border processing means either

  • processing of personal data which takes place in establishments in more than one EU Member State where the controller or processor is established in more than one Member State; or
  • processing of personal data which takes place in a single establishment of a controller or processor in the EU but which substantially affects data subjects in more than one Member State.

When the processing of personal data crosses borders, the European data protection authorities monitor the processing of personal data in cooperation. For cases that are processed in a cooperation procedure, a lead supervisory authority is appointed. Their task is to cooperate with the supervisory authorities that are cooperating in the processing. The goal of the consistency and cooperative mechanism is to ensure that the application of GDPR is harmonised across the EU member states.

The number started to increase for cross-border matters that were processed in a consistency and cooperative mechanism of supervisory authorities in 2020. In June, the European Data Protection Board (EDPB) published a register of decisions by supervisory authorities in a cross-border processing of matters.

In November 2020, the EDPB adopted its first final dispute resolution decision in a matter that was processed in a cross-border cooperation. The dispute resolution decision concerned a matter in which the Irish supervisory authority was acting as the lead supervisory authority and had issued a draft decision in a matter concerning Twitter International Company. The matter in question included a breach of data protection that affected approximately 88,700 data subjects. Several concerned supervisory authorities gave their objections on the proposal for a decision by the Irish supervisory authority, after which the Irish supervisory authority transferred the matter to the dispute resolution mechanism of the EDPB. The Irish supervisory authority gave its final decision based on the decision of the Board.

The Office of the Data Protection Ombudsman, in cooperation with the Estonian supervisory authority, processed a matter in which a company organising dog trips in Estonia had updated a list on its homepage of people who owed money to the company. The company did not react when the Estonian supervisory authority first contacted it, but did remove the list after they were contacted again. The Estonian supervisory authority issued a notification to the company for a breach of data protection legislation.

Auditing activities

The Office of the Data Protection Ombudsman increased the effectiveness of systematic auditing activities of authorities of internal security during 2020. The Deputy Data Protection Ombudsman conducted a total of 11 audits of authorities of internal security during the year. Subjects of these audits included National Police Board, Finnish Security and Intelligence Service, Criminal Sanctions Agency and The Finnish Border Guard, Legal Register Centre and the Finnish Defence Forces.

The subjects of audits and the audited measures were prioritized on a basis of risk analysis and impacts. The objects reviewed have included instructions and training of personal data processing as a part of accountability and the practical realisation of internal legality control.

Various actions of personal data processing by authorities have also been audited, for example, the application of the Security Clearance Act and measures connected to risk assessments produced by authorities. Controllers have received many types of guidance as a result of the audits.

The number of personal data breaches continued to increase

Notifications of personal data breaches formed the largest individual group of matters instituted by the Office of the Data Protection Ombudsman. In 2020, a total of 4,276 notifications of personal data breaches were filed, with an increase of 437 from the previous year. If a personal data breach can cause risk to the rights and freedoms of natural persons, the Office of the Data Protection Ombudsman must be notified. The notification obligation started in May 2018.

The great majority of data breaches is due to working on several tasks at the same time and in a hurry. When personal data is processed, it is not a good idea to take up several things at the same time, because it increases the number of mistakes due to negligence. Data breaches can also be prevented by securing databases following the generally accepted practices, testing systems and by ensuring proper instructions.

The single most significant data protection incident in 2020 was the security breach of Psychotherapy Centre Vastaamo, which became public in October. In this case, the personal and patient information of tens of thousands of people was stolen and leaked to the web. The Office of the Data Protection Ombudsman ordered that the company must inform all the clients affected by the breach personally.

The Office of the Data Protection Ombudsman also initiated an investigation on the legality of the actions of Vastaamo. In the investigation, items reviewed will include the security of personal data processing activities by Vastaamo, informing of the data breach and the obligations of controller’s accountability and whether following measures have been appropriate. The Office of the Data Protection Ombudsman coordinates the investigative measures in cooperation with the National Bureau of Investigation and other authorities. The intention is to complete the review even though the company was declared bankrupt in 2021.

Staff and finances

– new organizational structure established, changes in the assembly of ombudsmen

During 2020, the number of personnel in the Office of the Data Protection Ombudsman increased to 48 people. The recruitment process of a second Deputy Data Protection Ombudsman began in the autumn of 2020, after Deputy Data Protection Ombudsman Anu Talus was appointed the new Data Protection Ombudsman. Heljä-Tuulia Pihamaa, Master of Laws, was appointed to the post of Deputy Data Protection Ombudsman and started in the post in March 2021.

Three customer service teams are established in the Office; as a rule, one of them focuses on private sector and cross-border matters, the second on public sector and nationally processed matters and the third on matters related to the Data Protection Law Enforcement Directive and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security. Administration, advisory and registry services are centralised in the Administrative Unit of the office. The Joint Functions team includes the IT senior specialists, communications and the Data Protection Officer. The separate process groups also coordinate practices and projects on certain themes, such as data protection breaches, rights of data subjects and impact assessment.

In April 2020, the Office of the Data Protection Ombudsman relocated to new facilities in Lintulahti in Helsinki. Due to the orders and recommendations of virtual work as a consequence of the COVID-19 pandemic, the office introduced new kinds of digital working methods. In the new circumstances, the well-being of employees and occupational safety gained particular importance.

The project of clearing the backlog, which started at the beginning of the year, was apparent in the composition of the staff as new staff members were recruited. Four senior inspectors and two legal experts were working in the project to clear the congested situation.