
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data can be processed (including collecting and storing the data) only if one of the prerequisites listed exhaustively in the Personal Data Act is met. Personal data may be processed, for example, if:

  • the data subject has consented to the processing;
  • the data subject has given an assignment for the processing or it is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
  • processing is necessary to protect the vital interest of the data subject, or in order to ensure compliance with a task or obligation of the controller set out by law;
  • there is a relevant connection between the data subject and the operations of the controller based on the data subject being a client or member of the controller or subject to a comparable relationship between the data subject and the controller; or
  • the Data Protection Board has granted a permission.

The EU General Data Protection Regulation (GDPR) sets out similar prerequisites. Most importantly, the permission of the data protection authorities will no longer be a prerequisite, but the data may be processed based on the legitimate interest pursued by the controller or by a third party. Under GDPR, the rights of the data subject (eg, right to erasure) differ, to some extent, based on the prerequisite for the processing. Therefore, especially with the main processing prerequisites (consent, connection requirement and legitimate interest), the controller should determine the most suitable lawful basis with due care.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Personal data may be processed only if it is necessary for the purpose for which it was collected. Therefore, personal data must be deleted when it is no longer necessary. This same principle is set forth in GDPR. Accordingly, the retention period must always be determined on a case-by-case basis.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes. Data subjects have the right to request access to the data that is stored about them. This right is provided in GDPR. Additionally, under GDPR controllers must provide data subjects, upon request, with a copy of their personal data (processed by the controllers).

Do individuals have a right to request deletion of their data?

The Personal Data Act does not grant data subjects a general right to request that their data be deleted. However, controllers must, on their own initiative or at the request of the data subjects, rectify, erase or supplement any erroneous, unnecessary, incomplete or obsolete personal data.

GDPR will provide data subjects with a new right to request data deletion. However, this so-called ‘right to be forgotten’ does not provide data subjects with a general right to get all their personal data deleted. The data must be erased if one of the grounds set forth in the GDPR applies. This includes situations where personal data is no longer necessary for the purposes for which it was collected, and situations where the data subject withdraws his or her consent.

Consent obligations

Is consent required before processing personal data?

While consent is one of the prerequisites for processing under the current Finnish law, the GDPR will not require that consent be obtained before processing personal data. That said, some processing activities (eg, automated decision making and processing of sensitive personal data) are subject to stricter requirements than other data groups. Consent is not the only processing prerequisite even in such cases, but may be the most suitable one.

The processing of location data is covered by the Information Society Code rather than the Personal Data Act. Under the code, location data on an identifiable natural person may be processed if that natural person has given consent or if it is otherwise provided by law.

Furthermore, the processing of employees' personal data is subject to specific requirements. Some activities, such as collecting data from a source other than the employees in question, are lawful only with the employees’ consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes. There are a number of other legal bases for the processing of personal data, as consent is only one of the prerequisites for processing.

What information must be provided to individuals when personal data is collected?

The Personal Data Act and GDPR set out the requirements for the information that controllers must provide to data subjects when data is collected. Under the Personal Data Act, controllers must provide data subjects with general information regarding the processing, including the controllers’ contact details, the purpose of the processing, the locations to which the data is frequently transferred, and information that is necessary for the data subjects to exercise their rights in the processing of their personal data. In addition, controllers must draw up a description of the personal data file (indicating the information set out in the Personal Data Act) and make it available to the data subjects. All the required information is commonly included in a privacy notice or privacy policy.

GDPR sets out requirements for the information provided to the data subject. Therefore, all privacy policies should be drafted in accordance with the requirements set forth in GDPR. As the information content that the controller must provide under GDPR is wider than under the Personal Data Act, all existing privacy policies and descriptions of files need to be amended. As a privacy notice drafted in accordance with GDPR fulfils the requirements set forth in the Personal Data Act, all privacy notices should already be drafted in accordance with GDPR.
