Tietosuojavaltuutetun toimisto (Finland) - 137/161/20: Difference between revisions

From GDPRhub
(fine amount was incorrect)
 
(One intermediate revision by one other user not shown)

Latest revision as of 13:04, 3 March 2024

Tietosuojavaltuutetun toimisto - 137/161/20
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Finnish Act on the Protection of Privacy in Working Life
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 12500 EUR
Parties: n/a
National Case Number/Name: 137/161/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: n/a

A controller based in Finland was fined EUR 12,500 for collecting data during job application process that was not directly necessary for the employment relationship.

English Summary

Facts

Finnish DPA received a complaint about a controller's use of job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members.

Dispute

Was the collection of personal data through the job application form in accordance with Article 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR?

Holding

The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions.

As some of the data processed was not directly necessary for the employment relationship, this in turn violated the GDPR’s lawfulness and data minimization principles (Article 5(1)(a) and (c)) and also Article 6(1).

Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR.

Comment

The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.