Tietosuojavaltuutetun toimisto (Finland) - 137/161/20: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...") |
(fine amount was incorrect) |
||
| Line 20: | Line 20: | ||
|Date_Published= | |Date_Published= | ||
|Year= | |Year= | ||
|Fine= | |Fine=12500 | ||
|Currency=EUR | |Currency=EUR | ||
| Line 58: | Line 58: | ||
A controller based in Finland was fined EUR 12,500 for collecting data during job application process that was not directly necessary for the employment relationship. | A controller based in Finland was fined EUR 12,500 for collecting data during job application process that was not directly necessary for the employment relationship. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
Finnish DPA received a complaint about a controller's use of job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members. | Finnish DPA received a complaint about a controller's use of job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members. | ||
=== Dispute === | ===Dispute=== | ||
Was the collection of personal data through the job application form in accordance with Article 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR? | Was the collection of personal data through the job application form in accordance with Article 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR? | ||
=== Holding === | ===Holding=== | ||
The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions. | The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions. | ||
| Line 73: | Line 73: | ||
Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR. | Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR. | ||
== Comment == | ==Comment== | ||
The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR. | The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR. | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details. | The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details. | ||
Revision as of 13:25, 11 November 2020
| Tietosuojavaltuutetun toimisto - 137/161/20 | |
|---|---|
 | |
| Authority: | Tietosuojavaltuutetun toimisto (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1) GDPR Article 9(1) GDPR Finnish Act on the Protection of Privacy in Working Life |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 12500 EUR |
| Parties: | n/a |
| National Case Number/Name: | 137/161/20 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Finnish |
| Original Source: | Tietosuojavaltuutetun toimisto (in FI) |
| Initial Contributor: | n/a |
A controller based in Finland was fined EUR 12,500 for collecting data during job application process that was not directly necessary for the employment relationship.
English Summary
Facts
Finnish DPA received a complaint about a controller's use of job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members.
Dispute
Was the collection of personal data through the job application form in accordance with Article 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR?
Holding
The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions.
As some of the data processed was not directly necessary for the employment relationship, this in turn violated the GDPR’s lawfulness and data minimization principles (Article 5(1)(a) and (c)) and also Article 6(1).
Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR.
Comment
The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
