Visit fondia.com
The content concerns Finnish legislation.
 

Processing of Identification Data in Events of Misuse

Before processing identification data, a corporate subscriber shall, in order to prevent and solve misconduct, fulfill the following preconditions set on processing before processing:

Duty of care: A corporate subscriber must see to the security of its communications network as well as the instruction of users. The use of a communications networks or a service connected to it must be sufficiently blocked for third parties, in order to prevent unauthorized use or access to trade secrets. In addition to this, a corporate subscriber must give written instructions, which contain sufficiently exact instructions on the restrictions set on the use of the communications network, to the users of communication networks or communication services.

Duty of planning and cooperation: a corporate subscriber shall name the people whose duties involve identification data processing or define the duties involved or the operational units. A corporate subscriber acting as an employer must also, in accordance with the procedures in cooperation legislation, negotiate with employee representatives about the grounds, procedures, goals, purpose and effects of the processing of identification data. If an employer does not fall within the scope of cooperation legislation, it shall provide an opportunity for employees or their representatives to be heard.

Prior notification to the Data Protection Ombudsman:

In the notification the corporate subscriber presents a one-time report on the grounds and procedures used in the processing of identification data. In the report the purpose of processing and the controllers or duties, to which the processing is related to, as well as the grounds on which the unauthorized use is viewed to cause significant harm or damage or on which the corporate subscriber considers a trade secret to be central for its business activities. In the report it is also established, how the information given on the processing of identification data is organized, i.e. by attaching the written instructions given at the workplace to the report.

Processing of identification data in order to discover unauthorized use

The provisions of the Act on the Protection of Privacy in Electronic Communications entitle the corporate subscriber to process identification data under certain conditions, when the matter concerns the unauthorized use of an information society service or communications network or communications service that is subject to a fee. Unauthorized use of an information society service can be, for example, when a service priced according to the size of a company's staff is unrightfully distributed to a third party. Unauthorized use of a communication network or communication service may include the installation of a device, program or service on the corporate subscriber's communication network, the opening of unauthorized access to a third party or other comparable procedure contrary to the corporate subscriber's written instructions.

However, even in the situations mentioned above, identification data may only be processed if the unauthorized use causes significant harm or damage to the corporate subscriber. Such significant harm or damage may include, among other things, the increased costs or such use of data transmission capacity, a security threat or other similar reason that jeopardizes or slows down the use of the communications network or services for their intended purpose.

If the above-mentioned prior obligations have been fulfilled and the criteria for detecting unauthorized use are met and the matter cannot be resolved other without the processing of identification data, the corporate subscriber has the right to process the identification data through the use of an automatic search function. Automatic search is a continuous operation in which the system automatically retrieves deviations from the communication network based on certain predefined criteria, such as message size, amount of traffic, type, or target address.

Identification data may be processed manually if there are reasonable grounds for suspecting that the communication network or service is being used in breach of the instructions given and if

  • an anomaly has been detected in the message using the automatic search function;

  • the costs of using a paid information society service have become unusually high;

  • a device, program or service, installed without authorization, on the communication network is detected, or

  • for any other comparable reason, there is reason to suspect that unauthorized use is occurring.

Manual processing also requires that the data is necessary in order to investigate the unauthorized use and those responsible for it, and to put an end to unauthorized use.

Measures after the processing of identification data

The Corporate subscriber shall prepare a report on the manual processing of identification data, which shall indicate the grounds for the processing, the reason for switching to manual processing and the time and duration of the processing, the names of the processors involved and the person who decided on the processing. The report shall be provided to the person being processed once it can be done as soon without jeopardizing the purpose of the processing.

In addition, a corporate subscriber in the position of employer must provide an annual report on the manual processing of identification data to the employee representative. The report shall indicate the number of processing operations during the year and the reasons for them. The Data Protection Ombudsman will also be notified annually of the number of and grounds for manual processing. If identification data has not been processed manually during the past year, there is no need to notify the Data Protection Ombudsman. Ready-made notification forms can be found on the website of the Data Protection Ombudsman.