GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Finland
Finland’s Act on the Protection of Privacy in Working Life (759/2004) sets certain employee data privacy standards as well as rights relating to safeguarding the protection of privacy at work. Drug testing, carrying out tests (e.g., aptitude tests) or exams, and CCTV monitoring are also subject to specific requirements.
Some key areas that employers should be aware of include:
Cooperative procedure: Finland does not have works councils. Instead, the collection of personal data in the context of employment and recruiting is managed through a formal cooperative procedure. This also applies to the purpose and introduction of methods in camera surveillance, access control and other technical employee monitoring, as well as the use of email and other data networks.
Generally speaking, the procedure involves calling a meeting where the new potential procedure(s) and measure(s) are explained and discussed with employees (or the employees’ elected representatives). After the meeting, employers can make a decision to implement the new procedure and/or method, even if the employees object. Employers cannot make the decision before the cooperative procedure has been concluded.
The cooperative procedure only applies when there are 30 or more Finland-based employees. In cases where there are fewer employees, the employer must provide employees (or their representative) the opportunity to be consulted, and inform employees of new measures which will be implemented.
Employee health information: Processing employees’ medical data is limited under the Finnish Act on the Protection of Privacy in Working Life (759/2004). Employers may only process medical data for purposes specified in the Act or where allowed by other laws. In addition, only certain individuals can process employees’ health information (those in specific roles or those who have been nominated). The employer and those who are permitted to process health-related data are subject to non-disclosure obligations and cannot disclose employees’ health information to third parties. Any information relating to an employee’s state of health should be stored separately from other personal employee information.
Health-related data, such as drug tests, should be erased as soon as the grounds for processing the data cease to exist. In addition, the grounds and necessity for processing the health data must be reviewed at least every five years.
Employee emails and internet usage: In general, employers have limited opportunities to monitor electronic communications and internet usage. In order to search and/or open an employee’s email message, employers must meet strict requirements.