Finnish SA: Administrative fine imposed on Posti for unlawful processing of personal data

6 December 2024

Background information

  • Date of final decision: 13 November 2024
  • National case
  • Legal Reference(s): Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default)
  • Decision: Administrative fine, Compliance order, Reprimand
  • Key words: Administrative fine, Lawfulness of processing, Right to be informed

Summary of the Decision
 

Origin of the case  

The Finnish Supervisory Authority (SA) investigated the processing of personal data of Posti related to the creation of an electronic mailbox. The Finnish SA had received complaints about the forwarding of letters to Posti's online service without the customer's consent. 


Key Findings 

The controller had automatically created an electronic mailbox for customers without a separate request. The electronic mailbox had been linked to a wider set of services. The investigation showed that the customer could not choose whether to use the electronic mailbox or not, as the different services were linked together in a single contract. The electronic mailbox could not be dispensed with without the other services also ceasing. The Finnish SA considers that the service requested by the customer could have been provided without the automatic creation of an electronic mailbox. The controller also did not inform its customers clearly about the activation of the electronic mailbox. There were also technical settings in the service that did not meet data protection requirements. These included an automatically activated selector function and a pre-ticked checkbox.

 

Decision 

The Finnish SA imposed an administrative fine of 2,4 million euros on the controller for unlawful processing (Art. 5 and 6.1 GDPR). The controller was reprimanded for the shortcomings in informing the customers and was ordered to correct its unlawful practices (Art. 13 GDPR). In addition, the DPA instructed the controller to take into account that electronic services must be built from the outset so that only necessary personal data is processed (Art. 25 GDPR). 

For further information: 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.