The most significant regulatory change of the last few decades in EU data protection law is drawing nearer: the General Data Protection Regulation, known as the 'GDPR', comes into force in May 2018. As Member States are allowed to introduce additional data protection rules through derogations in a range of areas including employment, all employers must comply with the rules set out in the GDPR in addition to those contained in national law. For example, employers must prepare for the GDPR by updating current privacy policies and other relevant documentation and by reviewing contracts concerning outsourced payroll and accounting functions.
The Danish Data Protection Bill, introduced 25 October 2017, is currently at the committee stage in Parliament and is expected to pass in the spring of 2018. The Bill introduces supplementary national provisions on data processing within the scope allowed by the GDPR for national discretion, including processing of personal data in relation to employment relations. Unlike the current Danish Data Protection Act data controllers are no longer obliged to notify and obtain permission from the Danish Data Protection Agency when processing sensitive personal data in relation to personnel administration. Hence, the current notification system - with a few exceptions - will cease to exist when the GDPR and the Bill come into force on25 May 2018. The Danish Data Protection Agency has announced that practical guidance on data protection in an employment context will be issued in February 2018.
While proposed amendments to the Finnish data protection laws were published in summer 2017, work on specific areas of data protection legislation continues on full speed. A working group set up by the Ministry of Economic Affairs and Employment is currently discussing the relationship between specific laws concerning privacy in employment and the GDPR. The working group will end its term in March 2018, which makes it likely that more information about proposed changes to laws concerning privacy in employment will be available in late spring 2018. As Finland currently has strict laws that aim to ensure privacy in employment, it is not expected that any significant amendments to these rules will be necessary for the GDPR.
While many of the principles and concepts of the GDPR are in line with the data protection laws in the Nordic countries, the GDPR does implement new rules and a marginally harsher regime. A Government Official Report covering the proposal of new national data protection legislation in Sweden was published on 12 May 2017 (SOU 2017:39). A government bill is currently being drafted, which subsequently will be submitted to the Parliament for its decision. The new legislation, known as 'dataskyddslagen', will replace the existing data protection act and supplement the GDPR. According to the report, the aim of the new legislation will be to permit the processing of personal data to the same extent as is currently permitted under national law so as not to broaden or restrict current practices, except in cases where the GDPR requires such a change.
How is this relevant?
As national data protection authorities will have extensive investigative and corrective powers, including the power to impose significant sanctions (up to the higher of €20 million, or 4 % of the group's total worldwide annual turnover of the preceding financial year) on data controllers, this demonstrates how compliance with the new, stricter data protection rules is even more important than before.
Overall, while the full picture regarding Nordic privacy legislation in employment law remains unclear, this is also the case in many Member States. It is highly recommended that all employers take steps to prepare for the GDPR as early as possible, especially given the potential organisational, technical and administrative impact of the new rules across all business sectors.