On 13 November 2024, the Finnish Data Protection Authority (DPA) ruled against Posti, Finland’s postal service, for breaching data protection regulations. The authority imposed an administrative fine of 2.4 million euros, issued a reprimand, and ordered the company to revise its practices in line with the General Data Protection Regulation (GDPR). This case highlights the importance of ensuring transparency, consent, and data protection by design in electronic services.

The investigation into Posti’s practices began after the Finnish DPA received complaints regarding the unauthorized forwarding of customer correspondence to Posti’s electronic mailbox service. Customers reported that their letters were being transferred to this online platform without their explicit consent, prompting the DPA to examine the lawfulness of these actions under GDPR provisions. The Finnish SA uncovered multiple violations in Posti’s handling of personal data:

Automatic Creation of Electronic Mailboxes. Posti automatically generated electronic mailboxes for its customers without a separate request. It linked this service to a broad range of offerings without seeking explicit consent. Customers could not opt out of the electronic mailbox without discontinuing the other connected services, effectively denying them a choice.

Lack of Clear Information. The investigation found that Posti failed to clearly inform its customers about activating the electronic mailbox. The activation process lacked transparency, leaving customers unaware of how their data was being used.

Non-Compliant Technical Settings. The electronic mailbox service also included technical features that violated data protection principles. For instance, the service employed an automatically activated selector function and used pre-ticked checkboxes, which do not comply with GDPR’s active and informed consent requirements.

Failure to Incorporate Data Protection by Design. Posti did not adhere to the principle of data protection by design and by default. The DPA determined that the requested postal services could have been provided without the automatic creation of electronic mailboxes, demonstrating that the company processed unnecessary personal data.

Based on these findings, the DPA fined Posti 2.4 million euros for unlawful data processing, specifically breaching Articles 5 and 6.1 of the GDPR. The authority also issued a reprimand for Posti’s failure to adequately inform customers, in violation of Article 13 of the GDPR. Posti was directed to correct its practices and ensure that electronic services only process necessary personal data in accordance with Article 25 of the GDPR.

This decision underscores the importance of upholding GDPR principles when offering digital services. Organizations must ensure transparency, seek explicit consent, and incorporate data protection measures from the initial stages of service development. The case against Posti serves as a reminder for businesses across sectors to prioritize customer rights and privacy in all aspects of data handling.