Annual report 2021
The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data
The Office of the Data Protection Ombudsman is an autonomous and independent authority that supervises compliance with data protection legislation and other laws governing the processing of personal data.
In 2021, the Data Protection Ombudsman was Anu Talus. Jari Råman and Heljä-Tuulia Pihamaa served as Deputy Data Protection Ombudsmen. Master of Laws Pihamaa was appointed Deputy Data Protection Ombudsman in January 2021 and started work in March.
Read the annual report here:
Annual report of the Office of the Data Protection Ombudsman 2021 (pdf)
Data Protection Ombudsman Anu Talus: Review of 2021
In January, the Government appointed the second Deputy Data Protection Ombudsman, Heljä-Tuulia Pihamaa, to her position, and Pihamaa started work in March 2021.
The numbers of cases instituted had been growing for several years running, but this growth stopped in 2021. Just under 11,000 cases were instituted in 2021, as was the case in 2020. The Office continued the systematic backlog-clearing project initiated in 2020, which has successfully addressed the backlog in case processing.
The Office of the Data Protection Ombudsman issued a number of decisions and statements and was heard by various parliamentary committees. Questions involving the rights of the data subject, especially the right of access, were a recurring theme in complaints. Several decisions also gave precedents on data minimisation and privacy by design. The rights of the data subject are implemented best when data protection is included in the design of new technologies, platforms and applications from the ground up. We will continue to draw attention to this obligation laid down in the GDPR going forward as well. The connections between data protection and data security, the secure processing of data, and neglect were also emphasised in the Ombudsman's decision-making practice.
The strategy update of the Office of the Data Protection Ombudsman started with a survey for stakeholders and citizens, which was completed in May. Its results showed that the Office's expertise and reliability are appreciated, but its operations could be more customer-oriented.
To support controllers, we published a guideline for impact assessments in December. Implementation of the Commission-funded GDPR2DSM project, launched in the autumn of 2020 and aimed at SMEs and implemented in cooperation with TIEKE Finnish Information Society Development Centre, also continued in 2021. To provide base data for the project, we charted the data protection challenges and needs of SMEs in the spring. Tool development workshops began in the summer, and the project's webinar series were kicked off in the autumn.
The routines of Sanctions Board proceedings became further established in 2021. In proceedings involving the hearing of the controller, the controller is reserved an opportunity to be heard before the matter is discussed by the Sanctions Board. During the hearing, the facts of the matter and the referendary's preliminary assessment are presented to the controller. In 2021, the Administrative Court issued its first judgments stating that this procedure is in compliance with the Administrative Procedure Act.
The Sanctions Board imposed administrative fines on a total of seven controllers during the year. Administrative fines were imposed on a controller that had made robot calls without the appropriate consent as well as on a private parking control company that had processed personal data illegally, among others. The matter involving Psykoterapiakeskus Vastaamo was brought to a conclusion at the Office of the Data Protection Ombudsman in a Sanctions Board hearing that imposed an administrative fine on Vastaamo. Administrative fines were also imposed on a university of applied sciences for the unnecessary processing of employee location data and on the Finnish Motor Insurers' Centre for the unnecessarily extensive collection of patient records.
Other significant decisions made in 2021 included a reprimand issued to the police for the use of Clearview AI facial recognition technology, as well as a decision finding that the tax lists published by the media constitute the processing of personal data for journalistic purposes. A reprimand was issued to a company that relayed its customers' personal data to the personal phones of employees via WhatsApp.
The European Data Protection Board (EDPB) also continued working on a remote basis. Significant decisions made by the EDPB in 2021 included a binding decision issued in a dispute resolution procedure in a matter concerning WhatsApp and the first decision issued through the urgency procedure. For its part, the Office of the Data Protection Ombudsman issued its first decision as the lead supervisory authority in a cross-border procedure.
International transfers of data remained a significant topic in international data protection forums in 2021 as well. The European Commission issued two separate decisions on the adequacy of data protection in Britain. One of the decisions was the first of its kind to be issued under the Data Protection Law Enforcement Directive. Transfers of data to third countries will remain a relevant topic in future as well as frameworks and guidelines are being updated.
Anu Talus
Data Protection Ombudsman
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa: Guidance during the pandemic and data protection issues in an increasingly digital society
Like the year before, 2021 was still defined by the coronavirus pandemic. We issued expert statements on legislative bills and responded to inquiries and complaints involving the coronavirus.
A number of expert statements on legislation projects related to the health and social services reform were issued. As in previous years, social welfare and health care matters were quantitatively the largest category of matters instituted with the Office of the Data Protection Ombudsman. Nearly 30 per cent of all matters instituted in 2021 involved social welfare and health care, and personal data breach notifications constituted a significant portion of these matters. The conditions for notifying the authorities are often met in sectors processing special categories of personal data, which partly explains the large number of notifications from the social welfare and health care sector in comparison to other sectors.
A data protection survey conducted in cooperation with the Social Insurance Institution of Finland (Kela) and the National Institute for Health and Welfare showed that there is a need for concrete instructions on personal data breach notification procedures in the social welfare and health care sector. To respond to this need, we issued guidelines on the personal data breach notification duty, especially tailored for social welfare and health care operators, in late 2021. We hope that the guidelines will also be of help in other sectors. It is evident that guidance in the area of personal data breach notifications will be required going forward as well, so the guidelines will be updated in 2022.
Like society in general, the education sector is increasingly digitalised, and the phenomenon applies to all education providers and educational institutions.
It can be said that the education sector took a 'digital leap' during the coronavirus pandemic, and teaching quickly moved to digital environments. These developments were also reflected in the education sector issues instituted with the Office of the Data Protection Ombudsman, many of which concerned data protection questions related to applications used in teaching. Those adopting digital services for educational use need to be able to take other regulations concerning teaching into account in addition to personal data processing legislation. For this reason, we proposed that the National Board of Education draw up guidelines for the adoption of teaching applications in the education sector. It is our hope and objective that this work, which requires cooperation, will progress in 2022 and questions involving the processing of students' personal data will be properly addressed in the use of teaching applications.
We sought to ensure compliance with data protection legislation in Finnish working life through cooperation with stakeholders, such as the occupational safety and health authorities, as well as by issuing statements on legislative projects and central government guidelines. During the coronavirus pandemic, the question "Are employers allowed to process data on their employees' coronavirus vaccinations?" was momentarily one of the questions most frequently asked from the Office. We sought to meet the need for information during the pandemic by publishing general guidelines on the Office website.
The Office also participated in the tripartite preparations for the required amendments to the Act on the Protection of Privacy in Working Life, which are aimed at mitigating the challenges that have arisen in the application of the law, among other things. The work will continue in 2022.
Heljä-Tuulia Pihamaa
Deputy Data Protection Ombudsman
Focus areas of data protection activities
Sanctions for violations of data protection legislation
The Sanctions Board of the Office of the Data Protection Ombudsman is tasked with imposing administrative fines under the GDPR on controllers or processors. The Sanctions Board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. The Board is chaired by the Data Protection Ombudsman. The Board started operations in the autumn of 2019 and imposed its first administrative fines in May 2020.
Administrative fines are one of the corrective powers available to the Office of the Data Protection Ombudsman. An administrative fine can be imposed in addition to or instead of other corrective measures and is limited to a maximum of 4% of the company's turnover or EUR 20 million. Administrative fines cannot be imposed on public organisations, such as the central government and state-owned companies, municipalities or parishes.
An administrative fine must be dissuasive, effective and proportionate. The Sanctions Board made one decision in 2021 in which an administrative fine was waived. This decision concerned a subcontractor that implemented direct marketing calls on behalf of a controller in the role of personal data processor. Imposing a fine would have been effective and dissuasive, but not proportionate in view of the seriousness of the violation. In its assessment, the Board took into account matters such as the company's turnover and pending bankruptcy filing.
In 2021, the Sanctions Board imposed administrative fines on seven organisations for violations of data protection legislation.
- ParkkiPate Oy was ordered to pay an administrative fine of EUR 75,000 for data protection violations. These violations involved, among other things, failure to fulfil the rights of the data subject and shortcomings in the limitation of data storage periods. The company also regularly processed personal data more extensively than necessary for identification purposes.
- A magazine publisher was ordered to pay an administrative fine of EUR 8,500 for direct marketing without consent. The robot calls had not been designed to ensure that data subjects were able to exercise their data protection rights. Neither had the controller or the subcontractor performing the direct marketing calls on its behalf drawn up a processing agreement for the implementation of the direct marketing.
- An administrative fine of EUR 25,000 was imposed on a higher education institution for data protection violations connected to the processing of location data. The employer processed its employees' location data unnecessarily and without legal grounds, using a mobile application intended for recording working hours.
- In December 2021, the Sanctions Board imposed an administrative fine of EUR 608,000 for data protection violations on Psykoterapiakeskus Vastaamo Oy. Vastaamo had neglected basic procedures of secure processing and duties related to the reporting of personal data breaches. Vastaamo should have notified both the Data Protection Ombudsman and its customers of the personal data breach without delay since it caused a high risk to those affected by the data breach. Shortcomings were also found in the documentation required to demonstrate accountability.
- The Sanctions Board imposed an administrative fine of EUR 5,000 on a medical clinic for neglecting the rights of the data subject. The clinic had not fulfilled a customer's right to access their patient records appropriately and its practices for implementing the rights of the data subject were insufficient. Neither had the clinic clearly indicated for which data it was serving as a controller.
- A travel agency was ordered to pay an administrative fine of EUR 6,500 for shortcomings in the security of processing and the implementation of the rights of the data subject. The travel agency had used an unencrypted network connection for visa applications and stored forms containing personal data on an openly accessible server.
- The Finnish Motor Insurers' Centre was ordered to pay an administrative fine of EUR 52,000 for the unnecessarily extensive collection of patient records. The Office of the Data Protection Ombudsman investigated the Finnish Motor Insurers' Centre's practices for requesting patient records from health care units for the processing of claims. The controller had systematically requested the full patient records of claimants instead of restricting its requests to the necessary data.
Backlog clearing and new processes
The number of cases processed by the Office of the Data Protection Ombudsman has grown each year since the entry into force of the GDPR. In 2021, the number of cases instituted with the Office stabilised at the level of 2020, with 10,816 cases. The Office resolved 11,380 cases in 2021, 519 more than were instituted. The Office has been systematically clearing its backlog of cases since 2020, and this project also progressed in 2021.
The Office developed internal procedures for improving the efficiency of case processing. A new procedure for the prioritisation and screening of instituted cases (PRISE) was adopted in the summer with the objective of harmonising case-processing practices and ensuring the equal treatment of customers. The new procedure facilitates employee time management and the systematic allocation of resources.
Reports of personal data breaches make up 40 per cent of all cases instituted with the Office of the Data Protection Ombudsman. In the autumn, the Office adopted a new screening process for personal data breach notifications, with the objective of improving the efficiency of processing and facilitating follow-up action. This internal screening procedure complements the EDPB's guidelines on the processing of personal data breach notifications.
Processing cross-border matters
Cross-border processing refers to the processing of personal data that takes place in establishments located in more than one Member State, or by a controller or processor established in more than one Member State, or that takes place in the controller's or processor's only establishment in the EU but substantially affects data subjects in more than one Member State.
When the processing of personal data crosses borders, the European data protection authorities monitor the processing of personal data in cooperation. A supervisory authority with overall responsibility for the processing is appointed and works together with the supervisory authorities participating in the processing of the matter. The purpose of the cooperation procedure is to achieve a binding common decision by the leading and participating authorities, as well as to ensure the consistent application of the GDPR across Member States.
The Office of the Data Protection Ombudsman issued its first decision as the lead supervisory authority in a cross-border case in 2021.
In July, the EDPB issued a decision concerning WhatsApp Ireland Limited in a dispute resolution proceeding. The decision concerned an investigation by the Irish supervisory authority into whether WhatsApp was informing its users of the processing of their personal data in a transparent manner. In addition, the EDPB issued its first decision under the urgency procedure. The decision concerned the request of Hamburg's supervisory authority for adopting urgent measures against Facebook Ireland Limited because of changes to the terms of service of the WhatsApp instant messaging service.
The Office of the Data Protection Ombudsman also developed its own practices in the processing of cross-border cases during the year.
The powers and procedures of the Office of the Data Protection Ombudsman
Three Administrative Court decisions on appeals against administrative fines were given during the year. According to the Administrative Court, the process leading to the imposition of an administrative fine fulfilled the conditions of the Administrative Procedure Act in the cases in question.
Administrative Court decisions issued in the spring of 2021 clarified the interpretation of consent to the use of cookies and powers in supervisory matters involving cookies. The Administrative Court overturned two decisions by the Finnish Transport and Communications Agency (Traficom) concerning ways to ask for users' consent to the use of cookies on websites. At the same time, the Court found that Traficom is the competent authority with regard to the supervision of consent for the use of cookies. Following these Administrative Court decisions, the Office of the Data Protection Ombudsman transferred complaints concerning consent for the use of cookies to Traficom.
The Deputy Chancellor of Justice started an investigation into the case-processing practices of the Office of the Data Protection Ombudsman in 2020 and gave his decision at the end of 2021. The Office of the Data Protection Ombudsman issued a report to the Deputy Chancellor of Justice on matters such as case processing times, the processing stages of old pending cases and the impact of measures adopted. The Deputy Chancellor of Justice also conducted a legality audit of the Office.
According to the Deputy Chancellor of Justice, the Office of the Data Protection Ombudsman's development measures look promising and the case backlog has almost been cleared. However, the improved case processing situation is at risk of taking a turn for the worse if the Office does not have access to sufficient human resources.
Growth in personal data breaches continued
Personal data breach notifications constitute the largest single category of cases instituted with the Office of the Data Protection Ombudsman. A total of 4,785 data breach notifications were filed with the Office during the year, representing an increase of more than 500 from the previous year. The number of reported data breaches has increased annually and has risen to 44% of cases instituted. Most notifications are received from regulated sectors, such as social welfare and health care, the financial sector and the telecommunications sector.
If a personal data breach can cause a risk to the people affected by it, the Office of the Data Protection Ombudsman must be notified. Organisations have been subject to this duty to notify since May 2018.
The Office has noted that there are differences in the identification and processing of data breaches between sectors. A need for clarifying instructions on reporting personal data breaches has been identified in the social welfare and health care sector in particular. In order to respond to this need, the Deputy Data Protection Ombudsman sent social welfare and health care operators a guidance letter clarifying the duty to notify.
In November, the Office supplemented its instructions with regard to retaining log data covering the period of a personal data breach against an information system. Log data are also included in the documentation obligation concerning personal data breaches.
International transfers of data
The level of protection of personal data guaranteed by the GDPR can decrease when personal data is transferred out of the European Economic Area or to an international organisation. For this reason, a number of bases for transferring personal data have been specified in the GDPR, which can be used to transfer personal data while guaranteeing a level of data protection corresponding to EU requirements.
The instructions concerning the transfer of personal data were clarified and updated during the year. In particular, the 'Schrems II' judgment issued by the Court of Justice of the European Union in July 2020 (C-311/18) clarified the requirements for the legal transfer of personal data from EU and EEA Member States to third countries or international organisations.
Significant updates were made to the bases for transfer during the year. In June, the European Commission adopted the updated standard contractual clauses (SCCs) for the transfer of data to third countries. In addition, the European Commission made two decisions in June regarding the adequacy of data protection in the UK. In June, the EDPB published the final version of its recommendations for supplementary measures, which help assess the need for additional safeguards and choose the safeguards appropriate to the circumstances.
The guidelines issued to authorities were also clarified in the wake of the Schrems II judgment, and the data protection authorities' responsibility for the supervision of international transfers of data was emphasised. The Office of the Data Protection Ombudsman announced in the autumn that it would enhance the supervision of transfers of personal data.
Supporting controllers in ensuring data protection
In 2020, the Office of the Data Protection Ombudsman and TIEKE Finnish Information Society Development Centre were granted EU funding for the GDPR2DSM project, which aims to develop an easy-to-use data protection tool for SMEs in cooperation with the companies. Co-development of the tool with the companies started with a workshop for 30 participants held in June. The first version of the tool was published in October.
As part of the project, the Office of the Data Protection Ombudsman and TIEKE held free webinars on data protection for SMEs in cooperation with partners. We organised a total of fourteen webinars on themes requested by the companies during the year. Development of the data protection tool and events around the project will continue in 2022. The project is funded by the Citizens, Equality, Rights and Values EU programme.
In the spring, the Office of the Data Protection Ombudsman drew up a guideline on data protection impact assessments to support controllers. A simple Excel recording tool was also prepared alongside the guideline, which controllers may use, if they wish, when carrying out an impact assessment. Where applicable, the guideline can also be used for impact assessments under the Act on the Processing of Personal Data in Criminal Matters. The purpose of a data protection impact assessment is to identify and reduce the risks associated with the processing of personal data and to produce material with which compliance with data protection regulation can be demonstrated.
Personnel and finances
The number of personnel employed by the Office of the Data Protection Ombudsman increased in 2021. A total of 55 people were employed by the Office of the Data Protection Ombudsman at the end of 2021.
Three customer service teams operate in the Office of the Data Protection Ombudsman. As a rule, one of them focuses on the private sector and cross-border matters, the second on the public sector and international matters and the third on matters related to the Data Protection Law Enforcement Directive and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security. The Office's administrative, advisory and registry services have been centralised in the Administrative Unit. The Joint Functions team includes the IT senior specialists, communications and the Data Protection Officer. In addition, separate development teams coordinate practices and projects related to certain themes, such as personal data breaches, the rights of the data subject and impact assessments.
Master of Laws Heljä-Tuulia Pihamaa was appointed Deputy Data Protection Ombudsman and started work in March 2021. As Deputy Data Protection Ombudsman, Pihamaa leads the customer service team focusing on the public sector and national cases.
With the persistence of COVID-19 restrictions and the remote work order, remote work practices and digital ways of working became established in the day-to-day operations of the Office.
The backlog-clearance project initiated at the beginning of 2020 was still reflected in the personnel of the Office. The contribution of fixed-term 'backlog clearers' has been increasingly allocated to the processing of pending cases since 2020.