Administrative fine of €2,4 million imposed by Finnish Data Protection Authority on Posti for unlawful processing of personal data
The National Center for the Protection of Personal Data (NCPDP), for information and enforcement purposes, communicates about the administrative fine of 2,4 million euro imposed by the Finnish Data Protection Authority (SA) on Posti for violation of Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject), Article 5 (Principles relating to processing of personal data) and Article 25 (Data protection by design and by default) of the GDPR.
The Finnish Supervisory Authority (SA) investigated the processing of personal data of Posti related to the creation of an electronic mailbox. The Finnish SA had received complaints about the forwarding of letters to Posti’s online service without the customer’s consent. The controller had automatically created an electronic mailbox for customers without a separate request. The electronic mailbox had been linked to a wider set of services. The investigation showed that the customer could not choose whether to use it or not, as the different services were linked together in a single contract.
Following the investigation, the Finnish SA found that the service requested by the customer could have been provided without the automatic creation of an electronic mailbox. The controller also did not inform its customers clearly about the activation of the electronic mailbox. There were also technical settings in the service that did not meet data protection requirements. These included an automatically activated selector function and a pre-ticked checkbox.
In this context, the Finnish SA imposed an administrative fine of €2,4 million on the controller for unlawful processing of personal data. At the same time, the controller was reprimanded for the shortcomings in informing the customers and was ordered to correct its unlawful practices and to take into account that electronic services must be built from the outset so that only necessary personal data is processed.
The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.