GDPR fine of 100,000 euro imposed on Finland's Posti Group Oyj for data protection violations
The Office of the Data Protection Ombudsman's sanctions board imposed an administrative GDPR fine of 100,000 euro on Finland's Posti Group Oyj for violations of data protection legislation on 18 May. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.
GDPR fine for Data Violations
The individuals who filed a complaint with the Data Protection Ombudsman had received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy, which is the leading postal service operator in Finland. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti had not informed the data subjects of their rights, including the right to object to the disclosure of data, in connection with making change-of-address notifications.
The company should have informed its customers clearly about their right to object to the processing of their personal data. Posti had submitted such notifications only to customers who bought additional services in addition to making the change-of-address notification.
Already in 2017, Posti had notified the Data Protection Ombudsman that it would look into possibilities for improving the transparency of personal data processing.
The company finally improved its practices for informing customers in 2020, after the Office of the Data Protection Ombudsman had contacted Posti again. The violations affected 161,000 customers in 2019 alone.
The sanctions board imposed an administrative GDPR fine of 100,000 euro on Finland's Posti Group Oyj.