Ilmatieteenlaitos – Violation Found (Finland, 2023)
The Finnish Meteorological Institute was found to have illegally transferred personal data to the US using Google services without proper safeguards. The Finnish DPA reprimanded the institute and ordered it to delete the data. This case underscores the need for organizations to ensure data transfers comply with GDPR rules, especially after the Schrems II decision.
What happened
The Finnish Meteorological Institute transferred personal data to the US using Google Analytics and reCAPTCHA without proper safeguards.
Who was affected
Visitors to the Finnish Meteorological Institute's website whose data was transferred to the US.
What the authority found
The DPA found the data transfers violated GDPR because they lacked a lawful basis and appropriate safeguards.
Why this matters
This case highlights the importance of ensuring data transfers to non-EU countries comply with GDPR. Organizations using US-based services should review their data transfer mechanisms to avoid similar violations.
GDPR Articles Cited
The Finnish Meteorological Institute (the controller) used the Google Analytics and reCAPTCHA services, including cookies, on its website. Because Google is a US-based service provider, personal data of the controller’s website visitors, such as IP addresses and other information that could be used to identify a data subject, were transmitted to the United States through the use of the Google services in question.
After a website user first contacted the controller about the issue, the controller filed a data breach notification with the Finnish DPA in September 2022. According to the controller, the data breach started on 1 January 2010, and the number of data subjects affected was estimated to be 330 000. As a result, the controller disabled the Google services in question on its website in September 2022.
Pursuant to Article 44 GDPR, transfers of personal data to a third country can only take place if the controller and processor comply with the conditions set out in Chapter V GDPR. The DPA cited the “Schrems II” decision (C-311/18, https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=16647738) and held that the controller had infringed Articles 44 and 46 GDPR because the controller had 1) not established a lawful basis for the transfers in accordance with Chapter V GDPR and 2) not put in place appropriate safeguards for the transfers. Therefore, the controller had unlawfully transferred personal data of its website visitors to the United States by using the Google Analytics and reCAPTCHA services.
As a result, the DPA 1) issued a reprimand to the controller and 2) ordered the controller to delete all personal data that were transferred to the United States without a lawful basis. Because the controller had already disabled the Google services on its website, the DPA did not deem it necessary to order the controller to do the same and to bring the processing into compliance.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Ilmatieteenlaitos in FI
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Ilmatieteenlaitos - Finland (2023). Retrieved from cookiefines.eu