Finland: Deputy Ombudsman fines company €12,500 for GDPR violations
The Office of the Data Protection Ombudsman ('the Ombudsman') announced, on 22 May 2020, that the Deputy Data Protection Ombudsman ('the Deputy Ombudsman'), had issued a decision ('the Decision') in which it fined a company €12,500 for the collection of personal data without a valid legal basis. In particular, the Decision notes that the Act on the Protection of Privacy in Working Life outlines that an employer is only permitted to process data that is necessary in light of the employment relationship and that the company had asked for information on matters such as the religious beliefs, state of health, possible pregnancy, and family status of the data subjects.
In addition, the Decision notes that Deputy Ombudsman ordered the company to erase the unnecessary data and cautioned it about the deficiencies in the documentation required under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Update (29 May 2020)
EDPB issues statement on Deputy Ombudsman's decision to fine company for GDPR violations
The European Data Protection Board ('EDPB') issued, on 27 May 2020, a statement ('the Statement') on the Deputy Ombudsman's decision to fine a company €12,500 for the collection of personal data without a valid legal basis.
You can read the Statement here.