City of Helsinki – Violation Found (Finland, 2022)

The cities of Helsinki, Espoo, Vantaa and Kauniainen (the controllers) used Google Analytics and Google Tag Manager, with servers located in the US, as a tracking technology tool on their online system (https://helmet.fi) of public libraries to monitor visitors and improve the service. The controllers installed cookie tracking technologies on the data subjects' terminal devices as soon as the website was accessed, even before a cookie banner would be shown to them. Information about processing of personal data was available on the library website under the "About the website" link. However, this general privacy note would not inform data subjects about data transfers to the US, but only mention that "some service providers are located outside of the EU/EEA" without specific information on the recipients in third countries. Information about the tracking technologies was also provided under the heading "Cookies". In light of the CJEU Schrems II judgement, the Finnish DPA started an ex officio investigation into the controllers' data transfers to third countries. The DPA considered four main issues: legal basis for processing of personal data collected through tracking technology tools, information given to data subjects related to the use of tracking technologies, implementation of technical and organisational measures for sharing data on search results with third parties, legal basis for data transfers to third countries. First, with regards to the legal basis for processing personal data collected through the tracking technology, specifically Google Analytics and Google Tag Manager, the DPA noted that certain cookies were set on the website before an interaction with the cookie banner. Such cookies were not strictly necessary and therefore required valid consent of the data subject. The DPA held that the controllers violated Articles 5(1)(a) and 6(1) GDPR, which require a valid legal basis for the processing of personal data. Moreover, the DPA found a violation