City X (Board for Growth and Learning) – Complaint Upheld (Finland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish data protection authority upheld a complaint against City X for making students' personal data too visible in their email system. The authority found this violated several GDPR principles. This case stresses the importance of limiting access to minors' data in educational settings.
What happened
City X made pupils' personal data widely visible in the MS Office 365 email system used in schools.
Who was affected
Pupils in primary and secondary schools whose personal data were visible to all users in the city.
What the authority found
The Finnish DPA decided that the city violated GDPR by not adequately protecting students' personal data and making it unnecessarily visible.
Why this matters
This decision highlights the need for educational institutions to carefully manage and restrict access to students' personal information. It serves as a reminder to review data protection measures in digital tools used in schools.
GDPR Articles Cited
A guardian complained to the DPA about the widespread visibility of pupils' personal data through the address book of MS Office 356 e-mail system that was used in primary education organised by the city. The personal data in question were a pupil’s 1) name, 2) role, 3) email address, 4) school and 5) grade level. The guardian argued that the personal data of pupils were visible to an unnecessarily large group for the purposes of organising education. The personal data of the pupils were visible in all primary and secondary schools in the city. The controller, which was the city organising the education, stated that it has a legal obligation to provide primary education. The controller argued that the implementation of MS Office 365 service is essential for organising primary education and to teach digital skills in schools in line with the national curriculum for primary education. Additionally, the controller argued, for example, that the visibility of the data in question is necessary, as identification of the right recipient before sending a message ensures data protection, integrity and confidentiality of the communication. The controller considered the risk of a messages going to the wrong person, when sending emails, to be greater than the risk of the information being visible to others. The controller also presented that messaging between pupils in different schools may occur for organising elective subjects, hobby and skills groups, and interdisciplinary learning units required by the curriculum. The guardian stated in their response to the controller, inter alia, that they are not opposed to the use of digital tools in education, but that the city had not justified why the personal data of minors should be visible to all users in all schools in the city. The DPA decided that the controller had violated Articles 5(1)(a), 5(1)(c), 5(1)(f) GDPR, and Article 25(2) GDPR when it made the personal data of pupils available in the address book of the e-mail syste
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for City X (Board for Growth and Learning) in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. City X (Board for Growth and Learning) - Finland (2023). Retrieved from cookiefines.eu
Last updated: