Finland - National GDPR Implementation Overview

February 2020

1. THE LAW

1.1. National implementing legislation of the GDPR

In Finland, the GDPR is supplemented by the Data Protection Act (1050/2018) ('the Data Protection Act'), which entered into force on 1 January 2019 and repealed the old Personal Data Act (523/1999). Pursuant to the Data Protection Act, processing of personal data is governed by Finnish law if the controller's place of business is located in Finland and if the processing is carried out in the context of the activities of an establishment of a controller or processor in the EU. It should be noted that the Data Protection Act provides that it shall apply, together with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') but with the exception of Article 56 (Competence of the Lead Supervisory Authority) and Chapter VII (Cooperation and Consistency), in Finland and also to activities that fall outside the scope of EU law and to processing of personal data by the EU Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union - Official Journal C 191 (29 July 1992), unless specified otherwise elsewhere in the law.

Finland also has special legislation regarding the processing of personal data. The Act on the Protection of Privacy in Working Life (759/2004) as amended in 2019 ('the Act of Privacy in Working Life') sets out specific and comparably strict rules for the processing of applicants' and employees' personal data, monitoring of employees, and other matters related to employees' privacy. The Act of Privacy in Working Life has been amended following the GDPR, and its amendments entered into force on 1 April 2019.

The GDPR has also called for amendments to many other national acts. Amendments to the Criminal Code (39/1889) ('the Criminal Code'), the Act on Enforcement of Fines (672/2002) (only available in Finnish here), and the Act on Grey Economy Information Unit (1207/2010) (only available in Finnish here) entered into force on 1 January 2019. Further amendments are also expected, as the Government has submitted a proposal for necessary amendments to social security and insurance legislation. The proposal has not yet been adopted by the Parliament.

Moreover, more detailed obligations on specific topics related to data protection have been adopted in other legislation. The Act on the Secondary Use of Health and Social Data (552/2019) (only available in Finnish here) entered into force on 1 May 2019, consolidating regulations related to the secondary utilisation of health and social care data under the same law. The Public Administration Information Management Act (906/2019) (only available in Finnish here) entered into force on 1 January 2020, repealing the Act of the Administration of Information Management in Public Administration (634/2011) (only available in Finnish here). The act defines the entire lifecycle of information in public administration.

Lastly, the Act on Electronic Communications Services (previously called the Information Society Code) (917/2014) (only available in Finnish here) ('the Act (917/2014)') includes provisions on the confidentiality of electronic communications. For example, the Act (917/2014) sets out obligations for the processing of communications data, data retention, and electronic direct marketing. The Act (917/2014) is currently being reformed in order to implement the requirements of the Directive on Audiovisual Media Services (Directive 2010/13/EU) and the European Electronic Communications Code (Directive (EU) 2018/1972).

1.2. Guidelines

The Office of the Data Protection Ombudsman has issued a List Compiled by the Office of the Data Protection Ombudsman of Processing Operations which require Data Protection Impact Assessment (DPIA) ('the DPIA List'), in line with Article 35(4) of the GDPR. The DPIA List is based on the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 ('Working Party 29 DPIA Guidelines'). The DPIA List complements and further specifies these guidelines and is non-exhaustive in nature.

Other guidance on various topics, e.g. privacy in working life, is also available on the Ombudsman's website.

1.3. Case Law

As of January 2020, there are a total of five GDPR enforcement decisions published by the Ombudsman. None of the cases led to administrative fines.

  • In the case 60/171/2020, 3.1.2020 (only available in Finnish here) concerning a Finnish bank, the Deputy Data Protection Ombudsman issued a reprimand to the bank for failing to provide the data subjects with information on a data breach transparently, as required under Article 5 and Article 12 of the GDPR.
  • In the case 3075/182/2018, 3.1.2020 (only available in Finnish here) concerning a Finnish financial services company, the Deputy Data Protection Ombudsman confirmed that a user of a shared bonus account had the right to access his/her own bonus point information but not that of others. Providing information on the bonus points of others would have led to a breach of bank-client confidentiality and Article 15(4) of the GDPR.
  • In the case 6465/182/2018, 28.11.2019 (available in Finnish here and a summary in English here) a company operating movie theatres provided a loyalty scheme, which a person had to join for booking movie tickets and purchasing electronic serial tickets. The loyalty scheme could not be joined without consenting to direct marketing. The practice did not meet the consent requirements of the GDPR.
  • In the case 7713/163/2018, 22.11.2019 (available in Finnish here and a summary in English here) the company's practices for confirming the data subject's identity in connection with a data subject request required the data subjects to provide more personal data than the data controller originally had on the data subjects. In light of the GDPR (Recital 57), the practice was considered to exceed the limits set by the principle of minimisation and by the Article 12(2) and Article 12(6) of the GDPR on the conditions to request additional information.
  • In the case 2691/171/19, 10.10.2019 (available only in Finnish here) concerning a Finnish government agency, a postal package containing confidential customer information went missing. By the decision of the Data Protection Ombudsman and in light of Article 34 of the GDPR and the guidelines on personal data breach notifications under the GDPR, the government agency was required to issue a public notice or similar action regarding the data breach in order to reach all affected data subjects, as they were not known and the risk to the rights and freedoms of data subjects as a result of the breach was likely to be high.

2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

2.1. Main regulator for data protection

The Ombudsman acts as the Finnish supervisory authority with regard to the GDPR and its supplementing legislation. As such, excluding the power to impose administrative fines, the powers and tasks of a supervisory authority are allocated to a single governmental official.

The Ombudsman has an office, which consists of a data protection ombudsman, two deputy data protection ombudsmen, the necessary number of referendaries, as well as other personnel. The Ombudsman's office also includes an internal expert board, which consists of a chairperson, deputy chairperson, and three other members with personal deputies. The board members are experts independent of the Ombudsman. The board can also consult other experts if required. The board was appointed at the end of 2019 for a term of three years. The Ombudsman's office also includes the sanctions board, which has the power to impose administrative fines in accordance with the GDPR. The sanctions board consists of the ombudsman and the deputy ombudsmen.

The decisions of the supervisory authority and the sanctions board can be appealed to an administrative court in accordance with the GDPR and as further specified in the Data Protection Act.

2.2. Main powers, duties and responsibilities

The power to impose administrative fines is vested in the sanctions board (see previous section).

The other main powers of the Ombudsman are based on Articles 55-59 of the GDPR. Additionally, under the Data Protection Act the Ombudsman has been granted a right to access any information necessary to exercise its duties free of charge, even when such information is covered by confidentiality provisions. However, inspections carried out in premises used for permanent residence are restricted to suspected infringements punishable by administrative fines or by sanctions under the Criminal Code. The Ombudsman may also request executive assistance from the Finnish police when exercising its powers. Furthermore, the Ombudsman has certain additional duties and powers based on Finnish legislation. The deputy ombudsmen have powers equivalent to those of the Ombudsman.

If requested to do so, the expert board shall provide the Ombudsman with statements on significant questions concerning the application of data protection law. However, the expert board does not directly participate in the imposition of administrative fines.

3. NOTIFICATION | REGISTRATION

3.1. National requirements

There is no general obligation to notify regulators of any processing under the GDPR other than the requirement to notify the Ombudsman of the details of a data protection officer ('DPO') (further discussed in section 7). However, under the GDPR, the controller shall consult the Ombudsman prior to processing where a data protection impact assessment ('DPIA') under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Ombudsman must also be provided with a DPIA, regardless of the level of risk present, prior to the processing of special categories of personal data or criminal convictions data for scientific or historical research purposes or statistical purposes under the derogations of the Data Protection Act, where the basis of such processing is a DPIA in accordance with the procedure described below in section 10.

The Act (917/2014) requires that a corporate subscriber, i.e. a legal person who is party to an agreement concerning the provision of a communications service or an added value service for a purpose other than telecommunications operations, shall inform the Ombudsman in advance of processing data traffic for certain purposes.

4. DATA SUBJECT RIGHTS

4.1. Variations of GDPR on right of information to be provided

In Finland, there is no language requirement for privacy notices, but they must be easy to understand, and the language must be clear and plain. It is recommended that privacy notices are provided in Finnish, but if it is reasonable to presume that all potential data subjects understand another language well enough, e.g. English or Swedish, the information may be provided in that foreign language.

The Data Protection Act provides several derogations with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes. In such case, the GDPR's provisions on data subject's rights, including on informing the data subject, shall not apply.

In addition, under the Data Protection Act, the data subject's right to receive information on the processing may be restricted, if such restriction is necessary for reasons of national safety or defence, public order or safety, preventing or solving crimes, or it is necessary for a surveillance assignment relating to taxation or public finances. Furthermore, certain aspects of the right to receive information may be restricted where information has not been collected from a data subject, providing such information may cause significant damage or harm to the data subject, and the collected information is not used in decision-making regarding the data subject. In case the right to receive information is restricted in accordance with the above-mentioned derogations, the controller shall, as specified in the Data Protection Act, implement appropriate measures to safeguard the rights of the data subjects, which include e.g. keeping the information on processing available to everyone, provided that it does not compromise the purpose of the derogation in question.

Right of access (Article 15)

According to the Data Protection Act, the GDPR's provisions on data subject's rights, including on the access right, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

In addition, under the Data Protection Act, the right may be restricted when personal data are processed for scientific or historical research purposes, where necessary, and provided that the preconditions laid down in the Data Protection Act are met, for example that the processing is based on an appropriate research plan and it is ensured that information of a specific person are not disclosed to third parties.

In addition, right of access may be restricted when personal data are processed for statistical purposes, where necessary and provided that the preconditions laid down in the Data Protection Act are met, for example that the statistics may not be produced or the requirement for information may not be fulfilled without processing personal data and the information is not made available in a way where a specific person is identifiable from the information, unless it is disclosed for public statistics produced by the authorities.

In addition, under the Data Protection Act, the right of access may be restricted if:

  • providing the information could cause harm to national safety or defence, public order and safety, or the prevention or solving of crimes;
  • providing the information could severely threaten the health or treatment of data subjects or the rights of data subjects or someone else; or
  • personal data are used for surveillance and inspection tasks, and not providing the information is necessary for an important economic or financial interest of Finland or of the EU.

Data subjects shall be informed of the reasons for the restrictions, unless this endangers the purpose of the restriction. If the restriction covers only a part of the data relating to the data subject, he or she still has a right to access the remaining information concerning him or her. If the data subject does not have the right to access his/her personal data, such information shall be provided to the Ombudsman on the data subject's request.

National special legislation may also restrict the access right, such as the Finnish Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017) (only available in Finnish here), according to which the data subject does not have a right to access the information gathered by those entities (e.g. credit institutions and insurance companies) that have an obligation to report any suspicious business activities. However, the Ombudsman may inspect the legality of the processing of such data pursuant to the data subject's request.

4.2. Variations of GDPR on right to erasure

According to the Data Protection Act, the GDPR's provisions on the data subject's rights, including on right to erasure, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

4.3. Variations of GDPR on right to restriction of processing

According to the Data Protection Act, the GDPR's provisions on data subject's rights, including on right to restriction of processing, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

Additionally, the right to restrict processing may be restricted under the Data Protection Act when personal data are processed for scientific or historical research or statistical purposes, providing that the preconditions laid down in the Data Protection Act are met, as described in more detail above regarding the access right.

4.4. Variations of GDPR on right to data portability

According to the Data Protection Act, the GDPR's provisions on data subject's rights, including on right to data portability, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

4.5. Variations of GDPR on automated individual decision-making, including profiling

According to the Data Protection Act, the GDPR's provisions on the data subject's rights, including on the rights regarding automated individual decision-making, including profiling, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

There are no other variations in the Data Protection Act concerning data subject's rights regarding automated individual decision-making, including profiling. However, special legislation may contain provisions, such as the rules of the Act of Privacy in Working Life regarding assessment of employees, which shall be taken into account in context of automated individual decision making and/or profiling.

4.6. Other variations

The Data Protection Act also rules out the GDPR's provisions on the data subject's right to object to processing and the right to have inaccurate data corrected with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

In addition, under the Data Protection Act these rights may also be derogated from when personal data are processed for scientific or historical research or statistical purposes, providing that the preconditions laid down in the Data Protection Act are met, as described in more detail above regarding the access right.

5. CHILDREN

5.1. National regulation of the processing of children's data and age of consent

The applicable age of consent in relation to information society services offered directly to a child is 13 years.

Please note that the age limit above applies only to consent given in relation to information society services offered directly to a child. Should consent be obtained for any other kind of processing (such as the use of photographs or direct marketing purposes), the age applicable for consent is determined in accordance with the general rules of the Act on Child Custody and Right of Access (361/1983). The general rule is that the person having custody of a child represents the child in matters concerning his or her person, unless otherwise provided by law. Custody ends when the child attains the age of 18 years. However, a child can represent him/herself (i.e. give consent) in matters where it is appropriate considering the child's age, level of development, and the nature of the matter. As a rule of thumb, it has been considered that in 'ordinary matters' a 15-year-old child may represent him/herself. Even a younger child can give consent in matters appropriate considering their age and level of development, but this should be evaluated on a case-by-case basis.

6. PROCESSING OF SPECIAL CATEGORIES OF DATA & CRIMINAL CONVICTIONS

6.1. National regulation concerning the processing of special categories of data and criminal conviction data

The Data Protection Act restricts the application of Article 9 of the GDPR concerning special categories of personal data and Article 10 concerning criminal conviction data where such data are processed solely for journalistic purposes or academic, artistic, and literary expression purposes.

Furthermore, the Data Protection Act restricts the application of Article 9(1) of the GDPR in several other cases, such as when data are processed by an insurance company and relate to the health, sickness, or disability of, or treatment received by, a data subject, and such data are necessary to verify the responsibility of the insurance company. When special categories of personal data are processed under the derogations referred to in this paragraph, the controller and the processor shall implement appropriate and special measures to protect the rights of the data subject, which include for example the appointment of a DPO and encryption of the personal data.

Processing of special categories of personal data and criminal conviction data is also allowed under derogations from the rights of data subjects in the context of scientific or historical research purposes or statistical purposes, provided that the preconditions described below in section 10 are satisfied.

The Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018) (only available in Finnish here) implements the Law Enforcement Directive (Directive (EU) 2016/680) and also provides more detailed rules for the processing of information on criminal offences by authorities.

7. DATA PROTECTION OFFICER

7.1. Additional/varied requirements on DPO appointment, role and tasks

8. DATA BREACH NOTIFICATION

8.1. Variation/exemptions on breach notification obligation

According to the Data Protection Act, when personal data are processed solely for journalistic purposes or academic, artistic, and literary expression purposes, notification of a personal data breach to the data subject is not mandatory unless required by the supervisory authority.

8.2. Sectoral obligations

Specific notice of breach rules apply to the electronic communications sector under the Act (917/2014).

9. DATA PROTECTION IMPACT ASSESSMENTS

9.1. National activities subject to prior consultation/authorisation

As further described in section 10 below, when processing special categories of personal data as specified in Article 9 of the GDPR, restricting the rights of a data subject specified in Articles 15, 16, 18, and 21 of the GDPR may require that a DPIA is provided to the Ombudsman before commencing with the envisaged processing.

Additionally, the Ombudsman requires a DPIA to be conducted for certain processing operations in line with the DPIA List:

  • when biometric data is processed for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion as specified in the DPIA List and the Working Party 29 DPIA Guidelines, such as when processing of biometric data is used in systematic monitoring of data subjects;
  • when genetic data is processed in conjunction with at least one other criterion as specified in the DPIA List and the Working Party 29 DPIA Guidelines, such as when genetic data is processed on a large scale;
  • when location data are processed in conjunction with at least one other criterion as specified in the DPIA List and the Working Party 29 DPIA Guidelines, such as when location data processed reveals sensitive data or data of a highly personal nature;
  • when personal data are collected from a source other than the individual without providing them with a privacy notice because of application of Article 14(5)(b) of the GDPR in conjunction with at least one other criteria as specified in the DPIA List and the Working Party 29 DPIA Guidelines, such as when personal data concerns vulnerable data subjects; and
  • when personal data are processed in whistleblower systems.

9.2. National activities not subject to prior consultation/authorisation

There are no such derogations under the Data Protection Act.

10. PROCESSING FOR SCIENTIFIC OR HISTORICAL RESEARCH PURPOSES

10.1. National implementation of Article 89 of the GDPR

Under the Data Protection Act, when personal data are processed for scientific or historical research purposes, the rights specified in Articles 15, 16, 18, and 21 of the GDPR may be restricted where necessary and provided that the preconditions laid down in the Data Protection Act are met, for example that the processing is based on an appropriate research plan and it is ensured that information related to a specific person are not disclosed to third parties.

Where personal data are processed for statistical purposes, the rights specified in Articles 15, 16, 18, and 21 may be restricted where necessary and provided that the preconditions laid down in the Data Protection Act are met, for example that the statistics may not be produced or the requirement for information may not be fulfilled without processing personal data and the information is not made available in a way where a specific person is identifiable from the information, unless it is disclosed for public statistics produced by the authorities.

Additionally, when processing special categories of personal data as specified in Article 9 of the GDPR or criminal conviction data as specified in Article 10 of the GDPR for the aforementioned purposes, restricting the rights specified in Articles 15, 16, 18, and 21 of the GDPR additionally requires that a DPIA is conducted or that the processing is carried out in compliance with a code of conduct which has been approved in accordance with Article 40 of the GDPR and in which the aforementioned restrictions have been sufficiently taken into account. In case the basis of such restriction is a DPIA, the assessment shall be provided to the Ombudsman before commencing with the envisaged processing.

11. SANCTIONS

Supervisory authority's measures

As provided above, in Finland administrative fines are imposed by the sanctions board, composed of the ombudsman and the deputy ombudsmen.

Administrative fines may not be imposed on public authorities or bodies, including e.g. the church and universities. Moreover, administrative fines may not be imposed if more than 10 years have passed since the offence or wrongdoing. To enforce its use of corrective powers under Articles 58(2)(c-g) and 58(2)(j) of the GDPR, as well as its decisions concerning access to information under Section 18 of the Data Protection Act, the supervisory authority has also been granted the power to impose conditional fines under the Data Protection Act.

Criminal law

Unlawful processing of personal data by persons other than a controller or a processor, such as employees of a company acting as data processor or controller, may be punished under the Criminal Code as a data protection crime by a fine or imprisonment of up to one year.

12. OTHER SPECIFIC JURISDICTIONAL ISSUES

According to the Data Protection Act, a personal identity code may be processed where identification of an individual is important, and in such context only with the consent of the individual or, alternatively, if the processing is stipulated by law. Additionally, a personal identity code may be processed in a limited number of other cases specified in the Data Protection Act. The Data Protection Act also stipulates that a personal identity code may not be included unnecessarily in printed documents or in documents drafted on the basis of information contained in a filing system.