Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Where the Personal Data Act applies, the collection, storage and processing of personal data must comply with the act and any relevant special legislation (eg, special obligations apply to the processing of employees' data) – for example:
- processing must be planned in advance;
- processing must have a lawful ground provided in the Personal Data Act or another law;
- processing must be necessary for the lawful purpose for which it was conducted;
- personal data can be processed only in compliance with the purposes for which it was conducted; and
- personal data must be kept accurate and up to date.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Personal data will be retained only for as long as is necessary for the lawful purposes for which it was collected. Employee data must be directly necessary in terms of:
- managing the rights and obligations of the parties to the employment relationship; or
- facilitating the provision of benefits by the employer to the employee or those arising from the special nature of the work concerned.
No general retention periods are provided for by law, although specific retention periods may apply to certain types of data and certain data controllers and processors. For example, minimum retention periods apply to data retained in relation to accounting and data processed by telecoms operators.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals have a right to access the personal data held about them and, on request, receive a copy of the data. The right to access personal data may be limited only where:
- providing access to the data could compromise national security, defence, public order or security, or hinder the prevention or investigation of a crime;
- providing access to the data would cause serious danger to the health or treatment of the data subject or to the rights of someone else;
- the data in the file concerned is used solely for historical or scientific research or statistical purposes; or
- the personal data in the file concerned is used when carrying out monitoring or inspection functions, and not providing access to the information is indispensable in order to safeguard an important economic interest or financing position in Finland or the European Union.
Do individuals have a right to request deletion of their data?
Yes – an individual may request the data controller to correct, erase or supplement personal data that is erroneous, unnecessary, incomplete or obsolete as regards the purpose for which it was processed. However, this right is not absolute. Data must be deleted where it is no longer necessary for the lawful purpose for which it was collected.
Is consent required before processing personal data?
In general, consent is not required, provided that other lawful grounds for processing personal data apply. However, consent may be required for certain specific purposes or processing operations, such as certain processing activities involving the collection of confidential communications data or employee data from sources other than the employee.
If consent is not provided, are there other circumstances in which data processing is permitted?
Personal data can be processed without consent on several grounds – for example, based on:
- a legal obligation or task;
- a customer relationship; or
- an employment or contractual necessity.
A controller may also apply for permission from the Data Protection Board to process personal data where it considers that it has a legitimate interest to do so, but there are no other legal grounds for such processing. Unlike the laws of several other EU member states, the Personal Data Act does not recognise the legitimate interest of the controller or a third party as a direct ground for allowing the processing of personal data.
What information must be provided to individuals when personal data is collected?
At a minimum, the individual must be informed of the respective controller and (where necessary):
- its representative;
- the purpose of the processing;
- the regular destinations of the data; and
- how to proceed in order to exercise his or her rights in relation to the processing.
The data controller must also prepare an index of the personal data file and make it publicly available – for example, on the website where the data is collected. The index must comprise at least the following information:
- the name and address of the controller and, where necessary, the name and address of the controller’s representative;
- the purpose of processing the personal data;
- a description of the group(s) of data subjects and the data or data groups related thereto;
- the regular destinations of the disclosed data and whether data is transferred to countries outside the European Union or the European Economic Area; and
- a description of the principles in accordance with which the data file has been secured.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Transfers of personal data are regulated by the Personal Data Act.
Are there restrictions on the geographic transfer of data?
Similar to the requirements set out in the EU Data Protection Directive (95/46/EC), the transfer of personal data outside the European Union or the European Economic Area requires a lawful ground, as provided for in the Personal Data Act. Transfers should, for example, be based on an adequacy decision from the European Commission or be subject to the European Commission’s standard contractual clauses.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
No specific obligations (eg, conclusion of a written agreement) apply to such situations. However, in practice, where personal data is transferred to a third party to be processed for the data owner's purposes, administrative guidance requires that the transfer be subject to an agreement which complies with applicable laws and the data owner's instructions. Further, where processing of personal data is outsourced to a third party, the processing is subject to the notification obligation.
Where personal data is disclosed to a third party for the third party's own purposes, additional requirements apply and any disclosure must be an inherent part of the processing.
Click here to view the full article.