Social and Health Services in Kymenlaakso (Kymsote) – Violation Found (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In Finland, the DPA found that Kymsote's method of checking foster parents' criminal records was not properly aligned with GDPR rules. Although they acted in public interest, the process didn't follow specific national laws. This matters because it shows that even public authorities must adhere to detailed legal procedures.
What happened
Kymsote required potential foster parents to obtain and present their own criminal records, which the DPA found inappropriate under GDPR.
Who was affected
Potential foster parents in Kymenlaakso whose criminal records were checked inappropriately.
What the authority found
The Finnish DPA concluded that Kymsote's process for checking criminal records did not comply with GDPR, as it bypassed specific national legal procedures.
Why this matters
This finding emphasizes that organizations, including public bodies, must ensure their data processing methods comply with both GDPR and national laws. It underscores the need for clear procedures when handling sensitive data.
GDPR Articles Cited
National Law Articles
The DPA carried out an investigation into the controller’s processing on its own behalf, after receiving information from the police. The controller is the Kymenlaakso Joint Municipal Authority for Health and Social Services Kymsote. It assesses families that plan to be foster parents for their eligibility. During this procedure, the controller requires parents to file an access request to the police pursuant to Section 23 of the (Finnish) Criminal Data Protection Act, to see if there is a criminal record or status report on (one of) the parents. Such a report would contain valuable information for the controller’s assessment, for example whether someone has been arrested for drunk driving. Then, in the presence of the parents, the controller’s coaches would check the reports for any absolute obstacles to becoming a foster parent. The controller claimed that this information is absolutely necessary for the assessment. The DPA assessed whether the controller’s processing was in accordance with the GDPR. First, the DPA considered that the reports contain personal data relating to criminal convictions and offences, and therefore Article 10 GDPR applies. Moreover, it noted that the controller carries out a task in the public interest, and the controller can, in principle, rely on Article 6(1)(e) GDPR. However, the DPA also considered that pursuant to Article 6(2) GDPR, Finnish legislation contains a more detailed provision that regulates the processing of personal data pursuant to Article 10 GDPR, in Section 2(1)(3) of the Act (504/2002) on Criminal Background Check of Persons Working with Children. Moreover, it found that this legislation creates a proportionate and appropriate procedure for checking the criminal background of persons working with children. Second, the DPA considered that the purpose of a data subject's access request is not to provide a public authority with information that the data subject obtained from it. As stated, there was a proportionate and
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Social and Health Services in Kymenlaakso (Kymsote) in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Social and Health Services in Kymenlaakso (Kymsote) - Finland (2022). Retrieved from cookiefines.eu
Last updated: