Dottir Attorneys Ltd

 

What law(s) specifically govern personal data / information?

The following list includes the most central laws governing the processing of personal data. In addition, there are several sectoral laws (such as the Act on Early Childhood Education and Care) which include some kind of provisions regarding the processing of personal data.

  • The Finnish Data Protection Act 1050/2018
  • The Finnish Act on the Protection of Privacy in Working Life 759/2004
  • The Finnish Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security 1054/2018
  • The Finnish Act on the Secondary Use of Health and Social Data 552/2019
  • The Finnish Act on the Processing of Client Data in Healthcare and Social Welfare 703/2023
  • The Finnish Credit Information Act 527/2007
  • The Finnish Act on the Processing of Personal Data by Customs 650/2019
  • The Finnish Act on the Processing of Personal Data by the Police 616/2019
  • The Finnish Act on the Processing of Personal Data by the Border Guard 639/2019
  • The Finnish Act on the Processing of Personal Data in Immigration Administration 615/2020
  • The Finnish Act on the Processing of Personal Data by the Criminal Sanctions Agency 1301/2021
  • The Finnish Act on the Processing of Personal Data by the Finnish Defence Forces 332/2019

 

What are the key data protection principles in this jurisdiction?

The key principles are the ones set forth in Article 5 of the GDPR and listed below. There are no national deviations.

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

 

What is the supervisory authority / regulator in charge of data protection?

The Data Protection Ombudsman (FI: tietosuojavaltuutettu)

 

Is there a requirement to register with a supervisory authority / regulator?

There is no requirement to register with the supervisory authority to process personal data.

 

Is there a requirement to notify the supervisory authority / regulator?

There is no general requirement to notify the supervisory authority about the processing of personal data.

If a data protection officer is appointed, their contact details must be communicated to the supervisory authority in accordance with Article 37(7) of the GDPR.

 

Is it possible to register with / notify the supervisory authority / regulator online?

There is no general requirement to register. The data protection officer may be notified online, and data breach notifications may be submitted online.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

The key data subject rights are the ones set forth in Chapter III of the GDPR and listed below. There are some sector-specific laws which specify or supplement the GDPR, but such provisions relate to the same general rights.

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with the data protection authority

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes, a data protection officer must be appointed in certain cases. The requirements are set forth in Article 37 of the GDPR.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes. In accordance with Article 35(4) of the GDPR, the Finnish data protection authority has established a list of processing operations which require a data protection impact assessment (DPIA). A DPIA is required in the following cases, subject to the additional conditions set out in that list:

  • processing of biometric data
  • processing of genetic data
  • processing of location data
  • the processing is subject to the exemption regarding the obligation to inform the data subject in accordance with Article 14(5) of the GDPR.

In addition, the Finnish Data Protection Act provides additional legal bases for the processing of special categories of personal data. The same provision requires that, when processing on those bases, the controller and the processor implement appropriate and specific measures to safeguard the rights of the data subjects; one of the measures listed is carrying out a data protection impact assessment.

A DPIA is also required when the controller processes special categories of personal data for scientific or historical research purposes or statistical purposes and relies on the derogations from the data subjects' rights based on Article 89(2) of the GDPR.

 

Does this jurisdiction have any specific data breach notification requirements?

There are no specific requirements on personal data breach notifications in national law. The requirements of the GDPR apply: the controller must notify the Data Protection Ombudsman without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), and must communicate the breach to the affected data subjects where it is likely to result in a high risk to their rights and freedoms (Article 34).

 

What restrictions apply to the international transfer of personal data / information?

There are no general restrictions on the transfer of personal data in national law. The requirements of the GDPR apply.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

No, not beyond the extra-territorial scope of EU law itself. Under Article 3 of the GDPR, the Regulation applies to organisations established outside the EU when they offer goods or services to, or monitor the behaviour of, data subjects in the EU.

 

What rules specifically deal with marketing?

The Finnish Consumer Protection Act 38/1978 includes rules on marketing in business-to-consumer context.

The Finnish Unfair Business Practices Act 1061/1978 prohibits unfair business practices between businesses. It also sets standards for marketing to businesses and consumers.

The Finnish Act on Electronic Communications Services regulates electronic direct marketing and the use of cookies.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes, marketing rules differ between business-to-business and business-to-consumer contexts.

Finland has specific B2C marketing rules in the Finnish Consumer Protection Act, which aim to establish good practice in marketing and prohibit aggressive, misleading or otherwise unfair commercial practices towards consumers.

The same approach is mirrored in the B2B marketing rules of the Finnish Unfair Business Practices Act. It prohibits misleading and unfair business practices, but is overall less stringent than the provisions protecting consumers.

The requirements regarding direct marketing in the Act on Electronic Communications Services differ between the B2B and B2C contexts. When using automated calling systems or electronic direct marketing, such as email or text messages, a natural person's prior consent is required. Prior consent is not required for telephone marketing which is not carried out using automated calling systems. In addition, there must always be an opt-out possibility through easy, free and clearly communicated means. In contrast, direct marketing to businesses generally does not require prior consent. The Finnish Data Protection Ombudsman has, however, taken the position that direct marketing can be seen as directed to a natural person when a marketing email has been sent to a company email account, if the account belongs to a specific individual (i.e. [email protected]).

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

The rules of the Electronic Communications Services Act described above apply to electronic marketing.

 

What rules specifically deal with cookies?

The Finnish Act on Electronic Communications Services regulates the use of cookies and implements the ePrivacy Directive. In summary, the law allows the use of cookies that are strictly necessary for the provision of a service the user has specifically requested without the consent of the user. Other, non-essential cookies may only be used if the user has given their informed and clear consent.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The relevant authorities may issue an administrative fine and/or issue an order to comply with the applicable law. For infringements of the GDPR, administrative fines may reach up to EUR 20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 of the GDPR).

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

While much of the processing of personal data is governed directly by the GDPR, there are some national laws that go beyond the GDPR. Specifically worth noting is the Act on the Protection of Privacy in Working Life (759/2004), which regulates the protection of privacy of employees and applies to all employers in Finland. For example, it goes beyond the general principles of purpose limitation and data minimisation in the GDPR by permitting an employer to process only personal data that is directly necessary for the employment relationship, a necessity requirement from which the employer cannot deviate even with the employee's consent.

In addition, there are several sectors which include more specific regulations. In this regard, healthcare and social welfare are noteworthy. The Act on the Processing of Client Data in Healthcare and Social Welfare sets strict limitations as to how and when personal data in scope of the act can be processed.

 

What upcoming data protection developments should multinational organisations be aware of?

The Finnish Data Protection Ombudsman has recently focused its enforcement activity on data retention practices and policies as well as cross-border transfers.

 

Need more information?
Contact a member firm:
Johanna Rantanen
Dottir Attorneys Ltd
Finland


Janne Valo
Dottir Attorneys Ltd
Finland