The Finnish Deputy Data Protection Ombudsman recently published two decisions applying GDPR in Finland involving (1) information gathered by electronic locks on the front doors of buildings and (2) sharing otherwise public shareholder information via telephone services. In Finland, the Data Protection Ombudsman is the national Data Protection Authority (“DPA”) supervising compliance with data protection legislation.

Processing of personal data relating to electronic lock systems (29 July 2020)

A limited liability housing company concluded that the use of an electronic locking system, and the storing of information about door openings, did not involve the processing of personal data, even though the user of an electronic key could be identified when the key’s identification code is combined with information about a specific apartment. The DPA disagreed with the housing company and ordered it to bring the processing operations into compliance with the General Data Protection Regulation (“GDPR”).

In this case, electronic locks had been installed on the front doors of the residential buildings; the doors of individual apartments did not have this type of lock, and the end-user of a key was not registered. The information about key usage was not available to the housing company, and the lock company managing the system would read it only if requested by the police.

The DPA concluded that, for data to be considered personal, it is not necessary that a natural person be directly identifiable from it. When the key’s identification code is combined with information about a specific apartment, the resident who used the key to open the door can be identified. This is especially true where the apartment has only one occupant, who can then be identified with certainty.

The DPA´s decision in this case (in Finnish) is here: https://finlex.fi/fi/viranomaiset/tsv/2020/20200661

This decision can be appealed to the administrative court.

Sharing shareholder information via telephone service (10 July 2020)

The Finnish DPA also ruled that the sharing of shareholder information through a telephone service was not in compliance with the GDPR. The DPA concluded that the company, Euroclear Finland Oy (“Euroclear”), did not fulfil its obligations as a controller or make it possible for data subjects’ rights to be protected when sharing shareholder information for the purpose of direct marketing. The DPA issued Euroclear a reprimand and ordered it to bring its activities related to the sharing of shareholder information into compliance with the GDPR.

Euroclear maintains public lists of shareholders as required by law. Through its telephone service, the company offered the information on those lists relating to limited liability companies and cooperatives. The company considered the telephone service equivalent to the public display of the same information at its office and did not consider itself a controller in respect of that activity.

The DPA noted that the party determining the purposes and means of personal data processing is the controller. By providing the telephone service, Euroclear is a controller in respect of this processing and must comply with the requirements set out, for example, in Articles 5 and 6 of the GDPR. The DPA found shortcomings in meeting these requirements, generally with respect to the required fairness and transparency and, more specifically, in providing data subjects with the necessary information. The Ombudsman further noted that Euroclear had gone beyond the manner of making shareholder lists available that is provided for in the Limited Liability Companies Act.

The DPA´s decision in this case (in Finnish) is here: https://finlex.fi/fi/viranomaiset/tsv/2020/20200641

This decision can be appealed to the administrative court.

Conclusion

These two decisions provide guidance on how the Finnish DPA currently applies the GDPR and are timely reminders of certain basic principles. More specifically, when considering what type of data the GDPR applies to, it is important to consider not only data that can directly identify a person but also data that can do so indirectly, in combination with other data. In addition, a party that determines the purposes and means of processing personal data is a controller and must comply with the obligations the GDPR imposes on controllers, even if it regards itself as a mere processor; a processor that wishes to remain one should not determine the purposes and means of the processing.