
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Deputy Data Protection Ombudsman (29 items)

Aktia Pankki Oyj: Insufficient technical and organisational measures to ensure information security

€865,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 865,000 on Aktia Pankki Oyj. The controller changed its strong authentication process in such a way that it no longer guaranteed adequate data security, resulting in a data breach.

S-Pankki Oyj: Insufficient technical and organisational measures to ensure information security

€1,800,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 1,800,000 on S-Pankki Oyj. Due to a software error, customers of the controller were able to log in to the bank accounts of other customers, resulting in financial losses.

Yliopiston Apteekin: Non-compliance with general data processing principles

€1,100,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 1,100,000 on Yliopiston Apteekin. The controller, who runs an online pharmacy, used various web analytics and monitoring tools. These tools were implemented in a way that allowed the providers, who are based outside the EU, to access personal data. The controller also failed to ensure that the tools complied with the principle of data minimization.

Sambla Group Oy: Insufficient technical and organisational measures to ensure information security

€950,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 950,000 on Sambla Group Oy. Security vulnerabilities in two of its comparison portals allowed unauthorized persons to access personal data, such as income, housing costs, and marital status of credit applicants, via unsecured links.

Posti Jakelu Oy: Insufficient legal basis for data processing

€2,400,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA imposed a fine of EUR 2.4 million on Posti Jakelu Oy following an investigation. It was found that Posti had automatically set up an electronic mailbox for customers without their explicit consent. This mailbox was connected to other services, and customers were unable to choose whether to use it, as the services were bundled together in a single contract. Canceling the mailbox would also have resulted in the termination of the other services. The DPA determined that the requeste

Verkkokauppa.com: Non-compliance with general data processing principles

€856,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 856,000 on Verkkokauppa.com Plc for not specifying the retention period of customer account data of e-commerce customers. The DPA also found that in order to make an online purchase, customers were required to create a customer account or register.

Suomen Yritysrekisteri: Insufficient fulfilment of data subjects rights

€23,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined Suomen Yritysrekisteri EUR 23,000. The controller had not sufficiently complied with data subjects' requests for access to their personal data. The Eastern Finland Administrative Court rejected the appeal filed by Suomen Yritysrekisteri.

Company: Insufficient fulfilment of data subjects rights

€1,600 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 1,600 on a company providing psychotherapy services. A customer had submitted a request for access to their stored personal data. However, the company had not informed the customer of the reason why the records of the psychotherapy sessions could not be provided.

Suomen Asiakastieto Oy: Insufficient cooperation with supervisory authority

€440,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 440,000 on Suomen Asiakastieto Oy for failing to comply with an order issued by the DPA. During an investigation, the DPA found that the company had unlawfully stored financial data of data subjects. The DPA therefore ordered the company to remove the data, which the company did not comply with.

Company: Insufficient legal basis for data processing

€122,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 122,000 on a company with products that process health data, such as heart rate, etc. The DPA had received several complaints regarding the processing of health data from data subjects. During its investigation, the DPA found that the company did not have a sufficient legal basis to process various types of health data. While the company had informed users of the products about the processing of personal health data in general, it had failed to provide i

Alektum Oy: Insufficient fulfilment of data subjects rights

€750,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined the debt collection company Alektum Oy EUR 750,000. The DPA opened an investigation against the controller after three people filed complaints against them. During its investigation, the DPA found that the controller had failed to respond at all or sufficiently to requests from data subjects regarding their data protection rights. The DPA also found that the controller had not sufficiently cooperated with the DPA.

Viking Line Oy Abp: Non-compliance with general data processing principles

€230,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 230,000 on Viking Line Oy Abp. A former employee had filed a complaint with the DPA. During its investigation, the DPA found that the controller had not complied with the data subject's request for access to their health data and that some of the medical data had been stored incorrectly. The DPA also found that the medical data was stored with other personal data, although such storage is unlawful. Furthermore, the DPA found that the controller had not p

Otavamedia Oy: Insufficient fulfilment of data subjects rights

€85,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 85,000 on Otavamedia Oy. The DPA had received eleven complaints regarding Otavamedia between 2018 and 2021. The complaints primarily concerned the lack of response to inquiries from data subjects. Otavamedia explained that some of the privacy requests had not been fulfilled due to a technical problem with email management. During the incident, messages received in the privacy inquiry email box were not forwarded to customer service representative

Telemarketing company: Insufficient cooperation with supervisory authority

€8,300 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 8,300 on a telemarketing company for non-compliance with a DPA order. A customer of the company had requested access to the recording of a sales call. However, the company did not comply with the request and therefore the DPA ordered the company to grant the customer access to the recordings. Later, the customer reported that despite the DPA's order, they still had not received the recording of the call.

Medical clinic: Insufficient fulfilment of information obligations

€5,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined a medical clinic EUR 5,000. A customer of the clinic had complained to the DPA that he had not received access to his medical records from the clinic following a request for information. In addition, the clinic failed to adequately inform its clients about the processing of personal data. Specifically, the DPA points out that the clinic did not inform its clients about the extent to which it was acting as a data controller for patient data generated by its activities.

Travel agency: Insufficient technical and organisational measures to ensure information security

€6,500 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 6,500 on a travel agency. A customer of the travel agency informed the DPA of a suspicion that the company might not process the data of its customers in a data protection compliant manner. During its investigation, the DPA found that the travel agency had not ensured secure processing of personal data. For example, visa application forms filled out by customers were publicly accessible on the travel agency's web server. The form contained, among other thing

Motor insurance center: Non-compliance with general data processing principles

€52,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined a motor insurance center EUR 52,000. The controller had excessively requested patient data from within the healthcare system for the purpose of processing claims. However, much of the data was not necessary to process the claims. For example, the DPA found that the motor vehicle insurance center had also collected patient visit notes to determine whether the health care provider had billed for visits that were not related to the examination or treatment of injuries caus

Psykoterapiakeskus Vastaamo: Non-compliance with general data processing principles

€608,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also siphoned off data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker cou

Higher Education Institution: Non-compliance with general data processing principles

€25,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA imposed a fine of EUR 25,000 on a higher education institution for data protection violations in the processing of employee location data. The controller had introduced a mobile application that allowed teleworkers to clock in and out. The use of the application on a mobile device also required authorization for location data collection. The collection of location data at the time of clocking in was a feature of the app, without which it was not possible to clock in working hours

Magazine publisher: Insufficient legal basis for data processing

€8,500 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 8,500 on a magazine publisher. The DPA received four complaints against the magazine publisher for unsolicited telephone advertising. The controller had carried out direct marketing using an automated calling system, without valid consent from the recipients of the calls. Specifically, the controller had obtained the apparent consent for direct marketing when a customer subscribed to a magazine on its website, for example. The subscriber to the magazine w

ParkkiPate Oy: Insufficient fulfilment of data subjects rights

€75,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 75,000 on ParkkiPate Oy. A number of people had been issued parking tickets by the controller and had thereupon requested information about which personal data was being processed and, in some cases, requested the deletion of their data. However, in order to process the requests, the controller stated that it needed the ID card number and address of the data subjects for identification purposes, as their name with the parking ticket number was not suffic

Acc Consulting Varsinais-Suomi: Insufficient legal basis for data processing

€7,000 fine - Deputy Data Protection Ombudsman

Unsolicited marketing SMS without prior consent

Taksi Helsinki: Non-compliance with general data processing principles

€72,000 fine - Deputy Data Protection Ombudsman

Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis and had also failed to conduct data protection impact assessments of its processing activities, including the surveillance of security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Furthermore, the processing of audio data was not in line

Unknown Company: Insufficient legal basis for data processing

€12,500 fine - Deputy Data Protection Ombudsman

Processing of employee data without sufficient legal basis.

Posti Group Oyj: Insufficient fulfilment of data subjects rights

€100,000 fine - Deputy Data Protection Ombudsman

The decision relates to complaints alleging that data subjects received direct marketing from the company although they had requested that their postal data be deleted. Investigations also revealed that the data protection information provided by the company was not transparent enough.

Kymen Vesi Oy: Non-compliance with general data processing principles

€16,000 fine - Deputy Data Protection Ombudsman

Fine for failure to carry out a data protection impact assessment ('DPIA') for the processing of location data of employees with a vehicle information system.