|OVERVIEW||Finnish data protection norms derive from a variety of legal sources, such as the constitution, international agreements, European Union laws, ordinary legislation, and regulations and/or advisory opinions by the Finnish Data Protection Ombudsman and Data Protection Board.|
|GENERAL PRIVACY LAWS||
§ 10 of Constitution provides: “Everyone’s private life, honor and the sanctity of the home are guaranteed.”
Protection of Privacy and Data Security in Telecommunications Act covers all communications, including emails and communications on the Internet.
|PERSONAL DATA PROTECTION LAWS AND REGULATIONS||
Data Protection Ombudsman enforces the Act.
The Act applies to controllers established in Finland or otherwise subject to Finnish law and to those not established in the EU but using equipment located there other than for mere transit purposes.
|TYPE OF DATA PROTECTED||Personal Data.|
|WORKPLACE PRIVACY LAWS||
Protection of Privacy in Working Life – 2001
Protection of Privacy in Working Life – 2004
The Act on Protection of Privacy in Working Life (759/2004) went into effect in Finland on October 1, 2004. The law prohibits routine drug tests, places restrictions on the right of video surveillance and guarantees limited email privacy for employees. The law also stipulates that the regulation of these issues is to take place through bargaining and consultation procedures at the workplace level. During these consultations, employers must discuss the conditions under which emails may be monitored. Additionally, the Act Amending Section 6 of the Act on Cooperation within Undertakings (761/2004) mandates that the following matters are covered by the cooperation procedures: “the purpose, implementation and methods used in employee monitoring performed using camera surveillance, access control and other technical methods, and the use of electronic mail and data networks.”
Employers have the burden of justifying the necessity to collect and use information about their employees and potential employees. Once personal information is no longer necessary, it must be destroyed or made anonymous. Generally, personal data must be collected only from individual employees. Written consent is required for processing of health data, and aptitude, psychological and drug testing may be performed only if strictly necessary and the employee has given consent. Section 3 of the Act states that an employer is allowed to process personal data “directly necessary for the employee’s employment relationship which is connected with managing the rights and obligations of the parties to the relationship or with the benefits provided by the employer for the employee or which arises from the special nature of the work concerned.” Section 3(2) of the Act states: “No exceptions can be made to the necessity requirement, even with the employee’s consent.”
The Data Protection Act contains restrictions on the transfer of personal data to third countries outside of the European Economic Area (EEA). Personal data can be transferred to another country only if that country ensures the level of data protection that corresponds to the level of data protection in Finland.
Chapter 5 of the Personal Data Act complies with the requirements of the EU Data Protection Directive.
|FINES AND SANCTIONS||
§ 47 of the Data Protection Act provides a cause of action to recover damages an individual sustains because of violations of the Act.
§ 48 of the Data Protection Act provides criminal penalties for violations.
|OTHER PRIVACY LAWS AND REGULATIONS||
Telecommunications: The Act on Protection of Privacy in Electronic Communications (516/2004);
Employee data protection: The Act on Protection of Privacy in Working Life (759/2004);
Control of access to public records: Act on the Openness of Government Activities;
Information security and protection of privacy: Act on Electronic Services and Communication in the Public Sector; and
Healthcare data protection: Act on the Status and Rights of Patients.