City of Espoo – Court Ruling (Finland, 2025)

The City of Espoo (controller) had implemented Google Workspace for Education in the primary schools under their remit. The controller relied on Article 6(1)(c) GDPR to do so, believing the measure necessary for compliance with their legal obligation to organise basic education. On 30th December 2021, the Finnish DPA held that Article 6(1)(c) GDPR did not provide a valid lawful basis for the processing in question, and the use of the e-learning platform was not in compliance with the GDPR. The DPA noted that processing based on the ground of legal obligation must explicitly refer to the nature and purpose of the processing. The DPA commented that the Basic Education Act does not refer to the nature of the processing or require the implementation of an e-learning platform, thus leaving the controller with significant discretion in fulfilling their obligation and rendering the use of this provision as a legal obligation inappropriate. During the investigation, the DPA also highlighted the fact that this processing operation involved the collection of large amounts of data (including sensitive data) of children who are vulnerable data subjects, both while they are at home and at school. Also, the amount of data processed was far higher than that which would be processed under a traditional pre-school education arrangement. Additionally, the controller had to accept Google’s standard terms and conditions which limited their ability to control the processing taking place. The DPA therefore concluded that the use of such an e-learning platform cannot be automatically considered necessary and proportionate to allow the controller to justify the processing without having performed a case-by-case assessment in light of their obligation to organise basic education. On 30th June 2023, the Administrative Court rejected the controller’s appeal against the decision. The Court reasoned that the Basic Education Act does not define the means of processing and thus leaves the cont