Posti is the Finnish mail and package delivery service. The Finnish State exercises the shareholder’s decision-making power over it. On December 6, the European Data Protection Board announced a decision by the Finnish Supervisory Authority that imposed a monetary penalty of 2.4 million euros and a reprimand. As EDPB summarizes the case:
The Finnish Supervisory Authority (SA) investigated Posti’s processing of personal data related to the creation of an electronic mailbox. The Finnish SA had received complaints about the forwarding of letters to Posti’s online service without the customer’s consent.
Key Findings
The controller had automatically created an electronic mailbox for customers without a separate request. The electronic mailbox had been linked to a wider set of services. The investigation showed that the customer could not choose whether to use the electronic mailbox or not, as the different services were linked together in a single contract. The electronic mailbox could not be dispensed with without the other services also ceasing. The Finnish SA considers that the service requested by the customer could have been provided without the automatic creation of an electronic mailbox. The controller did also not inform its customers clearly about the activation of the electronic mailbox. There were also technical settings in the service that did not meet data protection requirements. These included an automatically activated selector function and a pre-ticked checkbox.
Decision
The Finnish SA imposed an administrative fine of 2,4 million euros on the controller for unlawful processing (Art. 5 and 6.1 GDPR). The controller was reprimanded for the shortcomings in informing the customers and was ordered to correct its unlawful practices (Art. 13 GDPR). In addition, the DPA instructed the controller to take into account that electronic services must be built from the outset so that only necessary personal data is processed (Art. 25 GDPR).
For further information:
National press release: Administrative fine imposed on Posti for data protection shortcomings in the OmaPosti service (English, Suomi, Svenska)