Finland: Data Protection Ombudsman fines Finnish Meteorological Institute for data transfer violations

The Office of the Data Protection Ombudsman has fined the Finnish Meteorological Institute (FMI) for violations of Articles 35, 44 and 46 of the GDPR. The decision was based on a data breach notification that FMI submitted to the Ombudsman.
The Ombudsman’s investigation began after the report of a data breach, caused by a security incident at FMI, that involved the personal data of 330,000 people. During the investigation, FMI was found to have used Google Analytics and reCAPTCHA on its website.
The Ombudsman found that by using Google Analytics and reCAPTCHA services, FMI transferred personal data to the US without a valid basis for transferring such data, in breach of Articles 44 and 46 of the GDPR. The Ombudsman found that, following the revocation of the EU-US Privacy Shield, and because sufficient additional measures to ensure adequate protection of personal data had not been implemented, FMI should have suspended the transfer of data to the US.
In addition, the Ombudsman found that FMI had not complied with its obligation to carry out a data protection impact assessment (DPIA) under Article 35 of the GDPR, in respect of its international data transfers involving the use of the aforementioned tracking technologies.