Finnish SA imposes 230.000 Euro fine on passenger traffic company
On January 6th, 2023, the Finnish Supervising Authority (SA) imposed an administrative fine on the passenger traffic company Viking Line. Following a complaint, the Authority began an investigation that quickly found out that the company was unlawfully processing the employees’ health data.
In particular, Viking Line stored employees’ diagnosis in an HR system in order to handle absences. The Authority found that several of these diagnosis were stored for over 20 years, and in some cases were also inaccurate.
The inaccuracy of health data poses a clear risk for the legal protection of an individual. Furthermore, it was highlighted in the Authority’s decision that health data should be stored only as long as strictly necessary.
Moreover, the complainant had requested access to his personal data. This was granted, but only after a long and difficult iter, with the company bringing forward several different arguments to justify the delay.
In addition to these findings, the SA also stated that Viking Line had not appropriately informed its employees about the processing of their personal data, thus resulting in a clear breach of the GDPR.
Besides the administrative fine of 230.000 Euros, the SA ordered Viking Line to correct their practices and inform their employees about the processing of their personal data according to the GDPR.
