Machine translations by Deepl

Finnish privacy authority confirms residents' right to privacy at the front door

Residents of flats in a block of flats have, in principle, the right to enter their own homes unprotected. This was confirmed by the Finnish privacy authority on 29 July 2020 in a case brought by Arnhem-based privacy activist Michiel Jonker.

The installation of an electronic system that monitors with which address-linked and chipped key which door is opened at what time violates the AVG, according to Finnish privacy watchdog Tietosuojavaltuutettu (Finnish Data Protection Ombudsman).

This is a Finnish building with small flats in which both tenants and owners live. In 2018, the Owners' Association (CoE) had decided to install the electronic surveillance system on all external entrances to the building. The intention was to also connect all individual flats to the system. The system is managed by a hired company and would only be accessed on the instructions of the police, whether or not at the request of the VvE board.

This was prompted by some incidents which, according to the board, revealed that former residents had been in the basement of the building and had left traces there. It was suspected that they had used keys that had not been delivered. According to the VvE board, no personal data were processed, as the new, electronic keys, although address-related, were not personal.

Jonker objected to the system, arguing that the need for such monitoring had not been demonstrated. The association had not given a legal basis for the data processing. Tenants had also not been consulted, meaning a large group of residents had not given their consent. Jonker did consider the processed data traceable to individuals, especially in the case of single-person households.

The Finnish privacy authority ruled in Jonker's favour on all these points, pointing out that the Finnish legislation relating to the decision-making of CoEs does not constitute a free pass for decisions in violation of the AVG. The authority also pointed out that a landlord cannot consent to the processing of personal data on behalf of a tenant. Furthermore, the authority pointed out that a consent to the processing of personal data can be withdrawn by any data subject (whether a tenant or an owner) at any time, in accordance with the AVG.

The authority stressed that the interest of a third party (e.g. the police) could not justify data processing under the responsibility of the association. Finally, the authority pointed out that the VvE had erroneously failed to examine alternatives that would not be an invasion of privacy or would be less invasive, including replacing analogue keys with new analogue keys.

The privacy authority ordered the VvE to bring its handling of personal data in line with the AVG.

Jonker: "It was a strange, new experience for me to be vindicated by a privacy authority without the intervention of a judge. In the Netherlands, I have never experienced that with the Personal Data Authority. Nor was it without a fight in Finland, by the way. After waiting two years for my case to be heard, I filed a complaint there with the so-called Parliamentary Ombudsman. A few days later, the Finnish privacy authority started working on it after all, and took a decision two months later. There is also a shortage of staff capacity at the privacy regulator in Finland, which means that the decision deadlines of the AVG are structurally not met. But I am satisfied with the substance of this decision. Of course, the key now is for the CoE to actually implement the privacy authority's order."

Contact requests for Mr Jonker can be made through Privacy First Foundation. Click here for the full verdict From the Finnish privacy authority (in Finnish).