HR Data Basics Guide: Nordic Region

History and overview

The Nordic region is part of the EU and has therefore been subject to the General Data Protection Regulation (“GDPR”) since May 2018 and, before that, to its forerunner, the Data Protection Directive. That said, the Nordic region has long had a keen awareness of the paramount importance of careful handling of personal data.

Nordic employers, like many others, collect extensive personal information in the context of employment relationships. Aside from the usual questions for applicants (such as their school and university history), checking criminal records is, for example, not uncommon for senior executives.

In order to balance the employer's need for information with the need to protect applicants and employees, the Nordic countries have each created a clear framework for dealing with personal data. In addition to GDPR, there are numerous country-specific regulations which govern the handling of data, impose severe penalties for violations and include stipulations explicitly focusing on data protection in employment relationships.

It is anticipated that the country-specific regulations will be further adapted and refined in future as the uses of technology and information available expand and develop. This will also involve the development of public understanding and interpretation of GDPR and of local case law.

Monitoring and transparency: why is data privacy so important and at the same time so successful in Nordic regions?

It is not for nothing that the Nordic countries have the reputation of being some of the safest countries in the world. The Nordic countries collect a wide range of information about their inhabitants for health and safety, crime prevention and other socio-economic purposes.

The practice of collecting such vast amounts of personal data is a double-edged sword; on one hand, it may allow the state to better protect its people, but it also raises clear risks from a data protection perspective, not least given the relatively strict requirements under both the GDPR and local laws. This tension is particularly evident in the employment sphere.

In parallel with technological progress, the Nordic countries are taking steps to protect and limit the processing and storage of personal data in the employment sphere. There are, for example, clear local provisions governing the processing of sensitive employee personal data such as drug usage, requirements for the way in which tests and examinations are carried out, provisions concerning camera surveillance in the workplace and provisions on retrieving and opening workplace emails.

Nordic countries are seeking to strike a balance between the encroachment on the employees' personal rights and employers' interest in and need for information.

The interplay between national legislation and European requirements

Finland, Sweden and Denmark are part of the EU and have therefore been subject to the GDPR since 25 May 2018. Although not a member of the EU, Norway is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA agreement and became applicable in Norway on 20 July 2018. Norway is therefore bound by the GDPR in the same manner as EU member states.

The GDPR provides the framework and at the same time the minimum standard for data protection in the Nordic countries. Each of the states enacted domestic legislation, which included a number of enhanced provisions and requirements beyond those provided by GDPR. There is a clear emphasis across the region on data security and the use of personal data, and a marked emphasis on ensuring compliance coupled with increased sanctions for failure to comply.

Unsurprisingly, the European influence on data protection in the Nordic regions is significant. Further, the national legislation across the Nordic region is similar, informed as it is by the shared history and experience of the region and characterised by the desire to supplement the GDPR in a meaningful way in the interests of the relevant country and the general public. That said, and again informed by the needs of each country and its people, there are differences across the region.

  • The Finnish Data Protection Act came into effect on 1 January 2019 and the Finnish Data Protection Ombudsman officially became the Finnish supervisory authority after January 2019. An unusual feature of the Finnish Act is that, in contrast to GDPR, fines cannot be imposed on public authorities, only on private persons. Under the Act, administrative fines can only be imposed by a collegial body which is composed of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. Since these Deputy Data Protection Ombudsmen were only appointed on 1 May 2019, it was not possible to impose administrative fines in Finland before that date.
  • The Danish Data Protection Act has been in place since 2018 and was adapted to complement the GDPR. The Danish Data Protection Agency has signalled (by regularly updating the Danish Data Protection Act amongst other steps) its intention to take a more aggressive approach to enforcement and to impose significant fines where appropriate. As of May 2019, the Danish Data Protection Agency has imposed a fine of EUR 160,000 for retaining data for longer than necessary to fulfil the required purpose. With regard to data protection in employment relationships, the Danish Data Protection Agency has published specific guidelines for the processing of personal data in an employment context (in Danish only).
  • There are several local regulations under Swedish law which support and add to the position established under the GDPR. In addition to the general Swedish Data Protection Act, the Swedish Monitoring Act of 2018 which regulates the monitoring of closed circuit television (“CCTV”) in the employment relationship is of particular interest for employers. As a general rule, private businesses do not require a governmental permit to carry out CCTV monitoring. Exceptions apply where the business operates school, healthcare or public transportation activities. Any CCTV monitoring must be carried out in compliance with GDPR and the general Swedish Data Protection Act.

Employee data: what are the implications?

The relationship between employee and employer is facing new challenges in light of the increasing technological advances, as employers have to balance their needs and wants against the growing recognition of personal data protection and individual rights. 

Employers may increasingly have access to new means of communication, monitoring systems, etc. and will need to consider how to best use these in the context of their growth and development (whether this may be to improve production, incentivise or control employees or for other purposes), whilst always considering the implications, risk and potential harm to employees. Whilst the Nordic region has always sought to be a pioneer in safeguarding workers' rights and minimising interference with personal rights, the challenge it faces is in doing so when confronted with increasing technological advances and developments.