Tietosuojavaltuutetun toimisto (Finland) - 6652/154/19

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 17(3)(b) GDPR
Article 17(3)(e) GDPR
Chapter 8 § 1(2)(4) Criminal Code
Chapter 8 § 2(1) Criminal Code
Type: Complaint
Outcome: Rejected
Started: 02.09.2019
Decided: 13.08.2020
Published: 17.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 6652/154/19
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA found that a controller did not have to comply with the data subject's request to erase personal data relating to the recruitment process, as it was necessary to store data for up to 2 years in order for the controller to defend itself against possible discrimination claims.

English Summary

Facts

The Finnish DPA was notified that a company ("controller") had refused to erase the data subject's personal data relating to their recruitment process. The DPA then asked the controller to explain why it had refused the erasure request and for how long it stored the personal data of its job applicants.

In response to the request, the controller clarified that it could not comply with the data subject's request because the processing was necessary according to Article 17(3)(b) GDPR and Article 17(3)(e) GDPR. The controller stated that, according to Chapter 8 Section 1(2)(4) of the Finnish Criminal Code, a work discrimination claim must be filed within two years. Therefore, the controller could not erase the personal data because two years had not passed since the end of the recruitment process.

The controller also stated that it continued to process the job applicants' personal data for six months after the end of the two-year statute of limitations as a precautionary measure in order to be able to deal with discrimination claims if they were filed at the very end of the statute of limitations.

Holding

On the basis of the information provided by the controller, the DPA considered that the controller was entitled to store the data subject's personal data for two years after the end of the recruitment process. The DPA stated that if the controller deleted the data subject's personal data, it would not be able to defend itself against possible discrimination claims.

The DPA noted that according to Chapter 8 Section 2(1) of the Finnish Criminal Code, the statute of limitations is calculated from the date when the offense is committed. In light of this, the DPA emphasised that it is not the date when the claim was filed that is relevant, but the date when the work discrimination took place. Thus, the DPA found that the controller could not store the personal data for more than two years.

On the basis of the information gathered, the DPA held that the controller did not have to comply with the data subject's request to erase the personal data in question pursuant to Article 17(3)(b) GDPR and Article 17(3)(e) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Matter

The right to have job application data deleted

The applicant's claims and their grounds

On September 2, 2019, the applicant initiated a case at the Data Protection Commissioner's office regarding the right to have his data deleted.

On 25 August 2019, the applicant requested that the controller delete his data. The controller did not agree to the deletion request, stating on September 2, 2019, that job applicants' data is kept for two years because of the time limits that apply in a possible discrimination case. According to the answer the applicant received on August 26, 2019, the two-year storage period also applies to test results. The applicant considers one year to be a sufficient storage period.

Statement received from the controller

A statement was requested from the controller on May 27, 2020. The controller issued its statement on 11 June 2020.

The controller has stated that, when defining the storage periods for data related to the recruitment process, it looked in particular at the Act on Equality between Women and Men (609/1986), the Equality Act (1325/2014) and the Criminal Code (39/1889). According to the statement, due to human error, the e-mail response given to the applicant lacked a reference to the Criminal Code's provisions on employment discrimination and to the Criminal Code's time limits, which are the root cause behind the two-year retention period. The statement notes that, for the applicant, two years have not yet passed since the end of the recruitment process.

In addition, the statement says that if a discrimination claim concerning the employment situation is brought, it can be brought against the controller, its corporate client, or both. According to the statement, the controller regards itself as an independent controller during the recruitment process, and when it sends job applicants' introduction texts and resumes to a corporate client, the corporate client becomes an independent controller for the information sent to it. According to the statement, the usual recruitment process can also be deviated from depending on the case, in which event, for example, the relationship between the controller and its corporate client is re-evaluated. According to the statement, the controller's corporate client decides whether it wants to interview all, some or none of the job applicants presented by the controller. Typically, the corporate client also makes the final decision on which of the presented job applicants is selected for the position.

The statement says that the test results are a mandatory part of the recruitment processes. According to the statement, a first selection of which applicants advance in the process and which do not is made on the basis of the test results. To move to the second stage of the recruitment process, an applicant must obtain a certain minimum test result, which is why the test results are an important part of the recruitment process and also a way for the controller, if necessary, to show why particular applicants were or were not selected for the next stage.

Finally, the statement says that the controller has had an ongoing project to update its privacy statements, and that the updated Privacy Statement and the statement regarding the processing of personal data have been attached to the clarification request.

Additional explanation received from the controller

On June 12, 2020, the controller was asked for additional clarification as to why the retention period for applicants' job applications and test results is specified in the data protection statement as 30 months and not 24 months. The controller gave its answer on 12 June 2020.

The controller has stated that it has developed an automatic function that deletes information from the controller's database and from all applications linked to the database. According to the explanation, the automated function deletes most of the personal data related to job applicants, with a few exceptions for which the data is deleted manually. Since discrimination claims can be filed up to the last day of the 24th month, the controller has developed an automatic deletion function and added another six months as a precaution so that it can process discrimination claims even if they are presented at the very end of the claim period.

The applicant's reply

On June 16, 2020, the applicant was asked for a reply. The applicant gave his reply on 7 July 2020.

The applicant considers it undisputed that the time limit for bringing charges in employment discrimination situations is two years. However, the applicant considers that, although employment discrimination is an offence subject to public prosecution, possible claims for employment discrimination in the recruitment process can only be based on the compensation demanded by the person who experienced discrimination in that and similar recruitment cases. Furthermore, according to the applicant, such a claim is either directly based on, or in practice is always compared to, the claim for compensation provided for in Section 23 of the Equality Act (1325/2014). The applicant considers the two-year storage period to be excessive, because it rests on a doubly hypothetical claim for employment discrimination, one in which the process has not started from the claim of the person who experienced discrimination and in which the discrimination claim is filed late.

The applicant considers that there is no legal basis for the 30-month storage period and that, according to the applicant, a security measure can be requested if necessary.

Applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (Data Protection Regulation) has been applied since 25 May 2018. As a regulation, it is directly applicable law in the member states. The General Data Protection Regulation is further specified by the national Data Protection Act (1050/2018), which has been applied since January 1, 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).

Legal question

The Data Protection Commissioner assesses and decides the applicant's case on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

In this case, the Data Protection Commissioner must decide whether the conditions under Article 17 of the General Data Protection Regulation are met for the controller to delete the relevant personal data at the applicant's request.

It must also be decided whether the controller must be given an order under Article 58(2)(c) of the General Data Protection Regulation to comply with the data subject's request concerning the exercise of the data subject's rights under the Data Protection Regulation.

Decision of the Data Protection Commissioner

The applicant's claim is partially rejected.

Reasoning

Pursuant to Article 17(1)(a) of the General Data Protection Regulation, the data subject has the right to have the controller erase personal data concerning him or her without undue delay, and the controller has the obligation to erase the personal data without undue delay, if the personal data are no longer needed for the purposes for which they were collected or otherwise processed. Pursuant to Article 17(3)(b), Article 17(1) does not apply if the processing is necessary to comply with a legal obligation that requires processing under Union or member state law applicable to the controller, or if the processing takes place for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition, pursuant to Article 17(3)(e) of the General Data Protection Regulation, Article 17(1) does not apply if the processing is necessary for the establishment, exercise or defence of a legal claim.

The processing of personal data always requires a legal basis. According to Article 6 of the General Data Protection Regulation, the processing of personal data is lawful, for example, under paragraph 1(a) when the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Processing is also lawful under Article 6(1)(c) when it is necessary for compliance with a legal obligation of the controller, and under paragraph 1(f) when it is necessary for the purposes of the legitimate interests of the controller or a third party. In this case, the controller received the applicant's personal data in connection with the job application process.

According to Recital 39 of the General Data Protection Regulation: "Especially the specific purposes of personal data processing should be determined and announced in connection with the collection of personal data unambiguously and in accordance with the law. Personal data should be sufficient and relevant and limited to what is necessary for the purposes of their processing. This requires in particular that the storage period of personal data is as short as possible. Personal data should only be processed if the purpose of the processing cannot reasonably be fulfilled by other means. The controller should set deadlines for the deletion of personal data or the periodic review of the necessity of their storage, in order to ensure that personal data is not stored longer than necessary." Furthermore, in accordance with Article 5(1)(e) of the General Data Protection Regulation, personal data must be stored in a form from which the data subject can be identified only for as long as is necessary to fulfill the purposes of the data processing. In addition, pursuant to the accountability obligation in paragraph 2 of the same article, the controller must be able to demonstrate that paragraph 1 has been complied with.

In the statement given in the case, the two-year retention period was explained as follows: because of the time limits for actions relating to employment discrimination (RL 47:3) under the Criminal Code (RL, 39/1889), the controller assessed, when determining the retention periods for personal data in the recruitment process, that it has a justified reason to retain personal data collected during the recruitment process for two years after the end of the recruitment process. Pursuant to Chapter 8, Section 1, Subsection 2, Clause 4 of the Criminal Code, the right to prosecute expires, if no charges have been filed, in two years, if the harshest punishment is a maximum of one year in prison, a fine or a misdemeanor fine.

The statement given in the case also says that the controller processes job applicants' personal data for six months after the end of the two-year claim period as a precautionary measure, so that it can process discrimination claims even if they are presented at the very end of the claim period. The statement also revealed that the job applicant's test results are an essential part of the controller's recruitment process.

The Data Protection Commissioner states that the controller has set deadlines for deleting job applicants' personal data and that these deadlines can be seen in the controller's data protection statement. The controller has justified the necessity of keeping personal data by citing the need to defend itself in possible discrimination situations. Lawsuits or other legal claims can be brought against the controller under the legislation the controller has cited. The Data Protection Commissioner considers that, based on the statement received, the controller in this case has the right to process the applicant's personal data such that the retention period is two years after the applicant's latest job application process has ended. If the controller were to destroy all the information provided by the job applicant, it would not be able to defend itself against claims of discrimination.

According to the government's proposal for reforming Chapter 8 of the Criminal Code, the types of crimes that come to light exceptionally late are mainly environmental crimes and sexual crimes against children. Since individual crimes that come to light exceptionally late may occur, the possibility to extend the statute of limitations and to claim damages safeguards the position of the person who suffered damage. (HE 27/1999 vp, pp. 13–14) It should be noted that an extension of the right to prosecute must be applied for before the end of the original limitation period. (HE 27/1999, p. 23) The government's proposal sought to keep the interruption of the statute of limitations as before. (HE 27/1999 vp, p. 20) Pursuant to Chapter 8, Section 3, Subsection 1 of the Criminal Code, the charge is deemed to have been filed in a manner that interrupts the running of the limitation period when the accused has been legally served with a summons or a penalty claim has been made against him while he was personally present at the trial.

Based on Chapter 8, Section 2, Subsection 1 of the Criminal Code, the time limits mentioned in Chapter 8, Section 1 of the Criminal Code are counted from the day the crime was committed. On the basis of the above, the Data Protection Commissioner considers that, as a general rule, within two years from the date of the crime, either a summons regarding employment discrimination must be served on the accused or a penalty claim must be made against the accused in his or her personal presence at the trial. The decisive factor is therefore not when the lawsuit regarding employment discrimination is filed.

The Data Protection Commissioner states that, in principle, the storage period of personal data must be as short as possible and that, as a general rule, personal data can only be processed if the purpose of the processing cannot reasonably be fulfilled by other means. Based on the reasons stated above, the Data Protection Commissioner considers that the controller therefore has no grounds to keep the applicant's personal data for more than two years.

The Data Protection Commissioner considers that the controller was justified under Article 17(3)(b) and (e) of the General Data Protection Regulation in not carrying out the personal data deletion request submitted by the applicant, insofar as the processing period is two years. Based on the statement given in the case, two years have not yet passed since the end of the applicant's recruitment process. On the above grounds, the Data Protection Commissioner partially rejects the applicant's claim.