Higher Education Institution – €25,000 Fine (Finland, 2021)

The Finnish DPA imposed a fine of EUR 25,000 on a higher education institution for data protection violations in the processing of employee location data. The controller had introduced a mobile application that allowed teleworkers to clock in and out. The use of the application on a mobile device also required authorization for location data collection. The collection of location data at the time of clocking in was a feature of the app, without which it was not possible to clock in working hours using the app. According to the information received from the controller, the controller did not actively use or exploit the location data in any situation, but only processed the location data at the time of clocking in for technical reasons. However, the mere fact that time clocking is not possible in the application without processing the location data does not make it necessary to process them. The DPA therefore considered this to be a violation of the lawfulness of the data collection and of the principle of data minimization, since the processing of location data was not necessary for the purpose of the processing - i.e., the mere recording of working hours.