Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Finland - Data Protection Overview
Back

Finland - Data Protection Overview

February 2024

1. Governing Texts

Finland, located in northern Europe, is a member state of the European Union. Thus, the EU data protection legislation, including the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), is applicable in its territory. In Finland, the GDPR and its national application are further specified and supplemented by the Data Protection Act (1050/2018) ('the Data Protection Act'). The Data Protection Act provides for example for the appointment, organization, and powers of the supervisory authority on data protection matters. Further, Finland has various sector-specific obligations related to the processing of personal data adopted in specific legislation. For example, the processing of personal data at workplaces is governed by the Act on the Protection of Privacy in Working Life (759/2004) as amended in 2019 ('the Act of Privacy in Working Life'), which sets out comparably strict rules with relation to the processing of job applicants' and employees' personal data.

1.1. Key acts, regulations, directives, bills

The Data Protection Act entered into force on January 1, 2019, and repealed the old Personal Data Act (523/1999). Pursuant to the Data Protection Act, processing of personal data is governed by Finnish laws, if the controller's place of business is located in Finland, and if the processing is carried out in the context of the activities of an establishment of a controller or processor in the EU. It should be noted that the Data Protection Act provides that it shall apply, together with the GDPR but with the exception of Article 56 (Competence of the Lead Supervisory Authority) and Chapter VII (Cooperation and Consistency), in Finland and also to activities that fall outside the scope of EU law and to processing of personal data by the EU Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union ('TEU'), unless specified otherwise elsewhere in the law.

Finland also has special legislation regarding the processing of personal data. The Act of Privacy in Working Life sets out specific and comparably strict rules for the processing of applicants' and employees' personal data, monitoring of employees, and other matters related to employees' privacy. The Act of Privacy in Working Life has been amended following the GDPR, and its amendments entered into force on April 1, 2019.

The GDPR has also called for amendments to many other national acts. Amendments to the Criminal Code (39/1889) ('the Criminal Code'), the Act on Enforcement of Fines (672/2002) (only available in Finnish here), and the Act on Grey Economy Information Unit (1207/2010) (only available in Finnish here) entered into force on January 1, 2019. Further, necessary amendments to social security and insurance legislation entered into force on  April 20, 2020.

Moreover, more detailed obligations on specific topics related to data protection have been adopted in other legislation. The Act on the Secondary Use of Health and Social Data (552/2019) entered into force on 1 May 2019, consolidating regulations related to the secondary utilization of health and social care data under the same law. The Public Administration Information Management Act (906/2019) entered into force on  January 1, 2020, repealing the Act of the Administration of Information Management in Public Administration (634/2011) (only available in Finnish here) ('Public Administration Information Management Act'). The Public Administration Information Management Act defines the entire lifecycle of information in public administration.

Lastly, the Act on Electronic Communications Services (previously called the Information Society Code) (917/2014) ('the Act 917/2014') includes provisions for the confidentiality of electronic communications. For example, Act 917/2014 sets out obligations for the processing of communications data, data retention, and electronic direct marketing. The Act 917/2014 was reformed in order to implement the requirements of the Directive on Audiovisual Media Services (Directive 2010/13/EU) and the European Electronic Communications Code (Directive (EU) 2018/1972). These amendments entered into force on January 1, 2021.

1.2. Guidelines

The Office of the Data Protection Ombudsman ('the Ombudsman') has issued a List Compiled by the Office of the Data Protection Ombudsman of Processing Operations which requires Data Protection Impact Assessment (DPIA) ('the DPIA List'), in line with Article 35(4) of the GDPR. The DPIA List is based on the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 ('Working Party 29 DPIA Guidelines'). The DPIA List complements and further specifies these guidelines and is of a non-exhaustive nature.

The Ombudsman has also published the following: guidelines relevant to DPIAs:

Also, other guidance on different topics, e.g. privacy in working life, is available at the Ombudsman's website here.

Furthermore, the European Data Protection Board ('EDPB') has published the following Opinion for Finland Opinion 8/2018 on the draft list of the competent supervisory authority of Finland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) (25 September 2018)

The Finnish Transport and Communications Agency ('Traficom') has given guidance on topics relating to the confidentiality of electronic communications, including guidelines on the use of cookies.

1.3. Case law

The Supreme Administrative Court of Finland ('the Supreme Administrative Court') has given the following precedents in which it has applied the GDPR:

  • in the case 31344/2022, September 12, 2023 (only available  in Finnish here), the Supreme Administrative Court found that the evidence submitted in the case could not be considered sufficient to indicate that the company had collected unnecessary personal data without a lawful basis for processing;
  • in case 23856/2021, September 12, 2023 (only available in Finnish here), the Supreme Administrative Court found that Articles 12(1), 13(1) and (2) of the GDPR require the controller to take active measures in order to provide the information referred to in the said articles to the data subjects;
  • in the case 2562/2022, June 5, 2023 (only available in Finnish here), the Supreme Administrative Court found that the controller had not provided sufficient evidence that would allow the collection of the personal identification numbers of minor children living with their parents in rented accommodation. Moreover, the Supreme Administrative Court held that where the collection of the personal identification numbers of minor children is necessary for reasons related to the tenancy agreement and the application for accommodation, it does not constitute a need to collect personal identification numbers as a rule from all minor children of tenants or applicants for accommodation;
  • in the case 785/2022, January 13, 2023 (only available in Finish here), the Supreme Administrative Court found that it was not possible to retroactively record the changes submitted by the appellant in his request for correction in the Population Information System from the dates submitted. Since the address data in the Population Information System corresponded to the notifications of the changes of address made, the data on the place of residence requested by the appellant for correction on the basis of Article 16 of the GDPR could not be considered incorrect for the purposes of the processing of the data under the Municipality of Residence Act (201/1994) (only available in Finnish here);
  • in the case 21814/2021, December 21, 2022 (available only in Finnish here), the Supreme Administrative Court found that the Tax Administration had a legal obligation to hand over a requested list regarding taxpayer information to the media. Thus, the disclosure of the requested information was processing of personal data within the meaning of Article 6(1)(c) of the GDPR. Therefore, the right to object under Article 21 of the GDPR could not be used for such processing of personal data. Further, information about exercising the right to object under Article 21 of the GDPR was considered public, as it was not expressly stipulated to be kept secret under the Finnish Act on the Openness of Government Activities (621/1999; amendments to 907/2015 included);
  • in the case 20397/2021, November 23, 2022 (available only in Finnish here) the Supreme Administrative Court found that the risk to the rights and freedoms of data subjects caused by a data security breach at a law firm could be considered both probable and serious. Further, the data security breach of personal data in question likely resulted in a high risk to the rights and freedoms of natural persons, as referred to in Article 34 of the GDPR;
  • in the case 20383/2020, September 10, 2021 (available only in Finnish here), the Supreme Administrative Court found that the one-year probationary period of the Data Protection Authority of Åland did not comply with Article 54 (1)(d) of the GDPR. Thus, the decision to terminate the appointment could be appealed;
  • in case 3145/1/19, June 11, 2020 (available only in Finnish here), the Supreme Administrative Court ruled that the data subject was entitled to appeal directly to an administrative court against a decision by a public authority controller concerning the refusal to grant access to information under Article 15 of the GDPR; and
  • in the case 86/2/18, January 30, 2020 (available only in Finnish here), the Tax Administration had instructed Bank A Oyj to submit a list of all its customers for the purpose of performing a comparative information audit. However, the Supreme Administrative Court ruled that the request was not in accordance with Articles 5 and 6 of the GDPR.

2. Scope of Application

2.1. Personal scope

The Data Protection Act is applied in accordance with the scope of Article 2 of the GDPR with the exceptions defined below. There are no separate provisions on this matter in the Data Protection Act. Thus, it applies to natural persons and both private and public organizations.

2.2. Territorial scope

Pursuant to the Data Protection Act, processing of personal data is governed by Finnish laws, if the controller's place of business is located in Finland, and if the processing is carried out in the context of the activities of an establishment of a controller or processor in the EU.

2.3. Material scope

The Data Protection Act is applied in accordance with the scope of Article 2 of the GDPR. The Data Protection Act also provides that it shall apply together with the GDPR but with the exception of Article 56 (Competence of the Lead Supervisory Authority) and Chapter VII (Cooperation and Consistency), in Finland and also to activities that fall outside the scope of EU law and to processing of personal data by the EU Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU, unless specified otherwise elsewhere in the law.

The Data Protection Act is not applied to sessions of the Parliament of Finland, nor to the processing of personal data that is governed by the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018) ('the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security Act').

The processing of applicants' and employees' personal data is further governed by the Act of Privacy in Working Life.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Ombudsman acts as the Finnish supervisory authority with regards to the GDPR and its supplementing legislation. As such, excluding the power to impose administrative fines, the powers and tasks of a supervisory authority are allocated to a single governmental official.

The Ombudsman has an office, which consists of a data protection ombudsman, two deputy data protection ombudsmen, a necessary amount of referendaries, as well as other personnel. The Ombudsman's office also includes an internal expert board, which consists of a chairperson, deputy chairperson, and three other members with personal deputies. The board members are experts independent of the Ombudsman. The board may also consult with other experts if required. The board was appointed at the end of 2020 for a term of three years. The board has not yet been appointed for the following period. The Ombudsman also includes the sanctions board with the power to impose administrative fines in accordance with the GDPR. The sanctions board consists of the ombudsman and the deputy ombudsmen.

The Ombudsman shall process a complaint based on Article 77 of the GDPR within three months of its initiation or alternatively inform the data subject of the estimated time of the decision. The decisions of the supervisory authority and the sanctions board can be appealed to an administrative court in accordance with the GDPR and as further specified in the Data Protection Act. If the Ombudsman fails to comply with the time period of three months, the data subject shall have the right to lodge a complaint before an administrative court.

3.2. Main powers, duties and responsibilities

The power to impose administrative fines is vested in the sanctions board (see the section on the main regulator for data protection above).

The other main powers of the Ombudsman are based on Articles 55 to 59 of the GDPR. Additionally, under the Data Protection Act the Ombudsman has been granted a right to access any information necessary to exercise its duties with no cost and even when such information is covered by confidentiality provisions. However, the inspections to be carried out in a space for permanent residency are restricted to suspected infringements punishable by administrative fines or sanctions under the Criminal Code. The Ombudsman may also request executive assistance from the Finnish Police when exercising its powers. Furthermore, the Ombudsman has certain additional duties and powers based on the Finnish legislation. Furthermore, the deputy ombudsmen have equivalent powers with the Ombudsman.

If requested to do so, the expert board shall provide the Ombudsman with statements on significant questions concerning the application of data protection law. However, the expert board does not directly participate in the imposition of administrative fines.

4. Key Definitions

In Finland, the definitions laid down by Article 4 of GDPR are applied as such. Finnish data protection law does not contain any specifications to these definitions.

Data controller: There is no national variation to this definition.

Data processor: There is no national variation to this definition.

Personal data: There is no national variation to this definition.

Sensitive data: There is no national variation to this definition.

Health data: There is no national variation to this definition.

Biometric data: There is no national variation to this definition.

Pseudonymization: There is no national variation to this definition.

5. Legal Bases

All legal bases laid down by Article 6 of the GDPR are applicable in Finland. The Data Protection Act contains certain elaboration on the application of some of these legal bases. These are listed below under the relevant legal basis.

5.1. Consent

According to the Data Protection Act, the applicable age of consent in relation to information society services offered directly to a child is 13 years. This subject is further discussed in the section on children's data below.

The Act on the Protection of Privacy in Working Life states that the employer is only allowed to process personal data directly necessary for the employee's employment relationship, which is connected with managing the rights and obligations of the parties to the employment relationship or with the benefits provided by the employer for the employee or which arises from the special nature of the work concerned. No exceptions can be made to this necessity requirement, even with the employee's consent.

5.2. Contract with the data subject

There is no national variation to the GDPR.

5.3. Legal obligations

There is no national variation to the GDPR.

5.4. Interests of the data subject

There is no national variation to the GDPR.

5.5. Public interest

According to the Data Protection Act, personal data may be processed when it is necessary for the performance of a task carried out in the public interest as laid down by Article 6(1)(e) of the GDPR; for example, if the data describes the position of a person, their duties, or the performance of these duties in a public sector entity, business and industry, activities of civil society organizations, or other corresponding activities, insofar as the objective of the processing is of public interest and the processing is proportionate to the legitimate aim pursued.

Further, the data may be processed if the processing is proportionate and necessary for the performance of the task carried out in the public interest by an authority, the processing is necessary for scientific or historical research purposes or statistical purposes and it is proportionate to the aim of public interest pursued or the processing of research material and cultural heritage material containing personal data and the processing of personal data included in their metadata for archiving purposes is necessary and proportionate to the aim of public interest pursued and to the rights of the data subject.

5.6. Legitimate interests of the data controller

There is no national variation to the GDPR.

5.7. Legal bases in other instances

According to the Data Protection Act, the legal bases laid down by Article 6 of the GDPR are not applied to the processing of personal data performed solely for journalistic purposes or for the purposes of academic, artistic, or literary expression.

Further, the Data Protection Act contains special provisions regarding the processing of personal identity codes, which may only be processed where identification of an individual is important, and in such context only with consent of an individual or alternatively if the processing is stipulated by the law. Additionally, personal identity codes may be processed in a limited number of other cases that are specified in the Data Protection Act. It is also stipulated in the Data Protection Act that a personal identity code may not be included in printed documents or documents that are drafted based on information contained within a filing system when it is unnecessary. Pursuant to the recent amendments of the Data Protection Act, the identification of the data subject cannot be based solely on their name and personal identity code, or the combination of those.

In addition, the Data Protection Act has specific provisions regarding the processing of special categories of personal data. These are further discussed in the section on special categories of personal data below.

6. Principles

All principles of Article 5 of the GDPR are applied as such in Finland. With respect to the principle of accountability, the Ombudsman has stated that accountability also includes a documentation obligation, which involves recording the measures taken to fulfil the requirements of accountability, including internal and external guidelines for e.g., exercising the rights of the data subjects.

In addition, the principle of openness of government activities is applied in Finland and referred to in the Data Protection Act. According to this principle, the documents of the public authorities shall be public, unless otherwise provided in law.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no general obligation to notify regulators of any processing under the GDPR other than the requirement to notify the Ombudsman of the details of a data protection officer ('DPO') (further discussed in the section on DPO appointment below). However, under the GDPR, the controller shall consult the Ombudsman prior to processing where a Data Protection Impact Assessment ('DPIA') under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Ombudsman must also be provided with a DPIA, regardless of the level of risk present, prior to the processing of special categories of personal data or criminal convictions data for scientific or historical research purposes or statistical purposes under the derogations of the Data Protection Act, and where the basis of such processing is a DPIA in accordance with the procedure.

The Act 917/2014 requires that a corporate subscriber, i.e., a legal person who is a party to an agreement concerning the provision of a communications service or an added value service for a purpose other than telecommunications operations, inform the Ombudsman in advance of processing data traffic for certain purposes.

7.2. Data transfers

Transferring personal data outside the European Economic Area ('EEA') requires an appropriate basis and compliance with specific requirements laid down by data protection legislation. The transfer of the personal data must always fulfil the conditions provided for in Chapter V of the GDPR.

7.3. Data processing records

The obligation to maintain records of processing activities is laid down by Article 30 of the GDPR and the Data Protection Act does not contain any further obligations in this regard. According to GDPR Article 30, the obligation to draw up a record of processing activities applies to all organizations with more than 250 employees. Smaller organizations are also required to draw up the record in certain situations as specified in the Article.

7.4. Data protection impact assessment

Article 35 of the GDPR requires a DPIA to be made whenever the personal data processing is likely to result in a high risk to the rights and freedoms of natural persons. Said Article further contains a non-exhaustive list of types of processing activities that require a DPIA and a requirement according to which the supervisory authorities shall establish and make public a list of the kind of processing operations which are subject to the requirement for a DPIA. The Ombudsman has published detailed DPIA Guidance (see the section on guidelines above).

In Finland the Ombudsman requires a DPIA to be conducted for certain processing operations in line with the DPIA List:

  • when biometric data is processed for the purpose of uniquely identifying a natural person in conjunction with at least one other criterion as specified in the DPIA List and the Working Party 29 DPIA Guidelines:
    • such as when the processing of biometric data is used in systematic monitoring of data subjects;
    • biometric data is processed for evaluation or scoring of the data subject;
    • processing of biometric data is aimed at automated decision making with legal or similar significant effect;
    • biometric data is processed on a large scale;
    • processing of biometric data includes matching or combining datasets;
    • processed biometric data is concerning vulnerable data subjects;
    • biometric data is processed in innovative use or applying new technological or organizational solutions; or
    • processing of biometric data prevents data subjects from exercising a right or using a service or a contract;
  • when genetic data is processed in conjunction with at least one other criterion as specified in the DPIA List and the Working Party 29 DPIA Guidelines:
    • such as when genetic data is processed on a large scale;
    • genetic data is processed to evaluate or score a person;
    • genetic data is processed in automated decision making which has legal or similar significant effects on the data subject;
    • genetic data is processed in the context of systematic monitoring of data subjects;
    • genetic data includes matching or combining datasets;
    • processing the genetic data of vulnerable data subjects;
    • in connection with the innovative use or application of new technical and organizational solutions; or
    • processing of genetic data to prevent data subjects from using a service or contract;
  • when location data is processed in conjunction with at least one other criterion as specified in the DPIA List and the Working Party 29 DPIA Guidelines:
    • such as when location data processed reveals sensitive data or data of a highly personal nature and;
    • location data is processed for evaluation or scoring;
    • location data is processed for automated decision making with legal or similar significant implications;
    • location data is processed in the context of systematic monitoring;
    • location data is processed on a large scale;
    • location data includes matching or combining datasets;
    • location data of vulnerable data subjects;
    • location data is processed in innovative use or applying new technological or organizational solutions; or
    • processing of location data prevents data subjects from exercising a right or using a service or contract;
  • when personal data is collected from a source other than the individual without providing them with a privacy notice because of application of Article 14(5)(b) of the GDPR in conjunction with at least one other criteria as specified in the DPIA List and the Working Party 29 DPIA Guidelines,
    • such as when personal data concerns vulnerable data subjects;
    • personal data is processed for evaluation or scoring a person;
    • personal data is processed for automated decision making with legal or similar significant effects;
    • personal data is processed in the context of systematic monitoring;
    • personal data is processed on a large scale;
    • processing personal data includes matching or combining datasets;
    • personal data of vulnerable data subjects;
    • personal data is processed for an innovative use or applying new technological or organizational solutions; or
    • processing of personal data prevents data subjects from exercising a right or using a service or contract; and
  • when personal data is processed in whistleblower systems.

The Ombudsman has not specified any exceptions to the requirement for a DPIA.

National activities subject to prior consultation/authorization

When processing special categories of personal data as specified in Article 9 of the GDPR, restricting the rights of a data subject specified in Articles 15, 16, 18, and 21 of the GDPR may require that a DPIA is provided to the Ombudsman before commencing with the envisaged processing.

National activities not subject to prior consultation/authorization

There are no such derogations under the Data Protection Act.

The Ombudsman has published a DPIA Tool (only available to download in Finnish here) intended to support data controllers in carrying out DPIAs.

In addition, the form to submit a request for prior consultation is available here.

7.5. Data protection officer appointment

According to the GDPR, a DPO should be designated if an organization processes sensitive data on a large scale, monitors individuals regularly, systematically, and on a large scale, or is a public authority (with the exception of courts). There are no supplementary provisions on this matter in the Data Protection Act.

A DPO needs to be appointed by the controller/processor where special categories of personal data are processed in one of the circumstances listed in Section 6(1) of the Act (Section 6(2)(3) of the Act).

Organizations can appoint a DPO even if it is not required under the GDPR and the Act. If the organization appoints a DPO on a voluntary basis, the appointment, role, and tasks of the DPO are subject to the requirements of the GDPR in the same way as when the appointment is mandatory (the DPO Guidance and the Q&As).

The appointment of a DPO may be notified to the Ombudsman either via a dedicated portal (available here), or by contacting the Ombudsman in any other manner, in line with the Ombudsman's privacy policy (available here) ('the Privacy Policy').

The Privacy Policy further specifies that data controllers or data processors must inform the Ombudsman in case information regarding the DPO changes, which may be done through the DPO change form on the Ombudsman's website (available here). Data relating to an organization's DPO appointment history are retained by the Ombudsman.

7.6. Data breach notification

Variation/exemptions on breach notification obligation

According to the Data Protection Act, when processing is performed for purposes of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes, notification of a personal data breach to the data subject is not mandatory unless required by the supervisory authority.

Sectoral obligations

Specific notice of breach rules applies to the electronic communications sector under Act 917/2014.

7.7. Data retention

Neither the GDPR nor the Data Protection Act specifies any precise storage times for personal data. According to the principle of storage limitation laid down by Article 5 of the GDPR personal data may only be stored for as long as necessary for the purposes of processing.

However, data retention is also affected by national legislation, which contains various statutory data retention obligations. For example, the period of retention for accounting material is regulated in the Accounting Act (1336/1997).

7.8. Children's data

The applicable age of consent in relation to information society services offered directly to a child is 13 years.

Please note that the age limit above applies only for consent given in relation to information society services offered directly to a child. Should the consent be obtained for any other kind of processing (such as the use of photographs or direct marketing purposes), the age applicable for consent is determined in accordance with the general rules of the Act on Child Custody and Right of Access (361/1983). The general rule is that the person having custody of a child represents the child in matters concerning their person unless otherwise provided by law. Custody ends when the child attains the age of 18 years. However, a child can represent themselves (i.e., give consent) in matters where it is appropriate considering the child's age, level of development, and the quality of the matter. As a rule of thumb, it has been considered that in 'ordinary matters' a 15-year-old child may represent themselves. Even a younger child can give consent in matters appropriate considering their age and level of development, but this should be evaluated on a case-by-case basis.

7.9. Special categories of personal data

The Data Protection Act restricts the application of Article 9 of the GDPR concerning special categories of personal data and Article 10 concerning criminal conviction data where such data is processed solely for journalistic purposes or academic, artistic, and literary expression purposes.

Furthermore, the Data Protection Act restricts the application of Article 9(1) of the GDPR in several other cases, such as when processed by an insurance company where the data processed relates to health, sickness, or disability of treatment received by a data subject, and such data is necessary to verify the responsibility of the insurance company. When special categories of personal data are processed under derogations referred to in this paragraph, the controller and the processor shall implement appropriate and special measures to protect the rights of the data subject, which include, for example, the appointment of a DPO and encryption of the personal data.

Processing of special categories of personal data and criminal conviction data is also allowed under derogations from rights of the data subjects in the context of scientific or historical research purposes or statistical purposes, provided that the preconditions.

The Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security Act implements the Law Enforcement (Directive (EU) 2016/680) and also provides more detailed rules for processing information on criminal offences by authorities.

7.10. Controller and processor contracts

According to Article 28 of the GDPR, processing by a processor shall be governed by a contract or other legal act under Union or Member State law. The contract shall be binding and set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. There are no supplementary provisions on this matter in the Data Protection Act.

8. Data Subject Rights

8.1. Right to be informed

In Finland, there is no language requirement for privacy notices, but they must be easy to understand, and the language must be clear and plain. It is recommended that privacy notices are provided in Finnish, but if it is reasonable to presume that all potential data subjects understand another language well enough, e.g., English or Swedish, the information may be provided in that language.

The Data Protection Act provides several derogations with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes. In such case, the GDPR's provisions on data subject's rights, including informing the data subject, shall not apply.

In addition, under the Data Protection Act, the data subject's right to receive information on the processing may be restricted, if such restriction is necessary for reasons of national safety or defense, public order or safety, preventing or solving crimes, or it is necessary for a surveillance assignment relating to taxation or public finances. Furthermore, certain aspects of the right to receive information may be restricted where information has not been collected from a data subject, providing such information may cause significant damage or harm to the data subject, and the collected information is not used in decision-making regarding the data subject. In case the right to receive information is restricted in accordance with the above-mentioned derogations, the controller shall, as specified in the Data Protection Act, implement appropriate measures to safeguard the rights of the data subjects, which include e.g., keeping the information on processing available to everyone, provided that it does not compromise the purpose of the derogation in question.

8.2. Right to access

According to the Data Protection Act, the GDPR's provisions on data subject's rights, including on the access right, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

In addition, under the Data Protection Act, the right may be restricted when personal data are processed for scientific or historical research purposes, where necessary, and provided that the preconditions laid down in the Data Protection Act are met, for example, the processing is based on an appropriate research plan and it is ensured that information of a specific person is not disclosed to third parties.

In addition, the right of access may be restricted when personal data is processed for statistical purposes, where necessary and provided that the preconditions laid down in the Data Protection Act are met, for example that the statistics may not be produced or the requirement for information may not be fulfilled without processing personal data and the information is not made available in a way where a specific person is identifiable from the information, unless it is disclosed for public statistics produced by the authorities.

In addition, under the Data Protection Act, the right of access may be restricted, if:

  • providing the information could cause harm to national safety or defense, public order and safety, or preventing or solving crimes;
  • providing the information could severely threaten the health or treatment of data subjects or the rights of data subjects or someone else; or
  • personal data is used for surveillance and inspection tasks, and not providing the information is necessary for an important economic or financial interest of Finland or of the EU.

Data subjects shall be informed of the reasons for the restrictions unless this endangers the purpose of the restriction. If the restriction covers only a part of the data relating to the data subject, they still have a right to access the remaining information concerning them. If the data subject does not have the right to access their personal data, such information shall be provided to the Ombudsman on the data subject's request.

Also, the national special legislation may restrict the access right, such as the Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017), according to which the data subject does not have a right to access the information gathered by those entities (e.g. credit institutions and insurance companies) that have an obligation to report any suspicious business activities. However, the Ombudsman may inspect the legality of the processing of such data pursuant to the data subject's request.

8.3. Right to rectification

According to the Data Protection Act, the GDPR's provisions on the data subject's rights, including on right to rectification, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

In addition, right to rectification may be restricted when personal data is processed for scientific or historical research purposes, where necessary, and provided that the preconditions laid down in the Data Protection Act are met, for example that the processing is based on an appropriate research plan and it is ensured that the information of a specific person is not disclosed to third parties.

In addition, the right to rectification may be restricted when personal data is processed for statistical purposes, where necessary and provided that the preconditions laid down in the Data Protection Act are met, for example that the statistics may not be produced or the requirement for information may not be fulfilled without processing personal data and the information is not made available in a way where a specific person is identifiable from the information, unless it is disclosed for public statistics produced by the authorities.

8.4. Right to erasure

According to the Data Protection Act, the GDPR's provisions on the data subject's rights, including on the right to erasure, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

8.5. Right to object/opt-out

According to the Data Protection Act, the GDPR's provisions on data subject's rights, including on right to object, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

In addition, the right to object may be restricted when personal data is processed for scientific or historical research purposes, where necessary, and provided that the preconditions laid down in the Data Protection Act are met, for example, that the processing is based on an appropriate research plan and it is ensured that the information of a specific person is not disclosed to third parties.

In addition, the right to object may be restricted when personal data is processed for statistical purposes, where necessary and provided that the preconditions laid down in the Data Protection Act are met, for example, that the statistics may not be produced or the requirement for information may not be fulfilled without processing personal data and the information is not made available in a way where a specific person is identifiable from the information unless it is disclosed for public statistics produced by the authorities.

8.6. Right to data portability

According to the Data Protection Act, the GDPR's provisions on data subject's rights, including on right to data portability, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

8.7. Right not to be subject to automated decision-making

According to the Data Protection Act, the GDPR's provisions on the data subject's rights, including on the rights regarding automated individual decision-making, including profiling, shall not apply with respect to the processing of personal data solely for journalistic purposes or academic, artistic, and literary expression purposes.

There are no other variations in the Data Protection Act concerning data subjects' rights regarding automated individual decision-making, including profiling. However, special legislation may contain provisions, such as the rules of the Act of Privacy in Working Life regarding the assessment of employees, which shall be taken into account in the context of automated individual decision-making and/or profiling.

8.8. Other rights

The GDPR also provides for the right to restrict processing.

9. Penalties

As provided above, in Finland administrative fines are imposed by the sanctions board comprised by the Ombudsman and the deputy ombudsmen.

Administrative fines may not be imposed on public authorities or bodies, including e.g., the church and universities. Moreover, administrative fines may not be imposed if more than ten years have passed since the offense or wrongdoing. To enforce its use of correctional powers under Articles 58(2)(c) to 58(2)(g) and 58(2)(j) of the GDPR as well as its decisions concerning access to information under Section 18 of the Data Protection Act, the supervisory authority has also been granted the power to impose conditional fines under the Data Protection Act.

Criminal law



Unlawful processing of personal data by persons other than a controller or a processor, such as employees of a company acting as data processor or controller, may be punished under the Criminal Code as a data protection crime by fine or imprisonment up to one year.

9.1 Enforcement decisions

As of January 2024, the following GDPR enforcement decisions published by the Ombudsman have led to administrative fines:

  • in the case 9707/152/19, September 4, 2023 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €1,600 (approx. $1,940) on a company offering psychotherapy services. The company had not provided its client with a reason for why it could not deliver the patient records for the client's psychotherapy sessions;
  • in the case 8422/161/21, July 6, 2023 (available in Finnish here and a summary in English here) the sanctions board of the Ombudsman has imposed an administrative fine of €23,000 (approx. $24,790) on Suomen Yritysrekisteri, a business directory operator. The company had not provided telephone call recordings to individuals who had asked for them in accordance with data protection legislation. Furthermore, the company had failed to comply with the Deputy Data Protection Ombudsman's prior order to bring their operations into compliance with the law;
  • in the case 310/161/23, February 17, 2023 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €440,000 (approx. $474,180) on Suomen Asiakastieto Oy for failing to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The sanctions board stressed that the processing of payment default information has a significant impact on the rights and freedoms of individuals;
  • in the case 1198/161/22, December 27, 2022 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €122,000 (approx. $131,480) as the company had not asked the users of the service for their specific consent to the processing of health-related personal data. The processing of health data is part of the company's core business. Further, the Data Protection Ombudsman ordered the company to rectify its practices for requesting consent;
  • in the cases 633/182/2018, 6707/154/2018, and 7685/152/2020, December 13, 2022 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €750,000 (approx. $808,260) on Alektum Oy as it had not responded to requests to exercise the rights of the data subject. Moreover, the company also obstructed and delayed the investigation by avoiding the supervisory authorities;
  • in the case 8492/163/20, December 9, 2022 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €230,000 (approx. $247,870) on Viking Line Oy Abp for violations related to the processing of its employees' health data. The company, inter alia, stored health data of its employees unlawfully in an HRM-system and deficiencies were also identified in the fulfilment of the company's information obligation to its employees;
  • in the case 6097/161/21, May 9, 2022 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €85,000 (approx. $91,600) on Otavamedia Oy for not adequately fulfilling data subject's rights concerning access to and erasure of data as well as for requesting unnecessary information for the identification of the data subjects;
  • in the case 10587/161/21, April 29, 2022 (available only in Finnish here), the sanctions board of the Ombudsman imposed an administrative fine of €8,300 (approx. $8,940) on a telemarketing company for not complying with an order from the supervisory authority regarding a requested access to a recording of a sales call;
  • in the case 8493/161/21, December 16, 2021 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €5,000 (approx. $5,390) on a medical clinic for deficiently implementing the customer's right to inspect their patient records in an appropriate manner as well as for not adequately informing customers about the processing of personal data;
  • in the case 4431/161/21, December 16, 2021 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €52,000 (approx. $56,040) on the Finnish Motor Insurer's Centre for excessively requesting patient records from health care providers for the purpose of processing claims, although the data was largely not necessary for said purposes. This was deemed to constitute violations of the principles of fairness as well as data minimization;
  • in the case 4282/161/21, December 16, 2021 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €6,500 (approx. $7,000) on a small travel agency group for deficiencies in its operations related to secure data processing and realizing the rights of the data subject. The travel agency had, inter alia, used an unencrypted network connection for its visa application forms and stored personal data on a public web server;
  • in the case 1150/161/2021, December 7, 2021 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €608,000 (approx. $655,230) on a Finnish psychotherapy center. The deputy data protection ombudsman found that personal data had not been appropriately protected against unauthorized and illegal processing or accidental disappearance, destruction, or damage. The company had also neglected its duties related to reporting a personal data breach;
  • in the case 3843/163/20, July 5, 2021 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €25,000 (approx. $26,940) on a university of applied sciences for processing employee location data unnecessarily and without legal grounds using a mobile application intended for recording working hours;
  • in the case 2890/161/2021, June 24, 2021 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €8,500 (approx. $9,160) on a magazine publisher due to data protection violations related to direct marketing. The company carried out direct marketing with an automated calling system without valid consent of the call recipients. In addition, the company had not drawn up a data processing agreement with the subcontracting company that carried out direct marketing calls on its behalf;
  • in the case 2477/161/21, April 21, 2021 (available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €75,000 (approx. $80,820) on a parking control management company. Several violations concerned a failure to realize the rights of the data subject, shortcomings in limiting the storage period of data, and practices related to identifying data subjects;
  • in the case published on July 23, 2020 combining several document numbers (for example 3425/157/2019, available in Finnish here and a summary in English here), the sanctions board of the Ombudsman imposed an administrative fine of €7,000 (approx. $7,540) on a consulting firm for sending electronic direct marketing messages without prior consent. In addition, the company did not respond to the requests of the data subjects without undue delay and within one month of receiving the request at latest, as required by the GDPR;
  • in the case 8393/161/2019, May 26, 2020 (available in Finnish here and a summary in English here), the sanctions board imposed an administrative fine of €72,000 (approx. $77,590) on a taxi company, which was later reduced to €60,000 (approx. $64,660) by the Helsinki Administrative Court. The company adopted a camera surveillance system for its taxis but neglected its obligation to conduct a DPIA before starting this personal data processing. In addition, the company did not inform the data subjects of the processing of their personal data in the manner required by data protection legislation;
  • in the case 137/161/2020, May 18, 2020 (available in Finnish here and a summary in English here), job applicants' personal data was collected unnecessarily. The collected information included for example information on religious beliefs, state of health and possible pregnancy. An administrative fine of €12,500 (approx. $13,470) was imposed on the company; and
  • in the case 531/161/2020, May 18, 2020 (available in Finnish here and a summary in English here), a water supply company processed the location data of its employees by tracking vehicles with a vehicle information system. The company had neglected its obligation to conduct a DPIA before starting this personal data processing. An administrative fine of €16,000 (approx. $17,240) was imposed on the company.