On April 29, 2026, Finland's Supreme Administrative Court issued a ruling that reverses a lower court's finding and clears the Järvenpää parish of a GDPR violation over an election letter sent to church members in 2022. The decision, catalogued under reference KHO:2026:28, carries implications well beyond Finland's borders. It addresses one of the more technically contested corners of European data protection law: when does indirectly revealed information about a person's religious affiliation qualify as a special category of personal data under Article 9 of Regulation (EU) 2016/679, and under what conditions can such data be processed without infringing the regulation?

The case originated when a data subject referred the matter to Finland's Office of the Data Protection Ombudsman. The complaint concerned a voting envelope sent by the Järvenpää parish ahead of the 2022 Finnish parish elections. Advance voting ran from November 8 to 12, 2022, with election day on November 20, 2022. The envelope displayed the recipient's name and address, identified the sender as the Järvenpää parish, and bore printed text that referenced the parish elections, including a campaign-style line and the phrase "Evangelical Lutheran Church of Finland." Anyone handling the envelope - including, as the data subject pointed out, a spouse sharing the same household - could reasonably conclude that the addressee was a church member.

The administrative journey

On December 12, 2023, the Deputy Data Protection Ombudsman found no violation. According to that decision, the parish had a valid legal basis for processing the personal data of church members when informing them of their right to vote. The distribution had been handled by Posti - Finland's postal operator - acting as a data processor, whose employees carry a statutory duty of confidentiality under Sections 62 and 63 of the Finnish Postal Act. Voting in parish elections is described in the decision as an essential right of church membership, and the parish bore an obligation to ensure that voting information actually reached eligible voters.

The data subject appealed to the Helsinki Administrative Court, which reversed that finding in a decision dated February 11, 2025. The Administrative Court concluded that the envelope's text was not strictly necessary to achieve the purpose of delivering voting information. The church membership information could have ended up with people living in the same household as the addressee, and that risk could have been avoided by placing only neutral text on the outer envelope and including all identifying content inside. The court held that the parish had failed to comply with the data minimisation principle under Article 5(1)(c) GDPR and had not satisfied the conditions in Article 9(2)(d).

The Järvenpää parish sought leave to appeal to the Supreme Administrative Court. The Deputy Data Protection Ombudsman supported the request. The Supreme Administrative Court granted the leave, examined the matter, and on April 29, 2026, annulled the Administrative Court's decision. The original decision of the Deputy Data Protection Ombudsman was reinstated.

What the Supreme Administrative Court found

The court's analysis proceeded in two stages. First, it determined whether the envelope contained special categories of personal data within the meaning of Article 9(1) GDPR. Second, it assessed whether that data had been processed lawfully under Article 9(2)(d).

On the first question, the court confirmed that the envelope did disclose special category data. Membership in the Evangelical Lutheran Church is not a direct expression of a person's religious views, but neither is it irrelevant to those views. It can enable conclusions about a person's religious beliefs, even if only with a degree of probability rather than certainty. The court cited case law from the Court of Justice of the European Union - specifically Case C-184/20 (Vyriausioji tarnybinės etikos komisija) and Case C-21/23 (Lindenapotheke) - for the proposition that Article 9(1) cannot be interpreted as excluding data that may reveal sensitive information indirectly. Information classified within the article's scope includes data that concerns a person only with a certain probability, not absolute certainty.

That said, the court introduced a critical qualification. In terms of sensitivity, information about membership in the Evangelical Lutheran Church is not comparable to data that directly expresses religious views or practices. The Supreme Administrative Court stated explicitly that processing this type of data does not constitute as serious an interference with the rights of the data subject as processing of data within the meaning of Article 9(1) typically implies. The degree of sensitivity matters when assessing whether safeguards were appropriate and whether the interference with fundamental rights was proportionate.

On the second question - lawfulness - the court examined Article 9(2)(d), which permits processing of special category data in the context of the legitimate activities of a religious community, provided the processing concerns only members or former members, and that personal data will not be disclosed outside the community without the data subject's consent. The court found that all these conditions were met. The processing concerned church members only. No disclosure to third parties outside the permitted scope was found to have occurred.

The proportionality assessment

The more substantive portion of the ruling engages with proportionality - whether the manner of processing was justified given the nature of the data and the purpose it served.

The court identified the purpose as twofold: carrying out the parish elections provided for in the Church Act, and fulfilling the parish's duty to inform members of their right to vote. The elections exist to implement ecclesiastical democracy and ecclesiastical self-government. The court noted that a similar approach - placing identifying information on the outer envelope - is used in non-religious elections in Finland, equating the practice with a publicly familiar norm.

Critically, the court assessed whether the purpose could reasonably have been achieved by other means. The data subject had proposed that the parish use a plain white envelope with no text linking it to a religious community. The court found it could not be established that this alternative would have achieved the same level of effectiveness in separating voting information from other mail and ensuring recipients actually noticed and opened the letter. The information on the envelope - indicating that the letter concerned a right to vote - was, according to the court, essential and necessary for the purpose pursued.

The fact that household members might have seen the envelope was acknowledged. The court did not dismiss that possibility. But it concluded that this circumstance, which the addressee could also have influenced through their own actions, was not, by itself, sufficient grounds to require that all identifying information be hidden inside a sealed envelope. The court weighed three factors together: the relatively lower sensitivity of church membership data compared to direct expressions of belief, the legitimate democratic purpose of the processing, and the limited practical risk created by sending the letter by post via a confidentiality-bound postal operator.

Assessed as a whole, the court found that the processing had been carried out with appropriate safeguards and did not breach GDPR.

The ruling engages with several interlocking provisions of the GDPR. Article 9(1) establishes the general prohibition on processing special categories of data, including data that reveals religious beliefs. Article 9(2)(d) creates a carve-out for religious organisations operating within their legitimate activities. Article 5(1)(c) - the data minimisation principle - requires that data be adequate, relevant and limited to what is necessary for the purposes for which it is processed. Article 5(1)(f) requires processing that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss.

Recital 4 of the GDPR provides broader context that the court invoked: the right to protection of personal data is not absolute and must be assessed in relation to its role in society, being subject to the principle of proportionality and potentially weighed against other fundamental rights. Recital 51, also referenced in the case documents, notes that exceptions to the general prohibition on processing special category data should apply, among other circumstances, where processing occurs in the context of legitimate activities carried out by certain associations for the purpose of enabling the exercise of fundamental freedoms.

The case also intersects with Article 20(2) of the Finnish Act on the Openness of Government Activities, which the court cited to underline the parish's obligation to ensure that information about voting rights genuinely reaches those entitled to them.

Significance for data controllers

The ruling does not grant religious organisations - or any other type of data controller - blanket permission to display membership information on postal materials. What it does is clarify a methodological approach for assessing Article 9 compliance: the degree of sensitivity of the specific data type matters when evaluating the adequacy of safeguards, and proportionality must be assessed against the concrete purpose pursued, not an abstract worst-case interpretation of data exposure.

The Administrative Court had applied a strict, arguably formalistic reading of data minimisation: if the information was not strictly necessary on the envelope, it should not have been there. The Supreme Administrative Court introduced nuance. Data minimisation does not require controllers to choose the most privacy-protective option in all cases; it requires that data processing be limited to what is necessary for the stated purpose. If the purpose cannot reasonably be achieved without the information, and the information has been processed with appropriate safeguards, the principle is satisfied.

This distinction has practical implications for direct mail operations, voter and member communication programmes, and any context where an organisation must communicate with its members using identifying materials that may incidentally reveal membership status. The case also adds to a growing body of European case law on the boundaries of Article 9(1), alongside CJEU rulings that have extended its reach to indirectly revealing data.

The broader GDPR landscape is in flux. The European Commission has proposed amendments through the Digital Omnibus initiative that would, among other things, restrict Article 9(1) protections to data that "directly reveals" sensitive characteristics - a narrower formulation than the current broad interpretation applied by the CJEU and now confirmed by Finland's Supreme Administrative Court. The European Data Protection Board and European Data Protection Supervisor have strongly opposed those proposed changes, warning that narrowing the personal data definition would create new legal uncertainties. The Finnish ruling sits squarely in this unresolved debate, applying the existing broad standard rather than the Commission's proposed narrower one.

Other national courts have been working through similarly granular questions. A Polish Supreme Administrative Court ruling in October 2025 examined whether business name and address information constitutes personal data, concluding that practical identifiability - not theoretical possibility - determines GDPR applicability. The Court of Justice's September 2025 judgment in EDPS v SRB established that pseudonymised data may not qualify as personal data for a recipient who lacks the means to re-identify individuals. Together, these rulings form a patchwork of national and supranational guidance on the outer edges of the regulation's scope.

Costs dismissed

The Supreme Administrative Court also addressed the data subject's claim for reimbursement of legal costs. Given the outcome, that claim was dismissed. According to Article 95 of the Finnish Law on Administrative Procedure, no compensation for the costs of the proceedings was payable to the data subject in the circumstances of this case.

The case was decided by President Kari Kuusiniemi and Justices Petri Helander, Tuomas Kuokkanen, Taina Pyysaari, and Toni Kaarresalo. The rapporteur was Elina Ranz. The case number at the Helsinki Administrative Court level was 827/2025. The ECLI identifier for the Supreme Administrative Court ruling is ECLI:FI:KHO:2026:28, volume number 1145, reference number 563/2025.

Summary

Who: The Järvenpää parish (controller), an unnamed data subject (complainant), the Finnish Deputy Data Protection Ombudsman, the Helsinki Administrative Court, and the Supreme Administrative Court of Finland, whose decision panel included President Kari Kuusiniemi and four justices.

What: Finland's Supreme Administrative Court ruled on April 29, 2026, in case KHO:2026:28, that a parish election envelope which revealed the recipient's church membership constituted special category personal data under Article 9(1) GDPR, but that the data had been processed lawfully and with appropriate safeguards under Article 9(2)(d). The ruling reversed the Helsinki Administrative Court's finding of a GDPR violation and reinstated the Deputy Data Protection Ombudsman's 2023 decision clearing the parish.

When: The election envelope was sent ahead of the November 2022 parish elections. The Ombudsman's first decision was issued December 12, 2023. The Administrative Court's reversal came February 11, 2025. The Supreme Administrative Court issued its final ruling on April 29, 2026.

Where: Finland. The Järvenpää parish is located in Järvenpää, a town north of Helsinki. The proceedings ran through the Office of the Data Protection Ombudsman, the Helsinki Administrative Court, and the Supreme Administrative Court.

Why: The case tested whether a church was required to use a neutral, unmarked envelope when mailing voting information to members, given that the envelope's appearance disclosed membership in the Evangelical Lutheran Church. The Supreme Administrative Court concluded that the processing was necessary to fulfil the parish's democratic and legal obligations, that church membership data in this context carries a lower degree of sensitivity than direct expressions of religious belief, and that the postal handling arrangement provided adequate safeguards - making the processing compliant with GDPR overall.
