The amended Finnish Act on processing employee data enters into force 1 April 2019

– A drastic blow to the GDPR’s harmonisation aim and companies’ whistleblowing systems

Posted on 15 Mar 2019


Finland continues to maintain strict protection of employees’ privacy in the GDPR era and has passed the amended Act on the Protection of Privacy in Working Life without major changes. However, problematic interpretations arose during the committee review in the legislative process with regard to obtaining information on employees from other sources. The prior business-minded interpretation given by the Finnish Data Protection Ombudsman was disregarded in the amended Act.

Background

Even though the European Union’s General Data Protection Regulation (EU) 2016/679 (“GDPR”) is directly applicable in all Member States, it leaves out some issues to be decided on or further regulated by national legislation. According to Article 88 of the GDPR, Member States may provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data.

In Finland, the GDPR is nationally supplemented by the Act on the Protection of Privacy in Working Life (the “Act”), in addition to the Data Protection Act. Due to the changes introduced by the GDPR, the Act, which has been applied since 2001, has now been amended accordingly. The Finnish Parliament accepted the relevant legislative proposal of the amended Act on 12 February with presidential confirmation taking place on 15 March. The Act will enter into force on 1 April 2019.

Comparing Finnish legislation with similar legislation in other jurisdictions, such as in other Nordic countries, Finnish privacy legislation is stricter and employees enjoy a higher level of privacy protection. As its central feature, the Act imposes a specific, heightened necessity requirement in comparison to the GDPR. Namely, the employer is only allowed to process personal data directly necessary for the employee’s employment relationship which is i) connected with managing the rights and obligations of the parties to the relationship, or ii) with the benefits provided by the employer for the employee or iii) which arises from the special nature of the work concerned. No exceptions can be made to this strict necessity requirement, even with the employee’s consent.

Collection of data from other sources than employees themselves without their consent threatened

The main rule set forth in the Act is that the employer is entitled to collect employee’s personal data only from the employee in question. If the employer wants to collect data also from other sources, it is mainly possible only with the consent of the employee. However, there have been some exceptions derived from the interpretations given by the Finnish Data Protection Authority.

The Act includes a revised version of the provision concerned. While the wording of the provision did not change dramatically, the reasoning presented by the Employment and Equality Committee (the “Committee”) during the legislative process has caused concern. The Committee assessed the provision in clear contradiction with the decisions and interpretations made by the Finnish Data Protection Authority, i.e. the Data Protection Ombudsman (“Ombudsman”). Where the Ombudsman proposed that the Act be amended to correspond to the Ombudsman’s previously given interpretation, the Committee found that the interpretation was not in line with the Act.

In his decisions, the Ombudsman has established a practice according to which the employer may, in certain circumstances, collect information about its employees also without their consent in order to establish their trustworthiness and the existence of possible wrongdoings. Along with the decisions, this has been the modus operandi for many companies so far.

In practice, the trustworthiness may be established by using whistleblowing channels, for example. Possible malpractice by employees may be reported easily via such channels, and often also anonymously, if needed. Adoption of whistleblowing channels has been a growing trend in the evolution of compliance culture and sustainable business practices, not least because of the “Me Too” movement and corporate social responsibility.

The amended Act states that data may be collected without the consent of the employee where collecting or obtaining data has explicitly been provided by law. For example, this is the case regarding anti-money laundering and preventing terrorism financing as well as reacting to market abuse in accordance with the Market Abuse Regulation (MAR), where companies are obliged to have a whistleblowing channel. However, even in these situations the collection of data may be limited only to breaches of the said laws, and processing of data regarding other malpractice might be deemed unlawful.

In addition to whistleblowing channels provided by law, many companies have established channels for employees to report breaches of the company’s code of conduct or to report their suspicions of harassment at the workplace. In these situations the channels are of the essence for the implementation of the code of conduct and for securing a good working environment.

Under the amended Act, and especially the interpretations of the Committee, this kind of data collection would not be possible without the consent of the employee. In practice, obtaining valid consent in accordance with the GDPR in such circumstances is often not an option, as a general consent received within the employment contract, for example, is not sufficient. Therefore, the Committee’s interpretation, which ignored the established practices of the Ombudsman, may lead to an insupportable situation where many companies would be deemed to process employee personal data unlawfully.

It should be noted that in practice, employees may use most channels to report any issues they wish and include information regarding other employees. The employer does not have the possibility to fully prevent the employee from including information on other employees in whistleblowing reports. The employer should, however, instruct the employees to provide only such information that the employer is entitled to collect through whistleblowing channels. In situations where some unnecessary information is still received from an employee despite adequate instructions by the employer, the employer’s practices are unlikely to be deemed non-compliant with the Act.

The European Union has also recognized the importance of whistleblowing channels and appropriate protection of whistle-blowers. A new directive on the protection of persons reporting on breaches of Union law (“Directive”) is being prepared. Taking into consideration the described European-wide significance of whistleblowing channels and the Directive, the Finnish approach on collection of employee data cannot be seen as successful either.

Minor amendments to rules on camera surveillance

According to the Act, the employer may operate camera surveillance within its premises only for the purpose of:

  • ensuring the personal security of employees and other persons on the premises;
  • protecting property or supervising the proper operation of production processes; or
  • preventing or investigating situations that endanger safety, property or the production process.

The Act prohibits the use of camera surveillance for the surveillance of particular employees in the workplace, unless one of the exhaustively listed exceptions applies. Camera surveillance may be directed at a particular work location if the surveillance is essential for safeguarding the employee’s interests and rights. In addition, the camera surveillance must be based on the request of the employee who is to be the subject of the surveillance. Before the amendments, the matter had to be agreed between the employer and the employee. According to the amended Act, this is no longer a requirement (i.e. the matter does not have to be separately agreed between the employer and the employee).

In practice, however, the change is only minor and mostly technical. The employer no longer needs to agree separately with the employee on directing the camera surveillance on their work location if the surveillance is essential for safeguarding the employee’s interests and rights (such as ensuring that the employee may feel safer with the camera surveillance), and the employee in question requests the camera surveillance. It should be noted that the employee has the right to withdraw their request.

Strict protection of employees remains dominant

In the preparation of the GDPR, enabling Member States to keep national laws on privacy in working life in force was of great importance to Finland. As we know, Finland achieved the set goals, and the need to amend the Act on the basis of the GDPR was minor. Hence, the necessary changes are mainly technical. The Act continues to have national requirements and restrictions on matters such as background checks on job applicants, drug testing, employee monitoring, accessing employee emails, retention of employee health data, and on cooperation procedures that need to be carried out when implementing new data processing practices.

As was expected, amending the Act launched many unofficial discussions on whether the strict Finnish derogations could be amended and the Finnish legislation brought closer to the level of protection set out in the national laws of many other Member States, especially in the context of monitoring practices. Such changes were not made.

As noted in the government proposal for the Act (“Proposal”), the national derogations decrease the benefits of harmonisation, especially for companies operating globally. It is noted in the Proposal that national employment legislation needs to be taken into account in any case when operating in various jurisdictions. However, there is a difference between the “need to know” what the national provisions are and the “need to adopt” materially different practices in different jurisdictions. Globally operating companies have global monitoring and other surveillance-related practices, which in many cases need to be adopted differently in Finland, also under the amended Act.

There are means to decrease the administrative burden. A good way is to gain a thorough understanding of the areas where the legal requirements vary. With such knowledge, there is less need to dive into the national derogations in each separate case.

Looking forward

All in all, even without any material changes to the wording of the Act, the legal conditions on processing personal data on employees collected from other sources than from the respective employee became ambiguous.

The Committee seemed to be aware of the effects of its interpretation, and required that the Government shall, without undue delay, discover and clarify the need for amending the provisions of the Act with regard to data collection in connection with assessing employees’ trustworthiness. The Government should, according to the Committee, aim to find a balanced resolution taking into account employees’ right to privacy and employers’ needs, as well as the interpretations of the Ombudsman and the Directive. However, this may take a long time as the current Government term is coming to an end and the Parliamentary Elections shall be held in April 2019.

Hence, there will be a period of time where companies need to re-evaluate their practices and make sure they are processing employee data in accordance with the Act. Especially, companies should re-evaluate the instructions given to the employees regarding whistleblowing channels and the information that the employees are allowed to include in the reports.

It is also important to note that the Ombudsman has included the processing of personal data in whistleblowing channels on the list of the kind of processing operations which are subject to the requirement for a data protection impact assessment (“DPIA”). Thus, if you have not yet prepared a DPIA covering whistleblowing systems implemented by your organisation, this is a good occasion to carry out such an assessment.

We are happy to discuss the topic further and will keep you updated on any developments regarding processing of personal data of employees.
