Tietosuojavaltuutetun toimisto (Finland) - 137/161/20

From GDPRhub
Revision as of 20:39, 15 June 2020 by Ilkku (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Tietosuojavaltuutetun toimisto - 137/161/20
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Finnish Act on the Protection of Privacy in Working Life
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 125000 EUR
Parties: n/a
National Case Number/Name: 137/161/20
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: n/a

A controller based in Finland was fined EUR 12,500 for collecting data during job application process that was not directly necessary for the employment relationship.

English Summary

Facts

Finnish DPA received a complaint about a controller's use of job application form to collect information, inter alia, about the applicant’s religious beliefs, health status, possible pregnancy, and data related to the applicant's family members.

Dispute

Was the collection of personal data through the job application form in accordance with Article 3 and 5 of the Finnish Act on the Protection of Privacy in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR?

Holding

The Finnish DPA held that the collection of applicant’s religious beliefs, health status, possible pregnancy and information related to applicant’s family members did not meet the strict necessity requirement under Article 3 of the Act on the Protection of Privacy in Working Life and various GDPR provisions.

As some of the data processed was not directly necessary for the employment relationship, this in turn violated the GDPR’s lawfulness and data minimization principles (Article 5(1)(a) and (c)) and also Article 6(1).

Processing data related to the applicant’s religion, state of health and potential pregnancy was contrary to Article 9(1) GDPR.

Comment

The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.