Ilmatieteenlaitos – Violation Found (Finland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish Meteorological Institute was found to have used Google services that sent personal data to the U.S. without proper safeguards. This matters because it shows the risks of transferring data internationally without ensuring its protection. Companies should be cautious when using foreign service providers.
What happened
The Finnish Meteorological Institute used Google Analytics and reCAPTCHA, transmitting personal data to the U.S. without a lawful basis.
Who was affected
Visitors to the Finnish Meteorological Institute's website whose data was sent to the U.S.
What the authority found
The authority ruled that the Institute violated GDPR by not having a legal basis for transferring personal data to a third country.
Why this matters
This ruling underscores the need for businesses to understand international data transfer rules. Companies should ensure compliance when using foreign services to protect user data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Finnish Meteorological Institute (the controller) used Google Analytics and reCAPTCHA services including cookies on its website. Because Google is a US-based service provider, personal data of the controller’s website visitors, such as IP address and other information that could be used to identify a data subject, were transmitted to the United States through the use of the Google services in question.
Following a website user first contacting the controller on the issue, the controller filed a data breach notification with the Finnish DPA in September 2022. According to the controller, the data breach started on 1 January 2010, and the number of data subjects affected was estimated to be 330 000. As a result, the controller disabled the Google services in question from its website in September 2022.
Pursuant to Article 44 GDPR, transfers of personal data to a third country can only take place if the controller and processor comply with the conditions set out in Chapter V GDPR. The DPA cited the “Schrems II” decision (C-311/18, https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=16647738) and held that the controller had infringed Articles 44 and 46 GDPR because 1) the controller had not established a lawful basis for the transfers in accordance with Chapter V GDPR and 2) the controller had not put in place appropriate safeguards for the transfers. Therefore, the controller had unlawfully transferred personal data of its website visitors to the United States by using Google Analytics and reCAPTCHA services.
As a result, the DPA 1) issued a reprimand to the controller and 2) ordered the controller to delete all personal data that were transferred to the United States without a lawful basis. Because the controller had already disabled the Google services from its website, the DPA did not deem it necessary to order the controller to do the same and to bring the processing into compliance.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Ilmatieteenlaitos in FI
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Ilmatieteenlaitos - Finland (2023). Retrieved from cookiefines.eu