Protection of privacy in working life
The most important Finnish legislation related to the processing of employees’ personal data is the Act on the Protection of Privacy in Working Life (759/2004). All processing of employees’ personal data must also comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) of the European Union. More information about the GDPR and its content is available on the website of the Office of the Data Protection Ombudsman at tietosuoja.fi. Provisions relevant for the processing of employees’ personal data are also included in the Personal Data Act (1050/2018) and many special acts.
The Act on the Protection of Privacy in Working Life applies exclusively to the relationship between employers and employees. It applies to all employees in contractual and public service employment relationships and to employees in comparable public-law employment relationships and, as appropriate, to jobseekers (both contractual and public service employment relationships).
The provision on the necessity requirement is the most important provision in the Act on the Protection of Privacy in Working Life. Employers are only allowed to process personal data directly necessary for their employees’ employment relationship. The data must be connected with managing the rights and obligations of the parties to the employment relationship or with the benefits provided by the employers for their employees, or the need to collect data must arise from the special nature of the work concerned. No exceptions can be made to the necessity requirement, even with an employee’s consent. The necessity requirement must be applied together with other provisions in the Act on the Protection of Privacy in Working Life. However, if there are specific provisions on the processing of certain types of data in the Act, the employers do not need to determine separately whether the data is directly necessary for the employment relationship.
General requirements for collecting personal data about employees and employers’ obligation to inform employees
Employers should in the first place collect personal data directly from the employee. This is the easiest way to ensure that employees know what kind of data is being collected. Personal data can be collected from other sources than the employee only with the employee’s consent. However, this consent is not required when a public authority discloses information to enable the employer to fulfil a statutory duty (e.g. distraint of wages) or when the employer acquires personal credit data in order to establish the employee’s reliability.
As a rule, employers have no right to acquire information from an employee’s criminal record or request a criminal record extract from an employee. There are separate provisions on checking the criminal background of persons working with children and on their security clearance.
An employer, who intends to acquire personal data on an employee for the purpose of establishing the employee’s reliability, must notify the employee of the matter before requesting the data. An employer, who intends to acquire personal credit data on an employee, must notify the employee of the register from which the credit data will be requested. If an employer retrieves personal data on an employee from a source other than the employee him/herself, the employer must notify the employee of this data before it is used in making decisions concerning the employee. Employers are obligated to take initiative to inform their employees. Employers as controllers must also ensure compliance with its obligations to provide information under Chapter III of the GDPR.
Health state information and personal credit data
The Act on the Protection of Privacy in Working Life contains restrictions on the processing of information concerning employees’ state of health and of their personal credit data. Employers may request a drug test certificate during recruitment or require a drug test certificate during an employment relationship only when the detailed conditions listed in the Act are met. Information based on general screening tests may not be processed.
The processing of information on the employee’s state of health (including drug test data) must observe the protective measures laid down in the Act. Controls and tests concerning employees’ state of health (including alcohol and drug testing) and the collection of samples must be performed by healthcare services.
Personality and aptitude assessments
The Act on the Protection of Privacy in Working Life lays down provisions on personality and aptitude assessments, too. Employees, who give their consent to testing, may be tested by means of personality and aptitude assessments to establish their capacity to perform the work in question or their need for training and other professional development. Employers must ensure that they use reliable assessment methods.
Camera surveillance and employees’ emails
According to the Act on the Protection of Privacy in Working Life, employers may operate camera surveillance at workplaces only for the purpose of
- ensuring the personal security of employees and other persons on the premises,
- protecting property or supervising the proper operation of production processes, and
- for preventing or investigating situations that endanger safety, property or the production process.
Camera surveillance may not, however, be used for the surveillance of a particular employee or particular employees in the workplace. Moreover, camera surveillance may not be used in lavatories, changing rooms or other similar places, in other staff facilities or in workrooms designated for the personal use of employees.
The Act provides In addition provisions
- for certain situations where camera surveillance can focus on a particular workstation,
- for additional conditions to ensure transparency when implementing camera surveillance and on the destruction of recordings and
- for detailed conditions for retrieving and opening employees’ electronic mail messages in situations where consent of the employee cannot be obtained.
By the cooperative procedure referred to in the Act on Cooperation within Undertakings and in the other Acts concerning Cooperation are governed
- the collection of personal data during recruitment and employment relationship,
- the purpose and introduction of and methods used in camera surveillance, access control and other technical monitoring of employees,
- the use of electronic mail and other data networks, and the processing of information concerning electronic mail and other electronic communications.
Law-drafting: Johanna Ylitepsa, johanna.ylitepsa(at)gov.fi