Photographer: Outi Kainiemi
Author: Maiju Haapaniemi, Translation: Apropos Lingua

The employer may only process necessary personal data

The employer may not process just any kind of personal data, nor for just any purpose.

When processing the personal data of their employees, employers must adhere to regulations and legislation such as the Finnish Act on the Protection of Privacy in Working Life (hereinafter Privacy Protection Act, PPA) and the EU’s General Data Protection Regulation (hereinafter GDPR). The collection of personal data in conjunction with hiring and during the employment relationship is permitted as part of the co-operation procedures described in the Co-operation Act. 

The PPA contains some more detailed instructions on how an employee’s health records are processed. However, neither the PPA nor the GDPR contain a full list of the types of personal data that the employer may process as part of an employment relationship.

What needs to be processed may be processed

In this context, one of the most crucial legal rules is the necessity requirement described in the PPA. It decrees that personal data may only be processed if it is immediately necessary for the fulfilment of the employee’s employment relationship. The processed personal data must concern the fulfilment of the rights and responsibilities of the involved parties, or benefits provided by the employer, or the data must be required by the special requirements of the employee’s work tasks.

The employer may not collect or process any personal data that does not meet this necessity requirement, even with the employee’s consent!

The necessity of the data must always be evaluated case by case, based on the work tasks involved, the employer’s field of operations and other such conditions. As a rule, it is the employer’s responsibility to define what personal data items are necessary for that particular employment relationship.

If the employer fails to define which personal data items are necessary, or processes personal data that cannot be considered necessary, the data protection ombudsman may intervene or even issue the employer a penalty for the unnecessary collection of personal data.

Personal data should never be collected just in case, but all collection of personal data should have a statutory basis and be for a specific purpose.

Important principles of privacy

The data protection principles defined in the GDPR must be adhered to whenever personal data is processed – including in employment relationships. First of all, personal data must always be processed lawfully, appropriately and in a manner that is transparent to the employee.

The employer must tell their employees, in a clear and understandable manner, how their personal data is being processed. The employees must know what personal data is collected about them, the purposes for which this data is being processed and what kind of rights they have regarding the processing of the data. This information must be readily available to employees in a clear and understandable form.

Personal data must be collected and processed only for a certain specific and lawful purpose. In other words, the personal data collected from employees may only be used for the specific purpose for which it has been collected.

If an employee’s personal data has been collected for the purpose of fulfilling their professional duties, the employer may not use the data for direct marketing, for example. Publishing the personal data of employees on the employer’s website may be considered necessary and appropriately justified in relation to the fulfilment of the employees’ work tasks.

As an employment relationship comes to a close, the employee has the right to demand the closure of their work-related email address, since the termination of the employment agreement usually means that there is no longer a lawful basis for the processing of the employee’s company email account.

Personal data may be collected only in such amounts, and stored only for as long, as is necessary for the fulfilment of the purpose for which it was collected. The employer must also ensure the accuracy and correctness of the data.

Furthermore, the employer is responsible for finding out and defining how the collected personal data can be processed confidentially and securely, taking into account the conditions and the risks involved in data processing.

The employer is responsible for the processing of data

If you doubt whether personal data is being processed in accordance with the aforementioned rules and principles, you should first ask your employer for more information about your company’s adherence to them. TEK’s lawyers can help you identify problems and, if necessary, resolve the situation together with your employer.

If it appears that the employer will not adhere to rules and regulations in the processing of personal data despite your best efforts to resolve the situation, you could also ask the supervising authority, the data protection ombudsman, for advice. An employee has the right to bring a matter to the data protection ombudsman if the employee considers that their personal data is being processed in an unlawful manner.

The rights of the data subject defined in the GDPR also protect employees. Among other rights, the data subject has the right to be informed of how their personal data is processed and to gain access to the data collected about them.

According to the GDPR, the employer is responsible for possible damages incurred by the employee as a result of inappropriate and unlawful processing of their personal data. If a private sector employer breaches the GDPR, they might incur an administrative penalty as described in the Regulation. The employer or a representative of the employer may also be issued a fine for breaking the Act on the Protection of Privacy in Working Life.

The author works as an employment lawyer at TEK.
 

TEK members enjoy a comprehensive range of legal services

Legal advice is available both in person and through a flexible 24/7 online service. The TEK legal advisors will:

  • review draft employment and management contracts,
  • help with various employment issues,
  • advise on aspects of family and inheritance law,
  • help self-employed members in establishing a business, drafting agreements and other issues,
  • manage employment disputes and advise members involved in co-operation negotiations and other special situations.

The eLawyer service also provides answers to the most common legal questions. Also check out the TEK legal information pages and FAQ at www.tek.fi/en/legal.
