All questions

Data protection

i Requirements for registration

Under Finnish law, the employer is allowed to process the personal data of its employees without registering with the data protection authorities. However, according to the Act on Protection of Privacy on Working Life (759/2004, as amended), the employer is only allowed to process necessary personal information relating directly to the employee's work. Primarily, the employer must collect information concerning the employee from the employee himself or herself.

Under the General Data Protection Regulation (GDPR) processing of personal data is considered lawful only if:

  1. the data subject has consented to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation;
  4. processing is necessary in order to protect the vital interests of the data subject or another person; or
  5. processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Under some circumstances the employer (the data controller) and processor must nominate a data protection officer. The duties of the data protection officer include informing and advising the controller, processor and employees in data protection matters, and monitoring compliance with data protection legislation.

ii Cross-border data transfers

In general, personal data cannot be transferred to third parties without a legal reason. However, owing to the controller's legitimate interest, such a transfer is possible (e.g., when it is within the company group for administrative purposes). Furthermore, data processing may be outsourced to a third-party processor. In such a case, the controller must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

Personal data can be transferred outside the European Union or European Economic Area, or to an international organisation, if the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of data. Such a transfer does not require any specific authorisation. In the absence of such a decision by the Commission, personal data can be transferred to the country or organisation if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.

iii Special categories of data

The GDPR recognises special categories of personal data. The processing of these categories is generally prohibited, unless specifically allowed by the GDPR. Personal data is deemed special if it relates to the following:

  1. race or ethnic origin;
  2. political opinions;
  3. religious or philosophical beliefs;
  4. trade union membership;
  5. genetic or biometric data;
  6. health; or
  7. sex life or sexual orientation.
iv Background checks

The employer's right to conduct background checks is somewhat limited and the employee's consent is, in general, required when information is gathered from someone other than the employee, which also applies when looking to recruit a new employee. The term 'background check' leaves open what the employee is giving consent to.

The use of personal data regarding credit information, health and drug use is strictly regulated by law. The employer is only allowed to process personal data directly necessary for the employee's employment relationship. No exceptions can be made to the necessity requirement, even with the employee's consent.

Consent is not required when an authority discloses information to the employer to enable the employer to fulfil a statutory duty or when the employer acquires personal credit data or information on criminal records in order to establish the employee's reliability. However, the employer's right to collect such data is restricted by law and information on criminal records can only be obtained under exceptional circumstances. The employer must also notify the employee in advance that such data is to be collected.