City of Helsinki – Violation Found (Finland, 2023)

The Finnish DPA was notified that the City of Helsinki (the controller) had not concluded a data processing agreement with the company that maintained an online pupil welfare service that allowed pupils to contact a school counsellor or school psychologist. The DPA then asked the controller to explain who was responsible for maintaining the service. In response to the request, the controller clarified that it had no contractual documentation with the company maintaining the service regarding roles or data protection. The controller also stated that it no longer used the company to operate the service and that the service was now maintained by the controller. On the basis of the information provided by the controller, the DPA considered that another company had carried out the regular maintenance of the online service on behalf of the controller and had thus acted as a processor of personal data. The DPA found that, in the absence of a data processing agreement between the parties, the company maintaining the service was not contractually bound, for example, to ensure security of processing or confidentiality. On the basis of the information gathered, the DPA held that the controller had violated Article 28(3) GDPR by failing to comply with its obligation as controller to enter into a data processing agreement with the processor. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.