Jamk University of Applied Sciences – €25,000 Fine (Finland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Jamk University of Applied Sciences in Finland was fined €25,000 for requiring employees to share their location data to use a work app. This matters because collecting unnecessary data can breach privacy laws. The Finnish data protection authority found that the university's practice violated the principle of data minimization.
What happened
Jamk University of Applied Sciences required employees to enable location data on a work app without a valid necessity.
Who was affected
Employees using a mobile app to log their working hours were affected by the unnecessary collection of their location data.
What the authority found
The Finnish data protection authority concluded that the collection of location data was unnecessary for the app's purpose, violating GDPR's data minimization requirement.
Why this matters
This ruling highlights that consent alone is not enough if data collection is not necessary. Organizations should ensure their data practices align with privacy laws to avoid penalties.
GDPR Articles Cited
National Law Articles
The Finnish DPA was notified that Jamk University of Applied Sciences (the controller) unnecessarily processed the location data of its employees. The DPA then asked the controller to explain the purpose for which it processed the location data of its employees. In response to the request, the controller clarified that it used a third-party mobile application that allowed remote employees to record their working hours. The controller explained that the use of the app also required location data to be enabled by default. The controller emphasised that it did not actively use the location data, but only processed it for system technical reasons. The controller also stated that the use of the app was voluntary. If the employee had chosen to use the app, the processing was based on the data subject's consent. The controller noted that the use of the app was also in compliance with [https://www.finlex.fi/fi/laki/ajantasa/2004/20040759#L2P3 Section 3 of the Finnish Act on the Protection of Privacy in Working Life], according to which the employer may only process personal data that is directly necessary for the employee's employment relationship. On the basis of the information provided by the controller, the DPA considered that the mere fact that the app does not allow the recording of working hours without processing location data did not make the processing necessary. The DPA noted that it was possible to record working hours without processing location data. The DPA also emphasised that according to [https://www.finlex.fi/fi/laki/ajantasa/2004/20040759#L2P3 Section 3 of the Finnish Act on the Protection of Privacy in Working Life], no exceptions to the necessity requirement can be made, even with the consent of the employee. The DPA found that consent does not override the necessity requirement under the Finnish Act on the Protection of Privacy in Working Life. Therefore, the data subject's consent cannot serve as a legal basis for collecting unnecessary personal da
Related Enforcement Actions (0)
No other enforcement actions found for Jamk University of Applied Sciences in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Jamk University of Applied Sciences - Finland (2021). Retrieved from cookiefines.eu
Last updated: