Taksi Helsinki – €72,000 Fine (Finland, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Following the investigations carried out in November 2019 on Taksi Helsinki’s processing, the Tietosuojavaltuutetun toimisto found several serious GDPR violations regarding the processing of customers’ audio and video personal data.

The Tietosuojavaltuutetun toimisto raised six data protection law issues regarding the processing of both audio and video data, which can be summarised as follows:
- Does the controller process audio and video data for security purposes in accordance with Article 6(1)(f) GDPR?
- Does the controller process audio and video data in accordance with Article 5(1)(c) GDPR?
- Does the information provided to data subjects regarding the security camera and the automated decision-making process comply with Article 12 GDPR?
- Did the controller identify the actors playing a role in the processing, with respect to Articles 4(7), (8) and Articles 26, 28 GDPR (processor, controller, joint controllership)?
- Did the controller maintain a record of processing activities according to Article 30 GDPR?
- Did the controller perform a data protection impact assessment prior to the implementation of the security camera system, as prescribed under Article 35 GDPR?

First, the Tietosuojavaltuutetun toimisto decided that the controller was not able to demonstrate that the processing of video and audio data for security purposes complies with Article 5(1)(a) and Article 6(1)(f) GDPR. Thus, the controller failed to comply with the accountability principle under Article 5(2) GDPR.

Second, the data protection authority pointed out that the recording of images and sound in all of the company’s cars did not comply with the principle of data minimisation under Article 5(1)(c) GDPR. The recording of the image would have fit the purposes of safety and the investigation of criminal offences and damages which might have occurred, as claimed by the controller.

Regarding the information to be provided to the data subjects, the data protection authority ruled that sever
Related Enforcement Actions (0)
No other enforcement actions found for Taksi Helsinki in FI
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 May 2020
Authority
DPA Tietosuojavaltuutetu
Fine Amount
€72,000
Enforcement Tracker ID
ETid-283
GDPRhub ID
gdprhub-2418
Cite as: Cookie Fines. Taksi Helsinki - Finland (2020). Retrieved from cookiefines.eu