Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
Finnish data protection laws are based on the EU Data Protection Directive (95/46/EC) and are therefore similar to data protection laws in other EU member states. Certain laws (eg, laws on privacy in employment and processing of credit data) go beyond the common European standard and introduce stricter rules in this regard. The enforcement of data protection laws in Finland is moderate and risk based.
Are any changes to existing data protection legislation proposed or expected in the near future?
The EU General Data Protection Regulation will enter into force on May 25 2018 and replace the Finnish Personal Data Act as the general data protection law. National laws will be reviewed and updated where required. Certain Finland-specific rules in the existing legislation may remain. The Ministry of Justice has established a working group to assess the implications of the regulation and prepare any required changes.
What legislation governs the collection, storage and use of personal data?
The Personal Data Act (523/1999, as amended) regulates the collection, storage, use and processing of personal data. Special legislation applies to certain types of data and certain types of entity which process personal data – for example:
- the processing of employment data is governed by the Act on Privacy in Employment (759/2004, as amended);
- the processing of credit data is governed by the Credit Data Act (527/2007, as amended); and
- the processing of health data is subject to a number of healthcare-specific laws.
Finally, separate rules may apply to registers and data maintained by public authorities.
Scope and jurisdiction
Who falls within the scope of the legislation?
Data protection laws primarily apply to data controllers (eg, persons, corporations, public authorities, institutions or foundations) which determine the use of personal data files or which have been designated as a controller by law. Separate limited obligations for data processors which process personal data on behalf of data controllers are set out in law.
What kind of data falls within the scope of the legislation?
Scope of Personal Data Act
The Personal Data Act applies to automatic and other processing of personal data where the data constitutes, or is intended to constitute, a personal data file or part thereof. The Personal Data Act does not apply to the processing of personal data by a private individual for purely personal purposes or for comparable ordinary and private purposes. Further, most obligations under the Personal Data Act do not apply to the processing of personal data for purposes of journalism or artistic or literary expression.
Definition of ‘personal data’
The definition of ‘personal data’ is broad and thus the scope of the Personal Data Act is also broad. ‘Personal data’ is defined as any information on a private individual or his or her personal characteristics or personal circumstances that identifies him or her or his or her family members or household. For example, device identifiers and IP addresses may qualify as personal data, as will names and contact information.
The Personal Data Act applies to the processing of personal data where the data controller is established in Finland or otherwise subject to Finnish law. Further, the Personal Data Act applies if the controller is not established in an EU member state, but uses equipment located in Finland while processing personal data, except where the equipment is used solely for the transfer of data through the territory. In this case, the controller must designate a representative in Finland.
Are data owners required to register with the relevant authority before processing data?
No general obligation requires all data owners to register with an authority. Data controllers and processors must file a notification with the Data Protection Ombudsman under certain circumstances before commencing the processing of personal data and, for example, when the processing of personal data is outsourced. Filing a notification is a statutory obligation, but it is not an acceptance procedure.
Is information regarding registered data owners publicly available?
Similar to many other documents held by public officials in Finland, notifications filed with the Data Protection Ombudsman are public and can be accessed by anyone, unless they are classified as secret at the request of the respective data controller or processor (eg, due to trade secrets contained in the filing). However, the Data Protection Ombudsman does not proactively publish such information on its website or otherwise.
Is there a requirement to appoint a data protection officer?
No general requirement to appoint a data protection officer exists. However, an obligation to appoint a data protection officer applies in the field of healthcare.
Which body is responsible for enforcing data protection legislation and what are its powers?
The Data Protection Ombudsman supervises compliance with the Personal Data Act as well as other related laws. The ombudsman issues guidance and consultations on compliance with the data protection laws and may also issue decisions and conditional fines in limited situations relating to, for example, the protection of data subjects' rights. The ombudsman may not prohibit the processing of personal data or impose other penalties (eg, fines).
The Data Protection Board is an independent body which grants permission to process personal data. The board may also, at the request of the ombudsman:
- prohibit processing of personal data;
- compel parties to remedy unlawful processing activities; and
- order data processing operations to be ceased.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Where the Personal Data Act applies, the collection, storage and processing of personal data must comply with the act and any relevant special legislation (eg, special obligations apply to the processing of employees' data) – for example:
- processing must be planned in advance;
- processing must have a lawful ground provided in the Personal Data Act or another law;
- the personal data processed must be necessary for the lawful purpose for which it was collected;
- personal data may be processed only in a manner consistent with the purposes for which it was collected; and
- personal data must be kept accurate and up to date.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Personal data will be retained only for as long as is necessary for the lawful purposes for which it was collected. Employee data must be directly necessary in terms of:
- managing the rights and obligations of the parties to the employment relationship; or
- facilitating the provision of benefits by the employer to the employee or those arising from the special nature of the work concerned.
No general retention periods are provided for by law, although specific retention periods may apply to certain types of data and certain data controllers and processors. For example, minimum retention periods apply to data retained in relation to accounting and data processed by telecoms operators.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals have a right to access the personal data held about them and, on request, receive a copy of the data. The right to access personal data may be limited only where:
- providing access to the data could compromise national security, defence, public order or security, or hinder the prevention or investigation of a crime;
- providing access to the data would cause serious danger to the health or treatment of the data subject or to the rights of someone else;
- the data in the file concerned is used solely for historical or scientific research or statistical purposes; or
- the personal data in the file concerned is used when carrying out monitoring or inspection functions, and not providing access to the information is indispensable in order to safeguard an important economic interest or financing position in Finland or the European Union.
Do individuals have a right to request deletion of their data?
Yes – an individual may request the data controller to correct, erase or supplement personal data that is erroneous, unnecessary, incomplete or obsolete as regards the purpose for which it was processed. However, this right is not absolute. Data must be deleted where it is no longer necessary for the lawful purpose for which it was collected.
Is consent required before processing personal data?
In general, consent is not required, provided that other lawful grounds for processing personal data apply. However, consent may be required for certain specific purposes or processing operations, such as certain processing activities involving the collection of confidential communications data or employee data from sources other than the employee.
If consent is not provided, are there other circumstances in which data processing is permitted?
Personal data can be processed without consent on several grounds – for example, based on:
- a legal obligation or task;
- a customer relationship; or
- an employment or contractual necessity.
A controller may also apply for permission from the Data Protection Board to process personal data where it considers that it has a legitimate interest to do so, but there are no other legal grounds for such processing. Unlike the laws of several other EU member states, the Personal Data Act does not recognise the legitimate interest of the controller or a third party as a direct ground for allowing the processing of personal data.
What information must be provided to individuals when personal data is collected?
At a minimum, the individual must be informed of the respective controller and (where necessary):
- its representative;
- the purpose of the processing;
- the regular destinations of the data; and
- how to proceed in order to exercise his or her rights in relation to the processing.
The data controller must also prepare an index of the personal data file and make it publicly available – for example, on the website where the data is collected. The index must comprise at least the following information:
- the name and address of the controller and, where necessary, the name and address of the controller’s representative;
- the purpose of processing the personal data;
- a description of the group(s) of data subjects and the data or data groups related thereto;
- the regular destinations of the disclosed data and whether data is transferred to countries outside the European Union or the European Economic Area; and
- a description of the principles in accordance with which the data file has been secured.
Data security and breach notification
Are there specific security obligations that must be complied with?
Finland has no general data security law and no specific security obligations.
The Personal Data Act includes a general obligation requiring the controller to carry out technical and organisational measures which are necessary to secure personal data against:
- unauthorised access, accidental or unlawful destruction, manipulation, disclosure or transfer; and
- other unlawful processing.
In general, the data security obligations set out by Finnish law are technology neutral (ie, they do not define technical or organisational measures specifically).
Pursuant to the Information Society Code (917/2014, as amended), telecoms operators and communication intermediaries are subject to general data security obligations.
Are data owners/processors required to notify individuals in the event of a breach?
No general obligation to notify individuals of data breaches exists. Sector-specific obligations to notify individuals apply to telecoms operators, as set out in the Information Society Code.
Are data owners/processors required to notify the regulator in the event of a breach?
No general obligation to notify the regulator of data breaches exists. Sector-specific obligations to notify the Finnish Communications Regulatory Authority of data breaches apply to telecoms operators, as set out in the Information Society Code.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Electronic direct marketing is regulated by the Information Society Code. Direct marketing by means of automated calling systems, fax, email or text, voice, sound or image messages may be directed only at natural persons who have given their prior consent to the marketing (opt-in). Direct marketing to companies and other legal persons is allowed if the recipient has not specifically prohibited it (opt-out).
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Transfers of personal data are regulated by the Personal Data Act.
Are there restrictions on the geographic transfer of data?
Similar to the requirements set out in the EU Data Protection Directive (95/46/EC), the transfer of personal data outside the European Union or the European Economic Area requires a lawful ground, as provided for in the Personal Data Act. Transfers should, for example, be based on an adequacy decision from the European Commission or be subject to the European Commission’s standard contractual clauses.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
No specific obligations (eg, conclusion of a written agreement) apply to such situations. However, in practice, where personal data is transferred to a third party to be processed for the data owner's purposes, administrative guidance requires that the transfer be subject to an agreement which complies with applicable laws and the data owner's instructions. Further, where processing of personal data is outsourced to a third party, the processing is subject to the notification obligation.
Where personal data is disclosed to a third party for the third party's own purposes, additional requirements apply and any disclosure must be an inherent part of the processing.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Penalties for non-compliance with the Personal Data Act range from fines to imprisonment for up to one year. Special legislation may impose additional penalties.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes – the data controller is liable to compensate any economic loss or other loss suffered by the data subject or another person as a result of personal data being processed in breach of the Personal Data Act. The liability is strict (ie, it applies even in the absence of negligence or intent).
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
No specific legislation concerning cybercrime or cybersecurity exists. However, the Criminal Code includes provisions concerning identity theft, message interception, interference with communications and information systems, security breaches and offences involving a system for accessing protected services.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
No other material considerations exist. However, the Ministry of Interior, Ministry of Defence and Ministry of Justice have been preparing an initiative regarding cybersecurity and intelligence-gathering laws that would update the existing legislation and provide military and national security authorities with new legal tools to acquire intelligence, among other things.
Which cyber activities are criminalised in your jurisdiction?
The Criminal Code includes provisions concerning identity theft, message interception, interference with communications and information systems, security breaches and offences involving a system for accessing protected services.
Which authorities are responsible for enforcing cybersecurity rules?
The Communications Regulatory Authority is responsible for supervising compliance with the data security-related obligations set out in the Information Society Code.
The Data Protection Ombudsman is responsible for supervising the data security obligations set out in the Personal Data Act.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
This depends on the insurer. The market for cybersecurity insurance is developing.
Are companies required to keep records of cybercrime threats, attacks and breaches?
No general requirement for keeping records of cybercrime threats, attacks or breaches exists. However, these requirements are common in commercial contracts.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
No general obligation to report cybercrime threats exists. Sector-specific obligations to notify the Communications Regulatory Authority of data breaches or data security threats apply to telecoms operators, as set out in the Information Society Code.
Are companies required to report cybercrime threats, attacks and breaches publicly?
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
This depends on the offence concerned. The Criminal Code includes provisions concerning, for example, identity theft, message interception, interference with communications and information systems, security breaches and offences involving a system for accessing protected services.
What penalties may be imposed for failure to comply with cybersecurity regulations?
The penalties depend on the crime concerned and generally range from fines to imprisonment for up to two years.