Järvenpää parish – Court Ruling (Finland, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Finnish court ruled that Järvenpää parish wrongly included information on the outside of envelopes that revealed a person's church membership. This decision matters because it highlights the importance of protecting sensitive personal information, even if it seems indirect. Companies should be careful about what they display on mail to avoid revealing private details about individuals.
What happened
Järvenpää parish sent envelopes that allowed others to infer a person's membership in the Evangelical Lutheran Church.
Who was affected
Individuals who received election-related letters from Järvenpää parish and whose church membership could be inferred from the envelope.
What the authority found
The court found that Järvenpää parish violated GDPR rules by including sensitive information on the outside of the envelopes, which was unnecessary for the communication.
Why this matters
This ruling emphasizes that organizations must be cautious about how they handle personal information, even indirectly. It serves as a reminder for all companies to review their mailing practices to protect user privacy.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject brought a complaint to the DPA concerning the Järvenpää parish (the controller, a religious institution). The controller sent them a letter about their right to vote in the upcoming controller's elections. According to the data subject, the printed text in the envelope allowed third parties to infer that the data subject was a member of the Evangelical Lutheran Church. The DPA dismissed the complaint, and stated that the controller had not processed personal data expressing religious or political beliefs (Article 9 GDPR). In addition, the controller had a legal basis to process the data subject’s personal data through letters. This is because the controller had the duty to ensure that information related to the right to vote reaches the data subject. Finally, the DPA stated that the postal company distributing the envelopes had a duty of confidentiality. The data subject appealed the decision to the Administrative Court, who overturned the decision of the DPA. According to the court, the envelope allowed individuals to infer that the data subject was a member of the church. This indirect information on religious beliefs fell under the scope of Article 9(1) GDPR. Therefore, the controller violated Articles 5 and 9(2)(d) GDPR, as it was not necessary to include this data on the outside of the envelope. According to the court, the controller could have fulfilled the purpose of informing data subjects after the envelope was opened. The controller appealed the decision to the Supreme Administrative Court. The controller argued that including information on the elections on the outside of the envelope does not violate the GDPR, as religious communities have a strong freedom of religious communication. In addition, the controller argued that it implemented appropriate safeguards in processing the data subject’s data. On the other hand, the data subject argued that the controller did not comply with the requirements of data minimisation (Article 5(1)(c) GDPR)
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Järvenpää parish in FI
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Järvenpää parish - Finland (2026). Retrieved from cookiefines.eu
Last updated: