The Finnish law regulating data protection in working life remains in conflict with the GDPR

D&I Alert

The Finnish Act on the Protection of Privacy in Working Life will not be amended during the current electoral term. The government proposal on amending the Section 4 of the Act has not progressed since May 2022 and will lapse, as the electoral term’s last parliamentary session has now ended.

In 2020, the Ministry of Economic Affairs and Employment of Finland launched a project to clarify the Finnish regulation concerning the collection of employees’ personal data. The purpose of the project was to amend the legislation in terms of the consent requirement so that employers could also collect, without employees’ consent, personal data during an employment relationship for the general purpose of fulfilling their rights or obligations provided in the law or when the law separately provides for the processing of personal data. This would have clarified the relationship between the Act on the Protection of Privacy in Working Life and the General Data Protection Regulation (“GDPR”).

The government proposal1 on amending the Section 4 of the Act on the Protection of Privacy in Working Life was submitted to the Parliament in March 2022. The proposal has been under consideration of the Employment and Equality Committee, but the handling of the matter has not progressed since May 2022 and the committee report has not been completed.

Legislative proposals that have not been approved by the end of the electoral term will lapse. It is up to the new government to decide whether it will submit a similar proposal to the Parliament. It should be noted that the new government is not tied to the contents of the lapsed proposal, and eventual regulatory drafting would be conducted anew on the ministry level. Therefore, no changes to the Act on the Protection of Privacy in Working Life can be expected in the near future.

1Government proposal 35/2022. (Available in Finnish and Swedish)

Read also

The law regulating data protection in working life is broken – and only a temporary fix is under way

More by the same author

DORA Is Now Applicable – Key Implications for ICT Service Providers

EU’s Digital Operational Resilience Act (2022/2554, “DORA”) became applicable on 17 January 2025. This regulation strengthens the digital resilience of the financial sector and addresses outsourcing risks, as previously detailed in our Quarterly article. While financial entities are the main focus of DORA, it applies also to ICT service providers providing services to the financial sector.

Mapping and Analyzing Use Cases for AI

As with all work, prioritising AI-related tasks is essential to ensure you focus your time where it is most needed. Even knowing this, the constant overflow of to-dos can be overwhelming – especially when every task is accompanied by a request to complete it yesterday. In this D&I Quarterly series, Iiris Kivikari, our Head of IP, Media and AI, gives you a peek into what is taking up space on our team members’ (virtual) desks in order to help you figure out what AI work you might want to be focusing on right now.

New Cyber Security Requirements for Connected Products

The new EU regulation complementing the cyber security regulatory framework − the Cyber Resilience Act (EU) 2024/2847 (“CRA”) − has been adopted and published in the Official Journal of the EU. The CRA aims to improve cyber security of the connected products at the EU market. It will have significant implications for manufacturers, importers and distributors of products with digital elements across the EU.

Latest insights

DORA Is Now Applicable - Key Implications for ICT Service Providers

Alert / 20 Jan 2025
Reading time 4 minutes

Government Proposal on New Tax Credit for Large Industrial Investments in Finland

Article / 20 Dec 2024
Reading time 2 minutes