Frequently asked questions about working life
The employer is only permitted to process personal data that is directly necessary with regard to the employee's employment relationship, related to the performance of the parties’ rights and duties or the benefits offered by the employer, or required by the special nature of the employee’s tasks.
The requirement of necessity cannot be waived even with the employee's consent. In other words, the processing of the employee’s personal data by the employer is strictly limited.
The employer is permitted to process data concerning the employee’s state of health (e.g. diagnoses) if the processing is required for the payment of the wages for the period of illness or other, corresponding health-related benefits or to determine whether the employee has a justified reason for absence. The processing of data concerning the state of health is also permitted if the employee specifically requests that his or her ability to work should be reviewed on the basis of the data.
The employer can collect data concerning the employee’s state of health from the employee. The collection of such data from other sources requires the employee’s written consent. If the employee delivers a medical certificate or statement on his or her ability to work to the employer, the employer may deliver it to the occupational health care provider unless prohibited by the employee.
The employer should keep documents containing data concerning the employee's state of health separate from the employee’s other personal data. Neither may entries concerning state of health be saved in other personal data files maintained by the employer, such as payroll administration files.
The employer and any personnel processing data concerning state of health on behalf of the employer are subject to a non-disclosure obligation and may not disclose the employee's health data to third parties.
The employer has the right to supervise and monitor work (the right of direction), by virtue of which the employer can specify the duties of individual employees, issue work-related orders and monitor the performance of employees. However, this right does not entitle the employer to monitor the employee by collecting or viewing the identifying data accumulated through the employee’s use of the internet.
Neither can the employee give a valid consent to the employer's supervision of his or her browsing. The right to confidential communications also applies to browsing the internet and the identifying data accumulated thereby.
The employer can nevertheless issue rules on the use of information networks, such as whether browsing the internet at the workplace is permitted in the first place and, if it is, what kinds of sites employees are permitted to visit. The employer also has the right to block access to certain sites.
Determining the location of employees is part of technical supervision, which needs to be processed in the co-operation procedure at the workplace. It is only possible if the employer has an appropriate basis and need for it. Locating employees can be justified by, for example, ensuring the safety of employees and the correct allocation of resources (such as vehicles). Locating using a mobile phone requires the consent implied by law on the services of electronic communications.
In the opinion of the Data Protection Ombudsman, location data should not, as a rule, be used for the monitoring of obligations under labour law, such as the monitoring of working hours. Using location data for monitoring and keeping track of working hours can be possible, however, if the employee works at home or mostly away from the employer’s premises and there are no other, less intrusive means of monitoring available.
If the positioning system is intended to be used for monitoring and keeping track of working hours, the employer should specify this as one of the purposes of the processing of location data. If this purpose has not been specified in advance and no cooperation procedure has been implemented on the matter at the workplace, the location data may not be used for monitoring compliance with the terms of the employment or service relationship.
The employee's absence data and complaints made about him or her are personal data. Displaying such data at the workplace can be in violation of the employer's non-disclosure obligation and infringe on the employee’s right to privacy.
In practice, it may be necessary to communicate matters such as the numbers of complaints as general, statistical data at the workplace. The employer should specify the personnel whose duties entitle them to process the personal data of employees. If a person entitled to process personal data has obtained information on another person's characteristics, personal conditions or financial standing in connection with the processing, this information may not be disclosed to third parties.
The data can be published on the employer’s website without the employee’s consent if such publication is appropriately justified and necessary for the employer’s business operations. For example, the publication of such data can be necessary if the employee’s obligations include being identifiable and available on the basis of his or her job title, occupational contact details and photograph.
The employer should consider the necessity of such publication carefully and justify it to the employees and Data Protection Ombudsman if necessary. Even if consent is not required for publishing the data, the employees have the right to know for what purpose their data is published on the internet. The matter must be processed in the co-operation procedure at the workplace.
Trade union membership falls under a special category of personal data, and its processing is provided for in Article 9 of the General Data Protection Regulation. The processing of data concerning trade union membership is permitted when this is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
An organisation involved in trade union activities is permitted to process data concerning trade union membership in connection with its operations provided the appropriate safeguards are observed. Under section 6 (3) of the Data Protection Act, the processing of data concerning trade union membership is permitted in connection with, for example, industrial action.
A trade union may process the data of its own trade associations only. Processing of personal data is permitted if it concerns the data of the current or former members of these associations or persons who have regular contacts with the associations linked to the purpose of these associations. It is also required that personal data not be disclosed to a third party without the consent of the data subject and that the processing concerns data to the processing of which the data subject has specifically consented.
Trustees’ right of access to information is provided for in occupation-specific collective agreements. Employers must provide trustees with data necessary for a successful performance of their duties. Acceptable grounds for disclosing an employee’s contractual and salary information to a trustee include:
- The employee whose data the disclosure concerns has given their consent to the disclosure.
- The disclosure of personal data is based on a legal provision or is necessary for the carrying out of the controller’s statutory obligation.
- The disclosure of personal data takes place in a manner agreed upon in a legally valid collective agreement.
- The disclosure of personal data may also be acceptable at the employer’s discretion if this is necessary for exercising the legitimate rights of the controller or a third party, unless these rights are overridden by the interests or rights and freedoms of the data subject.
Trustees must process personal data as provided in the General Data Protection Regulation. Practices that were observed in the activities of trustees before the General Data Protection Regulation entered into force have continued largely unchanged.
The Data Protection Ombudsman does not have jurisdiction to interpret collective agreements or the powers to grant permission to or to prohibit the disclosing of personal data.
In data protection matters, the employee should first contact their own organisation's Data Protection Officer, if there is one. It is the Data Protection Officer's duty to provide advice and information on matters related to data protection to the controller and employees who process personal data. You can also contact your own supervisor if you notice shortcomings in data protection at the workplace.
The Office of the Data Protection Ombudsman and the occupational safety and health authority jointly monitor compliance with the Act on the Protection of Privacy in Working Life within their respective powers.
The occupational safety and health authority is tasked with the regional monitoring of compliance with occupational safety and health regulations. In addition to this monitoring, the authority provides instructions and advice in matters related to occupational safety and health and the terms of employment.
The Office of the Data Protection Ombudsman is tasked with supervising compliance with data protection legislation and other laws governing the processing of personal data.
In some cases, it can also be useful to discuss the matter with the workplace's occupational safety and health representative. It is the duty of the occupational safety and health representative to represent the employees in all matters affecting their occupational safety and health.
The employer must remember that it must primarily collect personal data concerning an employee from the employee themselves. The employer needs the employee's consent to collect personal data from other sources.
Furthermore, the employer must also take the necessity requirement into consideration, that is, the employer may only process personal data that are directly necessary for the employee's employment relationship, related to the fulfilment of the rights and obligations of the parties to the employment contract or the benefits offered by the employer to its employees, or that must be processed due to the special nature of the work.
In other words, the employer may ask the employee's previous employer about the employee's performance if it considers that the necessity requirement is met, cannot obtain the required information from the employee and has received the employee's consent for asking for the data.
Consent refers to any freely given, specific, informed and unambiguous expression of agreement by which the data subject accepts the processing of their personal data. The employer must be able to prove that it has received the employee's consent.
The principle of storage limitation must be observed in the storage of credit information just as with any other personal data. According to the principle, personal data may not be stored for longer than is necessary for the purposes for which the personal data are processed.
In other words, the employer must determine the purpose for which the credit information is being processed and estimate when the purpose of processing the credit information has been fulfilled. When the credit information is no longer needed for this purpose, it must be erased.
Long storage periods are not justified for credit information, because the information obtained with a credit information query always represents the situation at the time of the query. Credit information can change rapidly after any given query, making the credit information report obsolete.
Email messages
Email correspondence is confidential. However, on certain conditions, the employer has the right to retrieve or open messages sent to or from an employee's email address.
In order to do so, the employer must have sought to ensure that it would not need to read the employee's email. In the Act on the Protection of Privacy in Working Life, this obligation is referred to as the employer’s obligations regarding necessary arrangements. In order to avoid the need to read an employee's email, the employer should offer the employee the opportunity to take the following measures:
- The employee can, with the aid of the electronic mail system’s automatic reply function, send a notification to a message sender about his or her absence and the length of absence, and information about the person who is to take care of the tasks of the absent employee.
- The employee can direct messages to another person approved by the employer for this task or to another employer-approved address of the employee.
- The employee can give his or her consent to an arrangement whereby in his or her absence another person of his or her choosing and approved by the employer can receive messages sent to the employee. The aim is to establish whether the employee has been sent a message that is clearly intended for the employer for the purpose of managing the work and on which it is essential for the employer to have information on account of its operations or the appropriate organisation of the work.
As a rule, an employee's email correspondence is confidential. The employer must seek to ensure that it will not need to read the employee's email. In the Act on the Protection of Privacy in Working Life, this obligation is referred to as the employer’s obligations regarding necessary arrangements. (Also see the answer to the question "Does an employer have permission to read an employee's email?")
During or immediately before their absence, the employee may have been sent messages belonging to the employer that the employer needs in order to complete negotiations concerning its operations, to serve customers or to safeguard its operations. The employer may also have sent such messages immediately before their absence.
The Act on the Protection of Privacy in Working Life specifically provides for the circumstances in which the employer may retrieve or open an employee's email messages. The employer may have the right to retrieve messages belonging to it from the employee's email when all of the following conditions are met:
- The employee manages tasks independently on behalf of the employer and the employer does not operate a system with which the matters attended to by the employee and the processing stages involved are recorded or are otherwise ascertained.
- It is evident, on account of the employee’s tasks and matters pending, that messages belonging to the employer have been sent or received.
- The employee is temporarily prevented from performing their duties, and messages belonging to the employer cannot be obtained for the employer’s use despite the fact that the employer has seen to its statutory obligations.
- The employee’s consent cannot be obtained within a reasonable time and the investigation of the matter cannot be delayed.
The employer is permitted to search for messages by sender, recipient or subject with the help of the administrator. The information on the message sender, recipient or title may not be processed more extensively than necessary for the purpose of retrieving the message.
A report signed by the persons involved must be drawn up of the retrieval, stating why the message was retrieved, the time it was retrieved and who performed the retrieval. The report must be submitted to the employee concerned without undue delay.
The persons who participated in the retrieval of the message may not disclose the information they obtained to a third party during the employment relationship or after it has ended.
As a rule, an employee's email correspondence is confidential. In addition, the employer must seek to ensure that it will not need to read the employee's email. In the Act on the Protection of Privacy in Working Life, this obligation is referred to as the employer’s obligations regarding necessary arrangements. (Also see the answer to the question "Does an employer have permission to read an employee's email?")
The Act on the Protection of Privacy in Working Life specifically provides for the circumstances in which the employer may retrieve or open messages from an employee's email. The employer may have the right to open a message sent or received by an employee if the following conditions are met:
- If, after the retrieval of the message, it is apparent that it is essential for the employer to learn the message's content in order to complete negotiations concerning its operations or to serve customers or safeguard its operations. The employer must ensure that the conditions for retrieving the message are also met.
- The message sender and recipient cannot be contacted for the purpose of establishing the content of the message or for the purpose of sending it to an address indicated by the employer.
- The employer may open the message with the assistance of the information system administrator and in the presence of another person.
A report about opening the message must be drawn up and signed by the persons involved. The report must state which message was opened, why it was opened, the time of opening, the persons who opened it and to whom the information on the content of the opened message was given. The report must be submitted to the employee concerned without undue delay.
The opened message must be stored, and its content and the information on the sender may not be processed more extensively than is necessary for the purpose of opening the message. The persons who took part in opening the message may not disclose the content of the message to a third party during or after the employment relationship.
As a rule, the employer no longer has a legal basis for processing an employee's email account after the termination of their employment, so the employer must close the former employee's email account in order to minimise the processing of personal data.
In order to keep an employee's email account open after the termination of employment, the employer must, in the first instance, request the employee's consent for this. The employee's consent is also required for reading or forwarding their email. Consent refers to any freely given, specific, informed and unambiguous expression of agreement by which the employee accepts the processing of their personal data, in this case, keeping their email account open and reading and "forwarding" their email. The employer must be able to prove that it has received the employee's consent.
The employee can withdraw their consent at any time. The employee also has the right to demand that their email account be closed upon the termination of their employment.
An employee has the right to demand that their email account be closed upon the termination of their employment. In the first instance, the employee should contact their former employer directly and demand the closure of their email account.
As a rule, the employer no longer has a legal basis for processing an employee's email account after the termination of their employment, so the employer must close the former employee's email account in order to minimise the processing of personal data.
In order to keep an employee's email account open after the termination of employment, the employer must, in the first instance, request the employee's consent for this. The employee's consent is also required for reading or "forwarding" their email. Consent refers to any freely given, specific, informed and unambiguous expression of agreement by which the employee accepts the processing of their personal data, in this case, keeping their email account open and reading and "forwarding" their email. The employer must be able to prove that it has received the employee's consent.
The employee can withdraw their consent at any time.
As a rule, the employer needs the employee's consent for setting an out-of-office message for their email account.
However, in exceptional circumstances, the employer may access the employee's email account and set an out-of-office message without the employee's consent if all of the following conditions are met:
- the employee manages tasks independently on behalf of the employer and the employer does not operate a system with which the matters attended to by the employee and the processing stages involved are recorded or are otherwise ascertained;
- it is evident, on account of the employee’s tasks and matters pending, that messages belonging to the employer have been sent or received;
- the employee is temporarily prevented from performing their duties, and messages belonging to the employer cannot be obtained for the employer’s use despite the fact that the employer has seen to its statutory obligations; and
- the employee's consent cannot be obtained in a reasonable time, for example due to illness, and the matter cannot wait.
Camera surveillance at the workplace
An employer may only use camera surveillance on its premises for the purposes of:
- ensuring the personal safety of its employees and others on the employer's premises;
- protecting property;
- ensuring the functioning of production processes; or
- preventing or investigating incidents that put safety, property or production processes at risk.
Camera surveillance may not be used
- to monitor an employee or a specific group of employees at the workplace;
- in the personal office of an employee;
- in recreation rooms;
- in changing rooms;
- in toilets; or
- according to the Office of the Data Protection Ombudsman's decision, for monitoring obligations under labour law, such as compliance with working hours.
However, camera surveillance may exceptionally be targeted at specific workstations if necessary
- due to a manifest threat of violence or risk to the health and safety of an employee;
- in order to prevent and investigate property offences if handling property of significant value or quality, such as money, securities or valuables, is an essential part of the employee's duties; or
- upon the employee's request or if the surveillance has been agreed on with the employer, provided that the purpose of the surveillance is to safeguard the interests and rights of the employee.
The employer must take the following considerations into account when planning and implementing camera surveillance at the workplace:
- Before introducing camera surveillance, determine whether other, less invasive methods would be possible.
- Make sure that the camera surveillance does not compromise the privacy of employees more than is necessary for the achievement of the appropriate purposes of the surveillance.
- Make sure that employees are clearly and openly informed of the controller of the data generated by camera surveillance, the purposes of and legal basis for processing the personal data, the recipients of the personal data, the storage times of the data, as well as the rights of the data subject.
- Draw up internal documentation that includes a record of processing activities and, if necessary, a data protection impact assessment.
- Specify the individuals in the organisation whose duties or position give them the right to watch/process camera footage according to the controller's instructions. Also specify how the footage will be protected from unauthorised access.
- Conduct a cooperation or consultation procedure with the required parties on the implementation of camera surveillance.
- After the cooperation or consultation procedure, inform the employees of the start of camera surveillance, how it is implemented and in which situations the footage may be used, as well as the placement of any cameras used to monitor workstations.
- Post clearly visible signs of the camera surveillance and its implementation method in the premises under surveillance.
- Only use the footage for the appropriate, planned and declared purposes for which the camera surveillance has been conducted.
- Specify the storage time for recorded footage and destroy it immediately when it is no longer required.
As a rule, the employer can only use camera surveillance footage for the pre-planned and declared purposes of the surveillance. However, in exceptional cases, the employer has the right to use such footage:
- to demonstrate grounds for termination;
- to investigate or prove harassment referred to in the Act on Equality between Women and Men (609/1986), harassment referred to in section 14 of the Non-Discrimination Act (1325/2014) or harassment and inappropriate behaviour referred to in the Occupational Safety and Health Act (738/2002) if the employer has justified cause to suspect the employee of harassment or inappropriate behaviour; or
- to investigate an occupational accident or other dangerous or threatening situation referred to in the Occupational Safety and Health Act.