Sensitive employee data made public in Finland

Okay, there were only 7 employees, and this personal data breach, which was investigated by the Finnish DPA, concerned a single employee who was on sick leave.

What is super interesting about this case is that the employer (a family business) published the fact that the employee was on sick leave on the company website. It seems that because the employee had set up an automated email reply saying that he/she was on sick leave, the employer took this to mean that the information was now public data. It was not: the fact that someone is on sick leave is health data, a special category of personal data under Article 9 GDPR, and an automated out-of-office reply sent to individual correspondents does not make it public.

The decision then digs into the employment act and the secrecy obligations concerning employee data, and concludes that sanctions should be imposed on the business, i.e. this was a personal data breach with an impact on the 'rights and freedoms' of the data subject.

Clearly I've cut out a load of details here… but what is important is that even small family businesses are not immune to GDPR sanctions.

Finnish business fined for tracking employees

In Finland, one of the first GDPR fines was handed out to a water supply management company (Kymen Vesi) that used location data from the vehicles used by its employees, which counts as systematic monitoring of employees. A DPIA should have been conducted before the processing started.

Taken from the DLA Piper blog:

This followed from a complaint made by an individual. Kymen Vesi processed location data of its employees by locating their vehicles. This location data was used to monitor the employees' working hours.
The Data Protection Ombudsman stressed in its decision that a data controller must carry out a DPIA when the processing is likely to result in a high risk to the rights and freedoms of data subjects. Kymen Vesi should have carried out a DPIA since the processing of location data concerned data subjects in a vulnerable position (employees) and the data was used for systematic monitoring. With reference to the list of criteria set out in the WP29 guidelines on DPIAs for determining whether processing is likely to result in a high risk, the processing conducted by Kymen Vesi satisfied three of the criteria (processing of location data, data subjects in a vulnerable position and systematic monitoring of data subjects), whereas a DPIA is usually already required when two of the criteria are satisfied.

Read the rest of the blog post on the DLA Piper blog.

Knock knock … join our religion - and btw GDPR doesn't apply to us!

I just loved this case decision in Finland, whereby Jehovah's Witnesses must comply with GDPR, as determined by the EU court. In 2013 Finland's Data Protection Supervisor prohibited the Jehovah's Witnesses religious community from collecting or processing personal data in the course of door-to-door preaching by its members unless Finnish data protection legislation was observed.

The Jehovah's Witnesses Community organises and coordinates the preaching by creating maps from which areas are allocated between the members who engage in preaching, and by keeping records about the preachers and the number of the Community's publications distributed by them. The preachers themselves take notes on the people they visit (names, addresses, and information such as religious beliefs and family circumstances). In essence they are collecting and processing personal data.

In its judgment (given under Directive 95/46/EC, the GDPR's predecessor, whose household exemption the GDPR carries over unchanged), the European Court of Justice considered that the Jehovah's Witnesses' door-to-door preaching is not covered by the exceptions laid down by EU law on the protection of personal data. Its reasoning was in two steps:

  1. Door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union; but
  2. That protection does not confer an exclusively personal or household character on the activity, because it extends beyond the private sphere of the individual member of the religious community who is doing the preaching.

For those newbies here, this is about something called 'material scope' in the GDPR. You can liken 'material scope' (and there is also 'territorial scope') to scoping parameters for the GDPR.

Think about it as a project scope… and it is almost cool to know that even legal documents have a scope, just as any project you may have driven or been a part of. What this means is that all the legal text in the GDPR is only relevant if the processing of personal data falls within the scope defined in Articles 2 and 3.

Material scope (Article 2)

The GDPR applies to the processing of personal data wholly or partly by automated means, and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system. Article 2(2) then lists what is excluded, and the one that matters here is Article 2(2)(c): processing by a natural person in the course of a purely personal or household activity, the so-called 'household exemption'.

Now back to the case.

  1. The Jehovah's Witnesses relied on the 'household exemption', arguing that the preaching was a purely personal activity of individual members and therefore outside the scope of data protection law. The Court rejected this: the activity extends beyond the private sphere of the individual preacher, and the Community, which organises and coordinates the preaching, is a controller jointly with the members who knock on doors and collect the personal data.
  2. Material scope also requires manually collected data to form part of a 'filing system' of some kind. The Court held that even though the data was collected by hand, the mere fact that it was ordered according to specific criteria, e.g. by address during collection, so that an individual's data could easily be retrieved for later use, was enough to make it a filing system and bring it within scope.

So there you have it… lovely example for the classroom IMHO 🙂

Dilemmas – increased Internet surveillance in the wake of the Oslo tragedy

This is the dilemma: to increase surveillance in the name of personal safety, or not to do this, as it violates our right to personal privacy?

Remember what happened after the terror attacks on the twin towers in New York? A whole host of privacy-invading legislation was passed in the U.S. that now requires visitors to go through the inconvenience and indignity of being fingerprinted like criminals and having their faces scanned. And there is no road back; it is a one-way street. Once a practice starts, it becomes accepted over time as the norm.

The UK has dragged through legislation on the mandatory issue of ID cards. Although they have not succeeded in getting this through for all UK citizens, they will… they have started with all UK immigrants, who today have no choice. Most youngsters need ID in order to get into most bars, so it has become a norm among this age group. All in the name of personal safety, trying to control something that is not controllable.

So now officials from Finland, Estonia and Germany have called for expanded monitoring powers on the Internet in the wake of the Oslo tragedy. Apparently the guilty party for this attack published a Twitter message, a YouTube video and a 1,500-page manifesto in the build-up to these terrible crimes. Read more here.

And we are back to the dilemma thing. As a mother I am screaming out for these "expanded monitoring powers", but as a privacy advocate I am terrified by these developments, as they give justification for increased invasions of our private space, which is getting smaller and smaller…