Following the outbreak of COVID-19 and its development into a global pandemic, organizations have been implementing exceptional measures to safeguard employees, customers and others against the health threat. Organizations are also endeavouring to maintain 'business as usual' to the extent allowed by their particular circumstances. We already discussed the resulting data protection compliance implications from the perspective of the European Union ("EU") General Data Protection Regulation ("GDPR").1
Besides EU law, it is also important to consider the respective national data protection laws, bearing in mind that, despite the fact that the GDPR is a Regulation, it does not create completely identical data protection rules across all Member States. Instead, it permits or requires Member States to implement specifications or restrictions on certain rules set out in the GDPR. National Data Protection Authorities ("DPAs") have already provided guidance on such particularities relating to COVID-19. The present article discusses the legal situation in Finland.
1. Overview: Guidance provided by Finnish DPA
The Data Protection Ombudsman (the "Finnish DPA") is the Finnish national supervisory authority, which supervises compliance with data protection legislation.2 To address the concerns of organizations and private persons, the Finnish DPA has compiled answers to frequently asked questions about data protection and the COVID-19 epidemic on its website.3 This is updated based on additional information as the situation evolves. The Finnish DPA's website also provides useful information and updates on COVID-19-related statements by the European Data Protection Board as the DPAs across the European Economic Area are increasing their cooperation in order to fight the COVID-19 pandemic.
2. Data Protection and limiting the spread of COVID-19
As in other countries, organizations in Finland are taking steps to limit the spread of COVID-19 and mitigate its effects. Some of these measures may involve processing of personal data. The Finnish DPA highlights that the data protection legislation does not restrict public health measures for the prevention of infectious diseases, but the various rights of data subjects and obligations of the data controllers and data processors set by the GDPR and other applicable legislation must still be taken into account in the processing of personal data. The processing of personal data must always be necessary and proportionate.
3. National Particularities
Organizations must have an appropriate legal basis for the processing of personal data and/or special categories of personal data ("SCD")4 relating to COVID-19. In addition to the legal basis laid down in the GDPR, the processing of personal data is also governed by the Finnish Data Protection Act.5 The processing of employees' personal data is also subject to the Finnish Act on the Protection of Privacy in Working Life,6 which specifically provides for the processing of health data and stipulates that the personal data of employees may only be processed when necessary. The Finnish Contagious Diseases Act7 and other legislation on occupational safety may also apply.
The Finnish DPA has confirmed that the below information constitutes personal data and/or health data that falls under SCDs:
- The information that someone has contracted COVID-19 is health data.
- The information that a person has returned from a risk zone is not health data.
- The information that someone is in quarantine (without specifying the reason) is not health data.
- The information that someone belongs to a high-risk group constitutes health data if the data is processed for assessing the person's state of health (is the person at risk due to chronic illness). However, a person's age is not health data although age is a risk factor for coronavirus.
As data protection legislation does not apply to the processing and publication of anonymous data, COVID-19-related data that cannot be used to identify individuals, e.g., publishing of anonymized statistics, is not prohibited by the data protection legislation.
4. Applying the National Particularities to Individual Measures
Considering the national legal particularities outlined above, the Finnish DPA has assessed the admissibility of specific individual measures in relation to organizations processing data concerning employees in the private sector:
- Obligation to inform others of COVID-19 infection: Unlike in certain other countries, in Finland the national legislation does not set an obligation to inform other people who are at risk of infection due to close contact with an infected person. Based on contagious disease legislation in Finland, an infected person has, however, the obligation to inform the doctor attending to the matter of the infection, including identifying the persons who may be at risk due to close contact. The person infected may, however, choose to inform other persons of the infection. If the person receiving such information does not collect such information, the data protection legislation does not apply.
- Notifying employees of potential infections: If an employee is diagnosed with COVID-19, the employer may not, as a rule, publicly name the employee in question. The employer can generally inform other employees of an unnamed employee's infection and instruct the employees to work from home. Employees' health data may only be processed by people whose job description includes health data processing, and such individuals are subject to a confidentiality obligation.
- Informing third parties about the potential infection of a specific employee or that the employee has an increased risk of severe illness from COVID-19: The employer is under a confidentiality obligation concerning the health data of employees. If necessary, the employer can generally inform third parties according to the organization's practices that the employee is prevented from carrying out his or her duties. If an employee is diagnosed with COVID-19 or placed in quarantine, the employer may not, as a rule, name the employee in question.
- Taking data protection into account when rearranging the duties of at-risk employees: Occupational safety and health legislation8 sets an obligation for the employer to refer at-risk employees, if necessary, to the employer's occupational health care provider for an assessment on rearranging such employees' duties. The processing of health data is permitted if the employee specifically requests such assessment. The processing basis provided for in the Act on the Protection of Privacy in Working Life would apply and the employee's specific consent is not required.
- Health tests organized by the employer: Employers may arrange voluntary health tests (e.g., taking employees' temperature), but obligatory health tests are governed by the occupational health care legislation. Health tests and taking of samples may only be carried out by health care professionals and properly trained laboratory personnel.
- Data Protection Officer's position in lay-offs: The GDPR states that a Data Protection Officer ("DPO") may not be dismissed for performing his or her tasks,9 but as the GDPR does not specifically provide for lay-offs in general, the national labor legislation is applied to lay-offs. If the GDPR requires an organization to appoint a DPO, the organization must continue to fulfill this obligation in the event of lay-offs. The person acting as the DPO must have the expertise and the ability to fulfill the tasks provided for in the GDPR10 and, if need be, the organization can refer to its previous practices for arranging deputies for DPOs, e.g., during vacations.
Each of the above-mentioned measures needs to respect the general principles relating to the processing of personal data. These include that personal data may be collected only for specified, explicit and legitimate purposes – in the cases discussed above, in particular for the purpose of reducing the risk of infection – that such personal data may be kept only for so long as is necessary for the purposes for which it is processed – i.e., no longer than the COVID-19 pandemic requires – and that such personal data may be processed only in a manner that ensures appropriate security and confidentiality of the data, including protection against unauthorized or unlawful processing – which is of particular importance in the context of processing of SCD.11
1 For further information, please see our general guide on COVID-19 and Data Protection Compliance (https://www.whitecase.com/publications/alert/covid-19-and-data-protection-compliance).
3 The FAQ is also available on the Finnish DPA’s website in English: https://tietosuoja.fi/en/article/-/asset_publisher/tietosuojavaltuutetun-toimisto-julkaisi-vastauksia-kysymyksiin-koronaviruksesta-ja-tietosuojasta.
4 See Article 9 GDPR; for further information on the qualification of personal data as SCD in the context of data processing following the COVID-19 pandemic, please see our general guide on COVID-19 and Data Protection Compliance.
5 1050/2018, as amended.
6 759/2004, as amended.
7 1227/2016, as amended.
8 The Finnish Occupational Safety and Health Act (1383/2001, as amended).
9 See Article 38 GDPR.
10 See Article 37 GDPR.
11 See Art. 5(1)(b), (e) and (f) GDPR and Art. 14 of Law Decree no. 14 of March 9, 2020.