Rules Navigator

Finnish DPO fines Posti €2.4m for GDPR violations with electronic mailbox

elivery truck of the Posti group, the main Finnish postal service parked on the street in winter.
Photo: Getty Images

Martina Lindberg

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

The company allegedly illegally processed customer data when creating a new electronic mailbox for two million customers that haven’t requested the service.

Posti Jakelu Oy (Posti) has been ordered to pay a €2.4m ($2.5m) fine by the Sanctions Board of the Finnish Data Protection Ombudsman (DPO) for breaching GDPR with its Omaposti (Posti’s app for parcels and letters) service.

According to the DPO (Tietosuojavaltuutetun toimisto) Posti created electronic mailboxes for about two million registered users without having proper grounds or receiving requests from them to do so. Nor did Posti inform its customers of the purposes of the use of their personal data when creating and activating the mailbox – a violation of EU GDPR when processing their data for other things that they had agreed to.

The users were also not told that they were getting a mailbox, and the new service also linked users to other services such as mail resending and the Oma Noutopiste service without allowing them to opt-out of it.

Data Protection Commissioner Anu Talus said that the mailbox could have come as a surprise for customers, especially if they requested other services, and that they could have received emails without knowing – which could have led to issues with invoices.

Not properly informing users

Customers were also found not to have a choice in whether to use the OmaPosti mailbox or not because the services were linked to each other in one contract. And the mailbox could not be closed down without also closing the other services.

The DPO believes that requested services could have been implemented without an automatic creation of a mailbox, and argued that personal data cannot be used for other purposes than what’s asked for.

“Posti considers the authority’s decision on the alleged procedure in violation of the EU data protection regulation to be unfounded.”

Posti

Posti was also found to be failing to properly inform its users about receiving the mailbox – which had letters and invoices immediately going into it. The users were also told that they could continue to receive letters by mail if they wished, which was found to be incorrect and not possible as an option to choose.

“A digital society only works if it is based on trust,” Talus said, and emphasized the importance of how the technical solutions are implemented.

The DPO’s investigation also discovered that the OmaPosti service had technical settings that did not meet data protection requirements, with one example having an automatically activated selection switch and a pre-ticked selection box.

Posti to appeal the decision

Besides the €2.4m fine, Posti was also given a warning about its shortcomings, and ordered to correct its practises.  

The company has said that it will correct the settings so that receiving mail only electronically is no longer pre-selected, and announced that users will be able to choose whether to receive electronic copies of paper letters in the OmaPosti box.

“A digital society only works if it is based on trust.”

Anu Talus, Data Protection Commissioner 

However, Posti has responded that “OmaPosti is safe to use”, and has announced that it will appeal the decision.

“Posti considers the authority’s decision on the alleged procedure in violation of the EU data protection regulation to be unfounded. Posti has complied with the law and will bring the matter to court for a decision,” the company declared.

, , , , , ,

You may also like