An employer is allowed to handle the personal data of an employee only to such an extent as is necessary for the employment relationship. Provisions protecting the personal data of employees are given in the Act on Data Protection in Working Life.
The employer must collect personal data primarily from the employees themselves. The employer must determine why collecting the personal data is necessary for carrying out the employer’s duties, and this must be done in connection with the planning of the data collection. The employer may not retain any outdated or unnecessary data on employees.
The Act also addresses technological surveillance of employees, the employer’s right to retrieve and open e-mail messages in the employee’s personal e-mail, and cases when the employer is allowed to access an employee’s credit data or investigate an employee’s drug use. The Act also imposes restrictions on the handling of an employee’s health information at the workplace.
To collect personal data from sources other than the employee himself/herself, the employer must generally obtain the consent of the employee. However, this consent is not required when an authority discloses information to the employer to enable the latter to fulfil a statutory duty or when the employer acquires personal credit data or information from the criminal record in order to establish the employee’s reliability.