City of Helsinki – Violation Found (Finland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The City of Helsinki allowed user profiles to be publicly searchable, exposing the names of 124,000 residents. This failure to protect personal data violated privacy rules. It highlights the importance of securing user information on online platforms.
What happened
The City of Helsinki made user profiles searchable and viewable by anyone without proper security measures.
Who was affected
Residents of Helsinki who registered on the participatory budgeting platform were affected.
What the authority found
The Finnish DPA found that the City of Helsinki violated GDPR by not implementing necessary security measures to protect personal data.
Why this matters
This case emphasizes that organizations must ensure user data is secure and not publicly accessible. It serves as a warning for other online services to strengthen their data protection practices.
GDPR Articles Cited
The Finnish DPA was notified that through the search function of an online service operated by the City of Helsinki (the controller), it was possible to see the names of all persons registered with the service. The DPA then asked the controller to explain how it had implemented appropriate technical and organisational measures to ensure the security of the processing.
In response to the request, the controller clarified that the service in question was a participatory budgeting platform where city residents could discuss the development of the city and suggest things they would like to see in their own residential area. Following the DPA's request, the controller had discovered a data breach in relation to the platform. The controller stated that the user profiles of all 124,000 people registered on the platform had been publicly searchable and viewable by default through the platform's own search function. The profiles had also been viewable through Google Search and had displayed at least the first and last name of the users.
The controller also noted that all profiles had been deleted and the possibility to register on the service had been closed. In addition, the controller had disabled the search function of the service and requested Google to remove the search results from Google Search.
On the basis of the information provided by the controller, the DPA considered that, given the nature of the service, it could not be considered necessary that the user profiles had been publicly searchable and visible to all through the platform's own search function. The DPA found that the controller had not implemented any technical or organisational measures to prevent third parties from accessing data to which they should not have access. On the basis of the information gathered, the DPA held that the controller violated Article 25(2) GDPR and Article 32(1) GDPR by making the user profiles and related personal data searchable and viewable by anyone. As a result, t
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (3)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for City of Helsinki in FI
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. City of Helsinki - Finland (2023). Retrieved from cookiefines.eu