Finland's first GDPR sanctions have been imposed – reminder to employers
The General Data Protection Regulation (the "GDPR") came into force a little over two years ago, on 25 May 2018, and the first administrative fines were imposed in Finland in late May 2020. What is noteworthy is that in two out of the four decisions, the fines concerned violations in the processing of personal data of employees and job applicants.
Processing of employee's personal data
Under the Act on the Protection of Privacy in Working Life, the employer is allowed to process only such personal data of an employee as is directly necessary for the employee's employment relationship, i.e. data connected with 1) managing the rights and obligations of the parties to the employment relationship; 2) the benefits provided by the employer to the employee; or 3) the special nature of the work concerned. No exceptions can be made to the necessity requirement, not even with the employee's consent. Further, personal data of the employee must primarily be collected from the employee him- or herself. Collecting data from other sources generally requires the employee's consent.
In this case, the company had, during the recruitment process, collected information from job applicants on their place of birth, church, family relationships, defence training, military ranking, housing, start year of military service, duration of military service, spouse's name, spouse's occupation and job, children's years of birth, state of health and pregnancy.
According to the company, information on military training can be relevant for managerial duties, and contact information of the job applicant's close relative is necessary in case of an emergency. The company further stated that answering the data requests was voluntary.
The Data Protection Ombudsman acknowledged that information on military training can be relevant when assessing the applicant's suitability for managerial roles. Collecting such information from all job applicants is not, however, in line with the necessity requirement. Further, the Data Protection Ombudsman stated that the name, occupation and job of the job applicant's spouse are not necessary for the purpose of emergency contact information.
Additionally, the Data Protection Ombudsman concluded that the company did not have a lawful basis for collecting or processing information on place of birth, church, family relations, housing, spouse's name, spouse's occupation and job, children's years of birth, state of health and pregnancy. The Data Protection Ombudsman further noted that information on a data subject's church, state of health and pregnancy belongs to the so-called special categories of personal data, the processing of which is also prohibited by the GDPR. The Data Protection Ombudsman added that the fact that answering the data requests was voluntary is irrelevant, as no exceptions to the necessity requirement under the Act on the Protection of Privacy in Working Life can be made even with the employee's consent. Further, there is an imbalance of power between an employer and an employee, and a job applicant is comparable to an employee in this respect.
Processing of employee's location data
In the other case, the company had adopted a vehicle information system in 2017 and, since 18 December 2018, used location data from the system to monitor, for example, the employees' working time.
The Data Protection Ombudsman pointed out that processing of location data is likely to create a high risk to the employees' rights and freedoms, as employees are generally considered to be in a weaker position compared to their employer, and location data processed for the purpose of monitoring working time constitutes systematic surveillance. Based on the decision of the Data Protection Ombudsman, processing of the employees' location data is, as such, permitted. However, the non-compliance concerned the procedural requirements under the GDPR, including the data protection impact assessment and the requirements relating to privacy by design and privacy by default.
The company stated, among other things, that the non-compliance resulted from the fact that processing of location data had commenced before all relevant regulations had come into force and that the company did not have a correct understanding of the requirements under these regulations. The Sanctions Board concluded that such facts are irrelevant, as it is the data controller's responsibility to ensure compliance with applicable law.
What to learn?
As to the case on collecting personal information from job applicants, it may be safe to say that most employers are nowadays aware of the regulations on what information the employer is allowed to collect and process. However, this case serves as a good reminder to check that all data collection forms and other data collection systems are up to date and fulfil the legal requirements.
And, as we see from the other case, even if processing of certain data has been and still is allowed on the basis of local legislation, it must also fulfil the procedural requirements under the GDPR. Further, as employers adopt new information systems, it is important to carefully assess whether such systems involve processing of employees' personal data and whether such processing triggers any procedural requirements under local legislation or the GDPR. Systems based on fingerprints or other biometric data are good examples of new technology that could be at issue and that require a data protection impact assessment.