On June 10, 2025, the Finnish Data Protection Ombudsman published a decision (in Finnish) in which it found that the processing of personal data for enforcing parking violations was unlawful because the enforcement mechanism was not described in the parking rental agreement.  This recent decision is a striking example of how data protection and consumer protection law are increasingly intertwined.  The case demonstrates that the way in which customer services—and any related enforcement mechanisms for non-performance—are described in contracts is not just a matter of consumer transparency, but a legal requirement for the lawful processing of personal data under Article 6(1)(b) of the GDPR (“processing [that] is necessary for the performance of a contract”).

Background

In this case, persons who violated certain applicable rules for parking in a designated area (e.g., did not display a badge indicating their right to park), set out in a property rental agreement, faced collection actions for alleged parking violations from a third-party debt collection company.  However, the rental agreement made no mention of such enforcement of the rules or any requirement to display a parking permit.  Despite this, the debt collection agency processed the renter’s personal data to pursue contested parking fines.

Upon review, the Data Protection Ombudsman determined that the absence of any contractual provision pertaining to the enforcement of the parking rules in the rental agreement meant there was no lawful basis for processing the renter’s personal data for enforcement purposes.  In this case, the third-party debt collection company may not rely on Article 6(1)(b) of the GDPR (“processing [that] is necessary for the performance of a contract to which the data subject is party”).  From a contract law perspective, the agreement between the party renting out the parking spaces and the third-party debt collection company did not bind individual renters, as its terms were not referenced in the renters’ rental agreement.

Why Service Descriptions Matter in Contracts

While the General Data Protection Regulation (GDPR) requires a lawful basis for personal data processing, EU consumer law—specifically the Consumer Rights Directive (CRD) and the Unfair Commercial Practices Directive (UCPD)—requires that consumers receive clear, comprehensive information about the characteristics of products and services before entering into a contract.  This includes details on enforcement mechanisms, such as fines or collection actions, if they are part of the service.

  • The CRD (Directive 2011/83/EU) obliges traders to inform consumers about the main characteristics of services and any conditions for enforcement or termination before the contract is concluded.
  • The UCPD (Directive 2005/29/EC) prohibits misleading omissions, ensuring consumers are not left in the dark about key contract features.

If enforcement mechanisms are not clearly described and agreed upon, not only may the consumer’s right to information be infringed, but any data processing for enforcement purposes may lack a lawful basis under the GDPR.

Implications for Service Providers

For service providers, the key takeaways are:

  • Review and update contract templates to ensure that all enforcement mechanisms and data processing purposes for fulfilling and enforcing the contract are clearly described.
  • Before processing personal data to enforce contractual terms that have been breached, or for other purposes, verify that the contract with the consumer expressly covers these activities.

*              *              *

Covington & Burling continues to monitor and advise companies on navigating EU data protection law and its intersection with EU consumer protection law.  Please do reach out if you need assistance in these areas.

(This blog post was written with the contribution of Alberto Vogel.)

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.