ParkkiPate Oy – €75,000 Fine (Finland, 2021)

The Finnish DPA has imposed a fine of EUR 75,000 on ParkkiPate Oy. A number of people had been issued parking tickets by the controller and had thereupon requested information about which personal data was being processed and, in some cases, requested the deletion of their data. However, in order to process the requests, the controller stated that it needed the ID card number and address of the data subjects for identification purposes, as their name with the parking ticket number was not sufficient to verify their identity. According to the DPA, the controller has not only violated its duty to inform the data subjects and the right to delete their data, but has also violated the principle of data minimization. The DPA stressed that it is permitted to request further proof of identification if there are reasonable doubts about the identity of the data subject. However, in the cases in question, no such doubts had existed. Furthermore, the DPA found a violation of the principle of storage limitation. The controller had stored photos of incorrectly parked cars and copies of parking tickets for possible future disputes in court without having defined a deadline for the deletion of the data.