Privacy protection

Privacy protection - Alasivu

The employer is only allowed to process personal data directly necessary for the employee’s employment relationship that is connected to managing the rights and obligations of the parties to the employment relationship or to the benefits provided by the employer for the employee, or that arise from the special nature of the duties in question. No exceptions can be made to the necessity requirement, even with the employee’s consent. Provisions protecting the personal data of employees are given in the Act on the Protection of Privacy in Working Life (759/2004).

Outdated information on employees must not be stored at the workplace.

Personal data collected by the employer must principally be collected from the employees themselves. In order to collect personal data from elsewhere than the employee himself/herself, the employer must generally obtain the consent of the employee. However, this consent is not required when an authority discloses information to the employer to enable the latter to fulfil a statutory duty or when the employer acquires personal credit data or information from the criminal record in order to establish the employee’s reliability.

The employer must determine why the collecting of personal data is necessary for carrying out the employer’s duties and the purpose for which personal data is collected, and this must be done in connection with the planning of the data collection. This assessment must be made separately in each case. In addition, the employer must determine in advance the person who is responsible for processing personal data. The employer may not retain any outdated, incorrect or unnecessary data on employees.

When processing the personal data of employees, the employer must implement appropriate measures in order to protect the privacy of employees and to facilitate the data subject’s right of access.

According to the Data Protection Regulation, the data subject has the right to:

  • be informed of the processing of his or her personal data
  • have access to the data
  • rectify the data
  • erase the data and be forgotten
  • restrict the use of the data
  • move the data from one system to another
  • object to the use of the data
  • not be subjected to automated decision-making.

The data subject may not use all the rights in all situations. The basis for processing personal data may affect this right. The basis for processing data in working life are often statutory, and the right to be forgotten or the right to object do not apply to these situations.

The Act on the Protection of Privacy in Working Life also addresses technological surveillance of employees, the employer’s right to retrieve and open e-mail messages in the employee’s personal e-mail, and cases when the employer is allowed to access an employee’s credit data or investigate an employee’s drug use. The Act also imposes restrictions on the handling of an employee’s health information at the workplace.

Rights and responsibilities at work - Privacy protection - Lainsäädäntö

Privacy protection - Muualla verkossa