Pohjois-Savon sairaanhoitopiiri – Violation Found (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Finnish hospital district was found to have violated privacy rules by having location tracking enabled on employee laptops without necessity. Although the data wasn't used, the setting was against privacy principles. This case shows the importance of ensuring that unnecessary data collection features are disabled by default.
What happened
The Northern Savonia Hospital District had location tracking enabled on employee laptops without a valid need.
Who was affected
Employees of the Northern Savonia Hospital District whose work laptops had location tracking enabled.
What the authority found
The Finnish DPA determined that the hospital district violated privacy rules by not disabling unnecessary location tracking on laptops.
Why this matters
This case highlights the principle of 'data protection by default', reminding organizations to disable unnecessary data collection features in software used by employees.
On 19 August 2021, the Northern Savonia Hospital District (controller) notified the Finnish Office of the Data Protection Ombudsman (DPA) about a security breach. The notification stated that the "allow location data on this device" function on employees' portable computers running Windows 10 was automatically enabled, and that the employees could not change this setting. The controller did not use this location data for any purpose and, after an internal investigation, considered that no personal information was sent to Microsoft. Finally, on 14 March 2022, the controller confirmed to the DPA that it had disabled the location data function on the workstations.

The DPA assessed whether Windows 10's location function on employees' laptops complied with the "necessity" requirement under section 3 of the Finnish Act on the Protection of Privacy in Working Life (https://www.finlex.fi/fi/laki/ajantasa/2004/20040759#L2P3). Additionally, it checked whether this function followed the "data protection by default" principle under Article 25(2) GDPR.

The DPA held that because the controller collected the location data unintentionally and did not use it for any purpose, the processing was unnecessary and violated section 3 of the Finnish Act on the Protection of Privacy in Working Life, which imposes even stricter conditions than the principle of data minimisation under Article 5(1)(c) GDPR. Moreover, since the processing of location data was unnecessary, having Windows 10's location setting enabled and locked by the administrator violated the "data protection by default" requirement under Article 25(2) GDPR.

The DPA noted that the principle of "data protection by default" also requires that the controller, when using third-party software or firmware, ensures that functions for which there is no legal justification, or that do not correspond to the intended purposes of the processing, are disabled. Therefore, the DPA ordered
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
About this data
Cite as: Cookie Fines. Pohjois-Savon sairaanhoitopiiri - Finland (2022). Retrieved from cookiefines.eu