

What should be taken into account in the recruitment process?

The employer must take into account in its recruitment process, among other things, the provisions of the Equality Act, the Act on Equality between Women and Men and the Act on the Protection of Privacy in Working Life (Working Life Privacy Act). As a general rule, the employer collects and stores various personal data about a job seeker in connection with its recruitment process, and possibly conducts various personal and aptitude assessment tests for the job seeker. The Working Life Privacy Act provides for what purposes and what kind of information about a job seeker may be collected and stored, and how the necessary information shall be obtained.

What information can you ask from a job seeker and collect?

You may only ask a job seeker questions related to the job search and the job applied for. Only necessary information related to the job applied for may be collected from the job seeker. Sensitive information about the job seeker, such as information related to his or her health, religion, or sexual orientation, should not be asked for or stored unless it is relevant to the job. The employer must collect necessary personal data related to the job search and the work primarily from the job seeker her-/himself. If the employer collects information about the job seeker from elsewhere, the job seeker's consent must be obtained.

Can the health status of a job seeker be determined?

In certain cases, the employer is obliged to ensure, before concluding an employment agreement, that the employee is medically able to perform the work in accordance with the employment agreement. An employer may have such an obligation, for example, if a person will handle hazardous substances in his or her duties or if his or her poor health can pose a danger to other people, such as colleagues or customers. In the context of the recruitment process, the employer may only ask the job seeker questions related to his or her health that are relevant to the proper performance of the duties, taking into account the nature of the job.

Under what conditions may personal and aptitude tests be conducted?

The job seeker may be subjected to various personal and aptitude assessment tests. However, taking the tests always requires the consent of the job seeker. The employer must also ensure that the test methods used are reliable, that the tests' authors are knowledgeable and that the results obtained from the tests are accurate. A test may be performed if its purpose is to determine the job seeker's abilities for the proper performance of the duties, and the results of the test must be necessary for the employment relationship.

Under what conditions can drug tests be performed and job seeker's credit and criminal record data processed?

The employer may require the job seeker to provide a certificate of drug testing if certain general job-related conditions are met and if the job seeker is to work in duties that require accuracy, good responsiveness, reliability, independent judgment, or in duties involving minors. The employer also has the right, under certain conditions, to process personal credit data about the job seeker in order to assess the job seeker's reliability.

In principle, an employer cannot request information from the authority on the job seeker's criminal record. However, it is the employer's duty to ask the job seeker to provide an extract from his or her criminal record less than six months old before concluding an employment agreement for duties connected with children, for example, duties performed in a kindergarten or school.


The employer also has the option of asking the security police to carry out a security clearance (narrow, basic or extensive) on the job seeker if the company has a strong need to protect its valuable trade secrets or other very important financial interests. Applying for a safety report requires the consent of the job seeker. The conditions for conducting a safety assessment are provided in the Safety Assessment Act.

For how long can job seeker's personal data be stored?

The employer is obliged to prepare a privacy policy required by law, which indicates, among other things, what personal data relating to the job seeker is processed, on what basis and for how long the job seeker's personal data is stored after the recruitment process.

What personal data on the employee may be processed?

The employer may only process personal data which are directly necessary for the employee's employment, which relate to the performance of the rights and obligations of the parties to the employment or the benefits provided to the employee, or which are due to the specific nature of the duties. An employer may not process just any personal data on its employee. The necessity requirement laid down by law cannot be waived even with the consent of the employee.

An employer must not store outdated or unnecessary data relating to its employees. Personal data which are inaccurate and incorrect for the purposes of the processing of personal data must be deleted or rectified without delay. Personal data may only be stored for as long as necessary. There are special provisions regarding the storage periods of employees' personal data, which the employer must comply with. These include, for example, the limitation periods provided for in the Employment Contracts Act, the Working Hours Act and the Accounting Act.

The processing of sensitive data belonging to specific categories of personal data is in principle prohibited. Sensitive information includes, for example, information relating to a person's ethnic origin, political opinions, and sexual orientation.

Under what conditions may data on employee's state of health be processed?

An employer may process data relating to the employee's state of health if the processing is necessary for the payment of the employee's sick pay or equivalent health-related benefits or to determine whether there is a justified reason for the employee's absence from work. The processing of an employee's health data is also permitted in the event that the employee expressly wishes that his or her ability to work should be assessed.

The employer may collect data on the employee's state of health from the employee him-/herself or with his or her written consent from another party. If an employee submits a medical certificate or statement of his or her ability to work to his or her employer, the employer may refer it to occupational health care, unless the employee has refused to provide it.

The employer must keep documents containing data on the employee's state of health separate from the employee's other personal information. Documents concerning an employee's state of health may not be stored in the employer's other personal registers, such as the payroll register.

Information on an employee's state of health may only be processed by persons who, on the basis of that information, prepare, take or implement decisions concerning the employee's employment. The employer shall designate such persons or define the tasks involving the processing of information on the employees' state of health.

What data protection issues should an employer negotiate with its employees?

The collection of personal data during the recruitment process and during the employment relationship is covered by the co-operation procedure in accordance with the Act on Co-operation within Undertakings. If the employer has to apply the provisions of said Act, it has to negotiate with its personnel on the introduction of new personal information systems and their content, as well as on other data to be collected. It is not possible to agree in the co-operation procedure on the collection of data that does not meet the necessity requirement of the Working Life Privacy Act.

What are the consequences of breaking the law?

The employer or the employer's representative may be sanctioned for violating the provisions of the Working Life Privacy Act. Violations of the General Data Protection Regulation may result in an administrative fine being imposed on the controller or data processor in accordance with the Regulation, which may result, for example, from violating the obligations of the controller and the data subject's rights under the Regulation.

Fines for data protection offenses, data breaches, wiretapping, breaches of confidentiality and secrecy, among others, are provided for in the Penal Code. Infringements of the provisions on the co-operation procedure are provided for in the Act on Co-operation within Undertakings.
