Viking Line Abp – €230,000 Fine (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Viking Line Abp was fined EUR 230,000 for mishandling employee health data. They stored health information longer than necessary and did not fully comply with a former employee's request to access their data. This case highlights the importance of proper data management and transparency in handling sensitive information.
What happened
Viking Line Abp stored employee health data longer than necessary and failed to fully comply with a data access request.
Who was affected
Employees and former employees whose health data was stored in Viking Line's systems.
What the authority found
The Finnish DPA found Viking Line Abp violated GDPR by improperly storing health data and not providing complete access to it upon request.
Why this matters
This case underscores the need for companies to manage sensitive data responsibly and ensure transparency with employees about data handling practices. It serves as a reminder to regularly review data retention policies.
Original data from scraper before AI verification against source document.
A shipping company, Viking Line (controller), maintained an extensive register containing employees' and former employees' health data. A former employee (data subject) requested a copy of sick leave certificates, diagnosis information, and the registers' log data from the controller, which did not comply with the request in a complete manner. On 26 October 2020, the data subject complained to the Finnish DPA (Tietosuojavaltuutetun toimisto) about the controller's processing of health data. The DPA started an investigation, which addressed the following facts.
Storing health data in the personnel management system
The controller operated two registers. Medakt was an electronic patient information system used on the controller's ships, where the nurses recorded notes about treatment procedures and given medicines. MAPS, on the other hand, was a personnel management system holding information related to the employment relationship, such as employee names and contact information, contract status, qualification, salary payment and medical care costs. In addition, the MAPS system contained information on employee absences, including sickness dates and ICD (International Classification of Diseases) diagnosis codes. However, the controller claimed they removed the diagnosis information from the system in 2020.
Storing health data for longer than necessary
The controller claimed they kept the information about the period of sick leave and the right to pay in the MAPS system for ten years after the end of the employee absence. However, the data subject demonstrated that the controller stored their health information (including diagnosis information) in the MAPS system for twenty years. The Medakt system stored data indefinitely.
Storing incorrect diagnosis information in MAPS
According to the controller, it was not possible to register all ICD codes in the MAPS system. Hence, nurses tried to find the closest matching code that could be entered. As a result, the diagnosis infor
Related Enforcement Actions (0)
No other enforcement actions found for Viking Line Abp in FI
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Viking Line Abp - Finland (2022). Retrieved from cookiefines.eu