The most significant regulatory change of the last few decades in EU data protection law is drawing nearer: the General Data Protection Regulation, known as the 'GDPR', comes into force in May 2018. The GDPR sets out harmonised core principles and rules on data protection across all EU Member States, therefore requiring them to review national data protection laws, and amending or repealing those that overlap with the GPDR. Member States are allowed to introduce additional data protection rules through derogations on a range of areas including employment practices.
A Nordic View
Member States can also maintain currently applicable specific provisions. For example, under Danish data protection law, it is a requirement that the Data Protection Agency is notified if sensitive data (such as health information or whistleblower information) is processed. Since the GDPR does not contain any requirement for personnel administration notifications, it is likely that the obligation will be maintained in the new Danish Data Protection Act. As well as the proposal for a Data Protection Act, the Danish Ministry of Justice has announced that it will issue practical guidance to supplement a report on the GDPR and the proposal for the Data Protection Act. It is expected that this guidance will address issues such as the use of consent in employment relationships.
In Finland, the review of national legislation signified a step forward in the run up to Midsummer when the Working Group set up by the Finnish Ministry of Justice gave a memorandum of proposed amendments to the general data protection laws. When it comes to specific laws concerning privacy in employment, more information about the proposed changes is expected in late 2017. While Finland currently has strict laws that aim to ensure privacy in employment, it is not expected that any significant amendments to these rules are necessary for the GDPR.
While many of the principles and concepts of the GDPR are in line with the data protection laws in the Nordic countries, the GDPR does implement new rules and a marginally harsher regime. A Government Official Report covering the proposal of new national data protection legislation in Sweden was published on 12 May 2017 (SOU 2017:39). The new legislation, known as 'dataskyddslagen', will replace the existing data protection act and supplement the GDPR. According to the report, the aim of the new legislation will be to permit the processing of personal data to the same extent as is currently permitted under national law so as not to broaden or restrict current practices, except in cases where the GDPR requires such a change.
How can Nordic employers prepare for these changes?
In addition to the expected national derogations in employment practices in Finland, Sweden and Denmark, the GDPR itself is directly applicable to personal data processing of employees. In practice, this means that all employers must be able to comply with the rules set out in the GDPR in addition to those contained in national law. For example, employers must prepare for the GDPR by updating current privacy policies and other relevant documentation and by reviewing contracts concerning outsourced payroll and accounting functions. As the GDPR is based on the so-called risk-based approach, employers are also expected to recognise areas that might be especially risky to employees' privacy, with video camera surveillance and the monitoring of the location of employees likely to form particular areas of concern. Employers must then focus on minimising those risks with suitable technical and organisational measures.
How is this relevant?
As national data protection authorities will have extensive investigative and corrective powers, including those to impose significant sanctions (up to the higher of EUR 20 million, or 4 % of the group's total worldwide annual turnover of the preceding financial year) on data controllers, this demonstrates how compliance with the new, stricter data protection rules is even more important than before.
Overall, while the full picture regarding Nordic privacy legislation in employment law is still unclear, as it also currently is in many Member States, it is highly recommended that all employers take steps to prepare for the GDPR as early as possible, especially given the potential organisational, technical and administrative impact of the new rules across all business sectors.