Frequently asked questions about working life
The employer may only process personal data that is directly necessary for the employee's employment relationship, that is, data related to the exercise of the rights and obligations of the parties or to the benefits provided by the employer, or data that results from the specific nature of the work. The employer is therefore not allowed to process just any personal data relating to an employee.
This so-called requirement of necessity is laid down in section 3 of the Act on the Protection of Privacy in Working Life. The requirement of necessity cannot be waived, even with the employee’s consent.
The requirement of necessity also applies to job search situations. The employer's right to collect the personal data of a job applicant depends on the job for which the person has applied. In a job search situation, the information needed is mainly that which demonstrates the applicant's qualifications and suitability for the job in question.
The requirement of necessity also applies to information collected by the employer through testing or assessing the job applicant or employee. The employer’s personal and aptitude tests must be necessary for the employment relationship. The processing of, for example, drug test data and employee health data must also comply with the requirement of necessity.
The employer must collect personal data on employees and jobseekers primarily from the employees and job applicants themselves. If the employer collects personal data from a source other than the employee, the employee's consent to the collection must be obtained in principle. However, consent is not required where an authority discloses information to an employer for the performance of a statutory task, or where the collection or receipt of the information is specifically provided for by law.
For example, if the employer wants to ask a former employer about a job applicant’s performance at work, the employer must obtain the job applicant’s consent to do so.
The employer has the right to supervise and monitor work (the right of direction), by virtue of which the employer can specify the duties of individual employees, issue work-related orders and monitor the performance of employees. However, this right does not entitle the employer to monitor the employee by collecting or viewing the identifying data accumulated through the employee’s use of the internet.
Nor can the employee give valid consent to the employer's supervision of his or her browsing. The right to confidential communications also applies to browsing the internet and the identifying data accumulated thereby.
The employer can nevertheless issue rules on the use of information networks, such as whether browsing the internet at the workplace is permitted in the first place and, if it is, what kinds of sites employees are permitted to visit. The employer also has the right to block access to certain sites.
Determining the location of employees is part of technical supervision, which needs to be processed in the co-operation procedure at the workplace. Locating employees is only possible if the employer has an appropriate basis and need for it. It can be justified by, for example, ensuring the safety of employees and the correct allocation of resources (such as vehicles). Locating an employee using a mobile phone requires the consent provided for in the law on electronic communications services.
In the opinion of the Data Protection Ombudsman, location data should not, as a rule, be used for the monitoring of obligations under labour law, such as the monitoring of working hours. Using location data for monitoring and keeping track of working hours can be possible, however, if the employee works at home or mostly away from the employer’s premises and there are no other, less intrusive means of monitoring available.
If the positioning system is intended to be used for monitoring and keeping track of working hours, the employer should specify this as one of the purposes of the processing of location data. If this purpose has not been specified in advance and no cooperation procedure has been implemented on the matter at the workplace, the location data may not be used for monitoring compliance with the terms of the employment or service relationship.
The employee's absence data and complaints made about him or her are personal data. Displaying such data at the workplace can be in violation of the employer's non-disclosure obligation and infringe on the employee’s right to privacy.
In practice, it may be necessary to communicate matters such as the numbers of complaints as general, statistical data at the workplace. The employer should specify the personnel whose duties entitle them to process the personal data of employees. If a person entitled to process personal data has obtained information on another person's characteristics, personal conditions or financial standing in connection with the processing, this information may not be disclosed to third parties.
The data can be published on the employer’s website without the employee’s consent if such publication is appropriately justified and necessary for the employer’s business operations. For example, the publication of such data can be necessary if the employee’s obligations include being identifiable and available on the basis of his or her job title, occupational contact details and photograph.
The employer should consider the necessity of such publication carefully and justify it to the employees and Data Protection Ombudsman if necessary. Even if consent is not required for publishing the data, the employees have the right to know for what purpose their data is published on the internet. The matter must be processed in the co-operation procedure at the workplace.
Trade union membership falls under a special category of personal data, and its processing is provided for in Article 9 of the General Data Protection Regulation. The processing of data concerning trade union membership is permitted when this is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
An organisation involved in trade union activities is permitted to process data concerning trade union membership in connection with its operations provided the appropriate safeguards are observed. Under section 6 (3) of the Data Protection Act, the processing of data concerning trade union membership is permitted in connection with, for example, industrial action.
A trade union may process the data of its own trade associations only. Processing of personal data is permitted if it concerns the data of the current or former members of these associations or persons who have regular contacts with the associations linked to the purpose of these associations. It is also required that personal data not be disclosed to a third party without the consent of the data subject and that the processing concerns data whose processing the data subject has specifically consented to.
Trustees’ right of access to information is provided for in occupation-specific collective agreements. Employers must provide trustees with the data necessary for the successful performance of their duties. Acceptable grounds for disclosing an employee’s contractual and salary information to a trustee include:
- The employee whose data the disclosure concerns has given their consent to the disclosure.
- The disclosure of personal data is based on a legal provision or is necessary for the carrying out of the controller’s statutory obligation.
- The disclosure of personal data takes place in a manner agreed upon in a legally valid collective agreement.
- The disclosure of personal data may also be acceptable at the employer’s discretion if this is necessary for exercising the legitimate rights of the controller or a third party, unless these rights are overridden by the interests or rights and freedoms of the data subject.
Trustees must process personal data as provided in the General Data Protection Regulation. Practices that were observed in the activities of trustees before the General Data Protection Regulation entered into force have continued largely unchanged.
The Data Protection Ombudsman does not have jurisdiction to interpret collective agreements or the power to permit or prohibit the disclosure of personal data.
In data protection matters, the employee should first contact their own organisation's Data Protection Officer, if there is one. It is the Data Protection Officer's duty to provide advice and information on matters related to data protection to the controller and employees who process personal data. You can also contact your own supervisor if you notice shortcomings in data protection at the workplace.
The Office of the Data Protection Ombudsman and the occupational safety and health authority jointly monitor compliance with the Act on the Protection of Privacy in Working Life within their respective powers.
The occupational safety and health authority is tasked with the regional monitoring of compliance with occupational safety and health regulations. In addition to this monitoring, the authority provides instructions and advice in matters related to occupational safety and health and the terms of employment.
The Office of the Data Protection Ombudsman is tasked with supervising compliance with data protection legislation and other laws governing the processing of personal data.
In some cases, it can also be useful to discuss the matter with the workplace's occupational safety and health representative. It is the duty of the occupational safety and health representative to represent the employees in all matters affecting their occupational safety and health.
The employer must remember that it must primarily collect personal data concerning an employee from the employee themselves. The employer needs the employee's consent to collect personal data from other sources.
Furthermore, the employer must also take the necessity requirement into consideration, that is, the employer may only process personal data that are directly necessary for the employee's employment relationship, related to the fulfilment of the rights and obligations of the parties to the employment contract or the benefits offered by the employer to its employees, or that must be processed due to the special nature of the work.
In other words, the employer may ask the employee's previous employer about the employee's performance if it considers that the necessity requirement is met, cannot obtain the required information from the employee and has received the employee's consent for asking for the data.
Consent refers to any freely given, specific, informed and unambiguous expression of agreement by which the data subject accepts the processing of their personal data. The employer must be able to prove that it has received the employee's consent.
The principle of storage limitation must be observed in the storage of credit information just as with any other personal data. According to the principle, personal data may not be stored for longer than is necessary for the purposes for which the personal data are processed.
In other words, the employer must determine the purpose for which the credit information is being processed and estimate when the purpose of processing the credit information has been fulfilled. When the credit information is no longer needed for this purpose, it must be erased.
Long storage periods are not justified for credit information, because the information obtained with a credit information query always represents the situation at the time of the query. Credit information can change rapidly after any given query, making the credit information report obsolete.