Ilmatieteenlaitos – Violation Found (Finland, 2023)
The Finnish Meteorological Institute faced scrutiny for using Google services that transferred personal data of website visitors to the US without proper safeguards. This is important because it highlights the risks of using third-party services that may not comply with data protection laws.
What happened
Ilmatieteenlaitos used Google Analytics and reCAPTCHA services, transmitting personal data to the US without a lawful basis.
Who was affected
Approximately 330,000 website visitors whose data was transmitted were affected by this breach.
What the authority found
The Finnish data protection authority found that the institute violated GDPR by not ensuring lawful data transfers to the US.
Why this matters
This case underscores the importance of understanding international data transfer regulations. Organizations using third-party services must ensure they comply with data protection laws to protect user privacy.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Finnish Meteorological Institute (the controller) used Google Analytics and reCAPTCHA services, including cookies, on its website. Because Google is a US-based service provider, personal data of the controller’s website visitors, such as IP address and other information that could be used to identify a data subject, were transmitted to the United States through the use of the Google services in question.
Following a website user first contacting the controller on the issue, the controller filed a data breach notification with the Finnish DPA in September 2022. According to the controller, the data breach started on 1 January 2010, and the number of data subjects affected was estimated to be 330 000. As a result, the controller disabled the Google services in question from its website in September 2022.
Pursuant to Article 44 GDPR, transfers of personal data to a third country can only take place if the controller and processor comply with the conditions set out in Chapter V GDPR. The DPA cited the “Schrems II” decision, C-311/18 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=16647738), and held that the controller had infringed Articles 44 and 46 GDPR because the controller 1) had not established a lawful basis for the transfers in accordance with Chapter V GDPR and 2) had not put in place appropriate safeguards for the transfers. Therefore, the controller had unlawfully transferred personal data of its website visitors to the United States by using Google Analytics and reCAPTCHA services.
As a result, the DPA 1) issued a reprimand to the controller and 2) ordered the controller to delete all personal data that were transferred to the United States without a lawful basis. Because the controller had already disabled the Google services from its website, the DPA did not deem it necessary to order the controller to do the same and to bring the processing into compliance.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Ilmatieteenlaitos in FI
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Ilmatieteenlaitos - Finland (2023). Retrieved from cookiefines.eu