Finland

 
OVERVIEW

Finnish data protection norms derive from a variety of legal sources, such as the constitution, international agreements, European Union laws, ordinary legislation, and regulations and/or advisory opinions by the Finnish Data Protection Ombudsman and Data Protection Board.

ENACTED 1999

GENERAL PRIVACY LAWS

§ 10 of the Constitution provides: “Everyone’s private life, honor and the sanctity of the home are guaranteed.”

The Protection of Privacy and Data Security in Telecommunications Act covers all communications, including emails and communications on the Internet.

PERSONAL DATA PROTECTION LAWS AND REGULATIONS

Personal Data Act (523/1999) and the Act on the Amendment of the Personal Data Act implement the EU Data Protection Directive.

The Data Protection Ombudsman enforces the Act.

The Act applies to controllers established in Finland or otherwise subject to Finnish law and to those not established in the EU but using equipment located there other than for mere transit purposes.

TYPE OF DATA PROTECTED

Personal Data.

WORKPLACE PRIVACY LAWS

Protection of Privacy in Working Life – 2001

Protection of Privacy in Working Life – 2004

The Act on Protection of Privacy in Working Life (759/2004) went into effect in Finland on October 1, 2004. The law prohibits routine drug tests, places restrictions on the right of video surveillance and guarantees limited email privacy for employees. The law also stipulates that the regulation of these issues is to take place through bargaining and consultation procedures at the workplace level. During these consultations, employers must discuss the conditions under which emails may be monitored. Additionally, the Act Amending Section 6 of the Act on Cooperation within Undertakings (761/2004) mandates that the following matters are covered by the cooperation procedures: “the purpose, implementation and methods used in employee monitoring performed using camera surveillance, access control and other technical methods, and the use of electronic mail and data networks.”

Employers have the burden of justifying the necessity to collect and use information about their employees and potential employees. Once personal information is no longer necessary, it must be destroyed or made anonymous. Generally, personal data must be collected only from individual employees. Written consent is required for processing of health data, and aptitude, psychological and drug testing may be performed only if strictly necessary and the employee has given consent. Section 3 of the Act states that an employer is allowed to process personal data “directly necessary for the employee’s employment relationship which is connected with managing the rights and obligations of the parties to the relationship or with the benefits provided by the employer for the employee or which arises from the special nature of the work concerned.” Section 3(2) of the Act states: “No exceptions can be made to the necessity requirement, even with the employee’s consent.”

TRANSBORDER TRANSFERS

The Data Protection Act contains restrictions on the transfer of personal data to third countries outside of the European Economic Area (EEA). Personal data can be transferred to another country only if that country ensures a level of data protection that corresponds to the level of data protection in Finland.

Chapter 5 of the Personal Data Act complies with the requirements of the EU Data Protection Directive.

FINES AND SANCTIONS

§ 47 of the Data Protection Act provides a cause of action to recover damages an individual sustains because of violations of the Act.

§ 48 of the Data Protection Act provides criminal penalties for violations.

OTHER PRIVACY LAWS AND REGULATIONS

Telecommunications: The Act on Protection of Privacy in Electronic Communications (516/2004);

Employee data protection: The Act on Protection of Privacy in Working Life (759/2004);

Control of access to public records: Act on the Openness of Government Activities;

Information security and protection of privacy: Act on Electronic Services and Communication in the Public Sector; and

Healthcare data protection: Act on the Status and Rights of Patients.