Another fine from the Finnish Data RegulatorJob applicants’ personal data was collected unnecessarily resulting in a €12,500 fine
The Finnish Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. According to the Finnish Act on the Protection of Privacy in Working Life, the employer is only permitted to process data that is necessary in light of the employment relationship. Deficiencies were also discovered in the controller’s documentation related to compliance with the GDPR.
The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects.
The Data Protection Ombudsman ordered the company to delete the unnecessary data and issued a reprimand on the deficiencies in documentation. The sanctions board also imposed an administrative fine of €12,500 on the company.
The decisions are not final since those can be appealed in the administrative court. The Office of the Data Protection Ombudsman publishes the name of the organisation on which the administrative fine was imposed if the matter is considered to be of public significance or the organisation could be confused with another.
Sanctions must be proportionate, efficient and cautionary
The board has the right to impose administrative fines for data protection violations. The maximum amount of the administrative fine is 4 % of the company’s turnover or €20 million.