City of Oulu – Violation Found (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish DPA found that the City of Oulu's social and health authority improperly required foster parent applicants to provide personal data from the police. This violated GDPR rules because public authorities can't demand such information through access requests. The decision highlights the importance of lawful data processing by public entities.
What happened
The City of Oulu required foster parent applicants to provide personal data from the police, violating GDPR rules.
Who was affected
Applicants wishing to become foster parents in the City of Oulu were affected by this requirement.
What the authority found
The Finnish DPA ruled that the City of Oulu violated GDPR by improperly using access requests to obtain personal data from applicants.
Why this matters
This case emphasizes that public authorities must respect individuals' rights under GDPR and cannot misuse access requests to gather personal data. It serves as a reminder for public entities to ensure their data processing practices comply with legal standards.
GDPR Articles Cited
The Finnish DPA was notified that the social and health authority of the city of Oulu (the controller) had required persons applying to become foster parents to request access to their personal data processed by the police and to provide this information to the controller. The DPA had asked the controller to explain for what purpose it processed the personal data and why it required the data subjects to provide this information. In response to the request, the controller clarified that the information received from the police was required in the process of approving applicants as foster parents. The controller had to ensure that the conditions at the foster home were safe and stable and that the children placed in foster care received better care than at home. The controller claimed that the information about, among other things, domestic violence and disruptive behaviour was necessary because it hindered working as a foster parent. The controller stated that the police did not disclose the information based solely on the consent of the data subject. For this reason, it had become a practice to request the information directly from persons applying to become foster parents. On the basis of the information provided by the controller, the DPA considered that the processing of personal data in accordance with Article 4(2) GDPR also covers situations where the controller requires the data subject to disclose documents containing personal data and where the controller reviews them. The DPA stated that the objective of the right of access is the opportunity of the data subject to stay informed about the lawfulness of the processing and to confirm it. The DPA emphasised that public authorities may not require the data subject to provide them with information based on the data subject's access request, and thus may not use the right of access as a means of obtaining information. On the basis of the information gathered, the DPA held that the controller had violated Articl
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for City of Oulu in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. City of Oulu - Finland (2022). Retrieved from cookiefines.eu
Last updated: