Finnish SA: Administrative fine on Viking Line for unlawful processing of employees' health data

6 January 2023

Background information

  • Date of final decision: 9 December 2022
  • Cross-border case or national case, One-Stop-Shop Procedure: the decision was taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (OSS).
  • If cross-border, LSA: Finnish SA
  • and CSAs: Swedish SA; Estonian SA; Norwegian SA
  • Controller: Viking Line Oy Abp
  • Legal Reference: accuracy of data (Article 5(1)(d)), data protection by design and by default (Article 25(1)), right of access (Article 15 and Article 12(3)), information to be provided where personal data are collected from the data subject (Article 13)
  • Decision: Reprimand and administrative fine
  • Key words: health data, employee data  


Summary of the Decision


Origin of the case

The Finnish Supervisory Authority (SA) investigated Viking Line Oy Abp’s activities on the basis of a complaint. A former employee of Viking Line informed the Finnish SA that they had not received all their personal data being stored in the company's systems despite their request.

According to the employee, Viking Line had been keeping their health data in an HR system for 20 years. Viking Line had saved diagnoses in connection with information on absences due to illness into the HR system. According to the complainant, some diagnosis information stored was inaccurate, because it was not possible to enter all diagnosis codes into it.


Key Findings

According to the Finnish Data Protection Act, saving diagnosis information in connection with other employment-related data is against the law. Not only had Viking Line unlawfully saved its employees' diagnosis information in the HR system, but some of the data was inaccurate as well. The Finnish SA found the company's activities to be particularly reprehensible in this regard.

Health data should also have been erased immediately when its storage was no longer necessary. Even inaccurate diagnosis information had been stored for a considerable period of time. Inaccurate diagnosis information can pose a risk to an individual's legal protection.

Viking Line had not informed its employees appropriately of the processing of their personal data. The Finnish SA notes that the company should have provided the employee with all of the data requested by them.



An administrative fine of EUR 230,000 was imposed on Viking Line for several violations of data protection legislation. The company was also reprimanded. The Finnish SA ordered the company to correct its practices and inform its employees of the processing of their personal data as required by the GDPR.


For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.