Administrative fine on Viking Line for unlawful processing of employees' health data
The Office of the Data Protection Ombudsman's Sanctions Board has imposed an administrative fine on Viking Line Oy Abp for data protection violations related to the processing of its employees' health data. Among other things, the company stored the health data of its employees unlawfully in a human resource management system. Shortcomings were also identified in how the company informed its employees of the processing of their personal data.
The Office of the Data Protection Ombudsman investigated Viking Line's activities on the basis of a complaint lodged with the Office. A former employee of Viking Line informed the Office of the Data Protection Ombudsman that, despite their request, they had not received all of the personal data about them stored in the company's systems.
According to the former employee, Viking Line had been keeping their health data in the HR system for 20 years. For example, Viking Line had saved diagnoses in the HR system alongside information on absences due to illness. According to the complainant, some of the diagnosis information stored in the system was inaccurate, because it was not possible to enter all diagnosis codes into it. Viking Line had not provided the employee with the requested diagnosis data even though the company was in possession of that data.
Health data must be stored separately from other data on employees and its accuracy must be ensured
The Deputy Data Protection Ombudsman finds that there have been a number of serious shortcomings in Viking Line's practices for processing personal data.
According to the law, an employer must store data on an employee's state of health separately from the employee's other personal data. Saving diagnosis information together with other employment-related data was against the law.
Not only had Viking Line unlawfully saved its employees' diagnosis information in the HR system, but some of the data was inaccurate as well. The Sanctions Board found the company's activities to be particularly reprehensible in this regard. Health data should have been erased immediately when its storage was no longer necessary.
Data subjects must be transparently informed of processing
Viking Line had not informed its employees appropriately of the processing of their personal data. The Deputy Data Protection Ombudsman ordered the company to correct its practices and inform its employees of the processing of their personal data as required by the GDPR.
The Deputy Data Protection Ombudsman also notes that the company should have provided the employee with all of the data requested by them.
Reprimand and administrative fine for data protection violations
The Office of the Data Protection Ombudsman's Sanctions Board ordered Viking Line Oy Abp to pay an administrative fine of EUR 230,000 for several violations of data protection legislation. The company was also reprimanded.
The Sanctions Board emphasised that even inaccurate diagnosis information had been stored for a considerable period of time. Inaccurate diagnosis information can pose a risk to an individual's legal protection.
The matter was resolved in cooperation with the Swedish, Norwegian and Estonian data protection authorities.
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. +358 29 566 6787
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.