Hello, privacy pros.

Greetings from the Nordics! You know that summer is coming when the nights become lighter. Soon the sun won’t go down at all.

I have been working from home since mid-March, and all of us have needed to adjust to new circumstances — a new normal. Everything works well except meetings. I have learned how much I miss my colleagues at the office, other colleagues in town and privacy pros all over the globe. My plan was to meet many of you this spring at the IAPP conferences, but COVID-19 decided otherwise.

Luckily, we had a wonderful "Nordic tour" with IAPP President and CEO J. Trevor Hughes just before everything closed down. In February and March, we had a chance to meet several privacy pros and all the Nordic regulators, as well as many professors and other local professionals in the Nordic countries. Thank you all for the great talks and wonderful meetings. A huge thanks also to all chapter chairs for organizing KnowledgeNet meetings while we were in town.

During our tour, we had interesting talks with the regulators in Denmark, Sweden, Finland and Norway. We learned they have been very busy in recent years, not only with reorganizing their operations, but also with building new internal processes to handle cases, as well as learning about international cooperation with other regulators. Thank you all for your time, insights and interesting discussions!

The Finnish DPA has been one of the last regulators to not have imposed any monetary fines under the GDPR. Last week — just before the second anniversary of the GDPR — it finally imposed its first fines. Not just one, but three at the time. This is a historic moment for the Finnish regulator and local data protection community. Interestingly, two out of three decisions dealt with employee workplace privacy.

One of the cases concerned job applications whereby an employer was collecting unnecessary personal data of applicants. The employer had also failed to draft proper documentation under Article 30. The other case involved processing location data through a car’s trip computer, without first conducting a proper DPIA under Article 35. What is interesting in both cases is that the amount of the fine was about 0.08% of their annual global revenue. In both decisions, the DPA also highlighted that "not knowing" or "not properly understanding" the GDPR’s requirements was no excuse and had no impact on assessing the amount of the fine. Also, there has been enough time (almost two years) to make sure that organizations comply with the GDPR.

I think this is a strong message for everyone out there — there has been enough time to prepare and DPAs are expecting that you understand what is required!

The third case concerned providing proper information under Article 13. The Finnish DPA received several complaints during the past three years about the same matter and eventually imposed a fine of about 0.16% of its annual global revenue on the data.

It is important to note that none of the decisions are final and at least one of the organizations has already publicly stated that they are going to appeal.

This is a great example of regulators working hard despite the circumstances. It is also very good that the case law will start building — case-by-case. The Finnish DPA has publicly stated that there are more decisions coming out this week while I am writing these notes but unfortunately not on time for my deadline. So, keep an eye on Finland and other Nordic countries, as well!

Let’s stay safe, and let’s stay in touch! I am looking forward to seeing many of you once we are done with COVID-19 ... so long until then!