Tietosuojavaltuutetun toimisto (Finland) - 137/161/20: Difference between revisions
(fine amount was incorrect) |
m (Fred moved page Tietosuojavaltuutetun toimisto (Findland) - 137/161/20 to Tietosuojavaltuutetun toimisto (Finland) - 137/161/20: corrected the name) |
||
(One intermediate revision by one other user not shown) |
Latest revision as of 13:04, 3 March 2024
Tietosuojavaltuutetun toimisto - 137/161/20 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1) GDPR Article 9(1) GDPR Finnish Act on the Protection of Privacy in Working Life |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 12500 EUR |
Parties: | n/a |
National Case Number/Name: | 137/161/20 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Finnish |
Original Source: | Tietosuojavaltuutetun toimisto (in FI) |
Initial Contributor: | n/a |
A controller based in Finland was fined EUR 12,500 for collecting data during job application process that was not directly necessary for the employment relationship.
English Summary
Facts
Finnish DPA received a complaint about a controller's use of job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members.
Dispute
Was the collection of personal data through the job application form in accordance with Article 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR?
Holding
The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions.
As some of the data processed was not directly necessary for the employment relationship, this in turn violated the GDPR’s lawfulness and data minimization principles (Article 5(1)(a) and (c)) and also Article 6(1).
Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR.
Comment
The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.