Tietosuojavaltuutetun toimisto - 137/161/20

From GDPRhub
Tietosuojavaltuutetun toimisto - 137/161/20
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Finnish Act on the Protection of Privacy in Working Life
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: 125000 EUR
Parties: n/a
National Case Number/Name: 137/161/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: n/a

A controller based in Finland was fined EUR 12,500 for collecting data during job application process that was not directly necessary for the employment relationship.

English Summary[edit | edit source]

Facts[edit | edit source]

Finnish DPA received a complaint about a controller's use of job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members.

Dispute[edit | edit source]

Was the collection of personal data through the job application form in accordance with Article 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR?

Holding[edit | edit source]

The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions.

As some of the data processed was not directly necessary for the employment relationship, this in turn violated the GDPR’s lawfulness and data minimization principles (Article 5(1)(a) and (c)) and also Article 6(1).

Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR.

Comment[edit | edit source]

The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR.


Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.