Finnish Data Protection Act

Finnish Data Protection Act (Tietosuojalaki 1050/2018)

Tietosuojalaki (1050/2018)

Finland

RET-FI-NA-1050201-2018

Last updated: June 27, 2025
Effective: January 1, 2019
In Force (Amended)
Act, Enforcement & Remedies, Pay Data Collection, Pay Transparency in Hiring

The Finnish Data Protection Act (Tietosuojalaki 1050/2018) complements and specifies the EU General Data Protection Regulation (GDPR) in Finland. It entered into force on January 1, 2019, replacing the previous Personal Data Act. The law outlines national provisions concerning the processing of personal data, including the establishment and powers of the Data Protection Ombudsman, specific rules for certain categories of data, data subject rights, and administrative penalties. It aims to ensure a high level of protection for individuals' fundamental rights and freedoms, particularly their right to privacy, in the context of personal data processing. The Act addresses areas where the GDPR allows for national derogations or specifications, such as the age limit for consent in information society services and the processing of personal identification numbers.

Overview

The Finnish Data Protection Act, officially known as Tietosuojalaki (1050/2018), serves as the national legislative framework that complements and specifies the application of the European Union's General Data Protection Regulation (GDPR) within Finland. Enacted by the Finnish Parliament, this law came into force on January 1, 2019, marking a significant update to Finland's data protection landscape by replacing the outdated Personal Data Act (523/1999) and the Act on the Data Protection Board and Data Protection Ombudsman (389/1994). Its primary purpose is to ensure the effective protection of natural persons with regard to the processing of their personal data and the free movement of such data, aligning Finnish national law with the comprehensive standards set by the GDPR. This Act was a crucial step in Finland's legislative process to adapt to the new EU-wide data protection regime, ensuring that national specificities and derogations permitted by the GDPR were properly integrated into Finnish law.

Historically, Finland has had robust data protection legislation, but the advent of the GDPR necessitated a new national law to integrate the directly applicable EU regulation while also exercising the national flexibilities and derogations permitted by the GDPR. The Tietosuojalaki (1050/2018) was thus designed to fill these gaps, providing specific national provisions on matters such as the appointment and organization of the national supervisory authority, the Data Protection Ombudsman, and detailing its powers. It also addresses specific national contexts, including the processing of personal data for journalistic, academic, artistic, or literary expression, the handling of personal identification numbers, and the age limit for children's consent in relation to information society services. These national specifications ensure that the GDPR's principles are applied effectively within the unique Finnish legal and societal context.

Key innovations of the Tietosuojalaki include clarifying the legal basis for processing personal data in certain situations, particularly where public interest or the exercise of official authority is involved, which is common in Finland's public sector. It also sets out the framework for administrative fines and other corrective powers of the supervisory authority, ensuring robust enforcement mechanisms. The law's comprehensive nature ensures that while the GDPR provides the overarching principles and many direct obligations, the Finnish Act provides the necessary national specificities to create a coherent and effective data protection regime tailored to the Finnish legal system and societal needs. This dual framework ensures that individuals in Finland benefit from the high standards of data protection established at the EU level, reinforced by clear national implementation and oversight by the Data Protection Ombudsman.

Definitions

The Tietosuojalaki (1050/2018) operates in conjunction with the GDPR, meaning that many fundamental definitions are derived directly from the GDPR. However, the Finnish Act provides specific clarifications or national interpretations where the GDPR allows. Central to both legislations is the concept of Personal Data (Henkilötieto), defined as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This broad definition ensures comprehensive coverage of various types of information that can be linked to an individual.

Another crucial term is the Data Subject (Rekisteröity), which refers to the identified or identifiable natural person whose personal data is being processed. The rights and protections afforded by the Tietosuojalaki and GDPR are primarily centered around the data subject, empowering individuals with control over their personal information. The law also defines the roles of the Controller (Rekisterinpitäjä) and the Processor (Henkilötietojen käsittelijä). A controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In contrast, a processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. The distinction between these roles is critical for assigning responsibilities and liabilities under the law, particularly concerning data security and compliance.

The Act also addresses specific categories of personal data, such as 'special categories of personal data' (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation), which are subject to stricter processing conditions due to their sensitive nature. Furthermore, the law provides specific provisions for the processing of personal identification numbers (henkilötunnus), recognizing their sensitive nature and the need for careful regulation in the Finnish context. The concept of 'processing' itself is broadly defined to encompass any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, covering the entire lifecycle of data.

Covered Employers

The Tietosuojalaki (1050/2018) applies broadly to the processing of personal data, in line with Article 2 of the GDPR. This means it covers both wholly or partly automated processing of personal data and non-automated processing of personal data which forms part of a filing system or is intended to form part of a filing system. The geographical scope extends to controllers and processors established in the European Union, including Finland. Furthermore, it applies to entities not established in the EU if their processing activities relate to offering goods or services to data subjects in the Union or to monitoring their behavior within the Union, ensuring that foreign entities targeting Finnish residents are also subject to the Act.

While the law has a wide reach, it also specifies certain exemptions and limitations. For instance, it does not apply to the activities of the Finnish Parliament (Eduskunta) in its parliamentary work, acknowledging the unique constitutional role of the legislative body. Similarly, personal data processing related to criminal matters and national security is primarily governed by a separate, specialized law, the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018), although the Data Protection Ombudsman still oversees compliance with this separate act. This delineation ensures that sensitive areas with specific operational requirements are addressed through tailored legislation while maintaining overall data protection oversight.

The Act covers a diverse range of entities, from public authorities and government agencies to private companies and non-profit organizations, whenever they engage in the processing of personal data. For example, the Social Insurance Institution of Finland (Kela) processes personal data of its customers and employees as a controller, and its operations are subject to the Tietosuojalaki. Educational institutions, such as the National Agency for Education (Opetushallitus) and Jyväskylä University of Applied Sciences, also fall under its purview, with specific guidance on their obligations as controllers. The law also addresses situations where public administration tasks are outsourced to private actors, clarifying that administrative fines can be imposed on private entities even when performing public duties, unlike public authorities themselves for certain measures, thereby ensuring accountability across both public and private sectors.

Employee Rights

The Tietosuojalaki (1050/2018) reinforces and, in some cases, specifies the comprehensive rights granted to data subjects under the GDPR, which are fundamental to empowering individuals to control their personal data. Key among these is the right to information regarding the processing of their personal data, which includes knowing the purposes of processing, the categories of data concerned, and the recipients to whom the data has been or will be disclosed. Data subjects also have the right of access to their personal data, allowing them to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and certain information, typically within one month of the request.

Further rights include the right to rectification, enabling data subjects to have inaccurate personal data corrected without undue delay, and the right to erasure ('right to be forgotten'), which allows them to request the deletion of their personal data under specific circumstances, such as when the data is no longer necessary for the purposes for which it was collected or if consent is withdrawn. The right to restriction of processing provides data subjects with the ability to limit how their data is used, for example, while the accuracy of the data is being verified or if the processing is unlawful. The right to data portability allows individuals to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance, promoting interoperability and individual control.

Data subjects also possess the right to object to the processing of their personal data, particularly when the processing is based on legitimate interests or for direct marketing purposes. They also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless specific safeguards are in place. However, the Tietosuojalaki, in conjunction with the GDPR, acknowledges that not all rights can be exercised in all situations, as the applicability of these rights can depend on the legal basis for processing and specific provisions in other laws, such as those related to scientific or historical research, where certain derogations may apply to ensure the integrity of research while still upholding data protection principles. Employees, in particular, benefit from these rights in the context of their employment data, as further specified by the Act on the Protection of Privacy in Working Life.

Pay Transparency Requirements

While the Finnish Data Protection Act (Tietosuojalaki 1050/2018) does not directly mandate pay transparency in the sense of salary range disclosures in job postings or public pay gap reporting, it fundamentally underpins the principles of transparency in the processing of all personal data, including data related to remuneration. The Act, in conjunction with the GDPR, requires that any processing of personal data, including salary, benefits, and other compensation details, must be conducted in a transparent manner. This means data subjects (employees) must be informed about how their pay-related data is collected, stored, used, and shared, and for what specific purposes.

Controllers (employers) are obligated to provide clear, concise, and easily accessible information to employees regarding the processing of their personal data. This includes details about the identity and contact details of the controller, the purposes of processing pay data (e.g., payroll, tax, benefits administration, performance management), the legal basis for such processing (e.g., contract, legal obligation, legitimate interest), the recipients or categories of recipients of this data (e.g., tax authorities, pension funds, internal departments), and the period for which the personal data will be stored. This transparency ensures that employees are aware of how their sensitive financial information is handled within the organization.

Furthermore, the general data subject rights under the Tietosuojalaki, such as the right to access one's personal data, apply to pay information. Employees have the right to request access to their own pay data, to rectify any inaccuracies, and to understand the logic involved in any automated decision-making that might affect their remuneration. Although the Act does not compel employers to disclose salary ranges to all employees or in job advertisements, it ensures that individual employees have comprehensive insight into how their personal pay data is managed and processed, thereby fostering a form of individual data transparency that can indirectly support broader discussions around fair remuneration practices, particularly when combined with other employment laws.

Reporting & Audit Obligations

The Tietosuojalaki (1050/2018) reinforces the reporting and audit obligations established by the GDPR, which are crucial for maintaining accountability and ensuring compliance within the data processing ecosystem. A key obligation for controllers is the notification of personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This rapid reporting mechanism ensures that the Data Protection Ombudsman can promptly assess the situation and provide guidance. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the data subject without undue delay, enabling individuals to take necessary protective measures.

Another significant obligation is the requirement to conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. The Tietosuojalaki supports the GDPR's framework for DPIAs, which involve a systematic assessment of the necessity and proportionality of processing operations in relation to the purposes, and an assessment of the risks to the rights and freedoms of data subjects. This proactive risk management tool helps organizations identify and mitigate data protection risks before processing begins. If a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller must consult the supervisory authority prior to processing, allowing the Ombudsman to provide expert advice and potentially require further safeguards.

Controllers and processors are also subject to the accountability principle, which requires them to be able to demonstrate compliance with data protection principles. This includes maintaining records of processing activities, implementing appropriate technical and organizational measures, and, where applicable, cooperating with the supervisory authority. The Data Protection Ombudsman has the authority to conduct inspections and audits to verify compliance, including requesting necessary information and carrying out on-site inspections. These audit powers ensure that organizations are not only aware of their obligations but are also actively implementing and documenting their data protection practices, fostering a proactive approach to data governance. The Ombudsman's office provides templates and guidance to assist organizations in fulfilling these rigorous reporting and audit requirements, emphasizing a culture of continuous compliance and improvement.

Governance & Enforcement Bodies

In Finland, the primary supervisory authority responsible for monitoring the application of the Tietosuojalaki (1050/2018) and the GDPR is the Data Protection Ombudsman (Tietosuojavaltuutettu). The Data Protection Ombudsman operates within the Data Protection Office (Tietosuojavaltuutetun toimisto), which is an independent and impartial authority established to ensure the effective protection of personal data. The Ombudsman and Deputy Data Protection Ombudsmen are appointed by the Government for a five-year term, ensuring their independence from political influence and enabling them to carry out their duties without undue interference. Their mandate is broad, encompassing the promotion of general awareness of data protection, providing advice to data subjects and controllers, and handling complaints related to personal data processing.

The Data Protection Ombudsman's office is equipped with significant powers to investigate and enforce data protection laws. These powers include the right to obtain necessary information free of charge, even if subject to secrecy provisions, and the right to conduct inspections. Inspections can be carried out at the premises of controllers and processors to verify compliance. Inspections in premises used for permanent residence are permitted only if strictly necessary to clarify the matters under inspection and if there is a justified and specific reason to suspect a violation of personal data processing regulations that could lead to an administrative fine or criminal penalty. This ensures a careful balance between robust enforcement and the protection of individual privacy and property rights.

For the imposition of administrative fines, a dedicated Sanctions Board (Seuraamuskollegio), composed of the Data Protection Ombudsman and Deputy Data Protection Ombudsmen, is responsible for determining the amount of the fine based on the severity, intentionality, and duration of the infringement. This collegiate body ensures a consistent and fair application of penalties across different cases. Data subjects have the right to lodge a complaint with the Data Protection Ombudsman if they believe their personal data has been processed in violation of the law, initiating an investigation process. The Ombudsman's office also engages in international cooperation with supervisory authorities of other EU member states and third countries to ensure effective cross-border enforcement, particularly in line with the Council of Europe Convention 108, highlighting Finland's commitment to a global data protection framework.

Monitoring & Evaluation

The Data Protection Ombudsman's office, as the national supervisory authority, plays a central role in the monitoring, investigation, and evaluation of compliance with the Tietosuojalaki (1050/2018) and the GDPR. The Ombudsman has broad powers of investigation, including the right to access all information necessary for the performance of their duties, regardless of any secrecy provisions. This extensive access ensures that the supervisory authority can thoroughly examine data processing practices and identify potential non-compliance across various sectors, from public administration to private enterprises. These powers are crucial for effective oversight, allowing the Ombudsman to proactively address data protection risks and respond to complaints from data subjects efficiently.

Investigations can be initiated based on complaints received from data subjects, referrals from other authorities (such as other sectoral regulators), or on the Ombudsman's own initiative, particularly when systemic issues or high-risk processing activities are identified. When a complaint is lodged, the Ombudsman's office assesses the merits of the case and may initiate a formal investigation into the alleged infringement. The process involves gathering evidence, requesting detailed explanations and documentation from controllers or processors, and, if necessary, conducting on-site inspections. The law specifies stringent conditions for inspections in sensitive locations, such as permanent residences, requiring a strong suspicion of serious violations that could lead to administrative fines or criminal charges, thereby balancing investigative powers with fundamental privacy rights.

Beyond individual investigations, the Data Protection Ombudsman is also involved in broader monitoring and evaluation activities. This includes issuing comprehensive guidelines and recommendations to controllers and processors on various data protection topics, conducting sector-specific audits to assess general compliance levels, and publishing annual activity reports. These reports, submitted to the Parliament and the Government, provide an overview of data protection trends, significant enforcement actions, and areas requiring further legislative or policy attention, contributing to the continuous improvement of data protection practices and policy in Finland. The Ombudsman's role extends to promoting public awareness through educational campaigns and providing expert opinions on legislative matters related to data protection, ensuring a comprehensive and proactive approach to safeguarding personal data in the digital age.

Enforcement & Penalties

The Tietosuojalaki (1050/2018), in conjunction with the GDPR, establishes a robust framework for enforcement and penalties to ensure compliance with data protection regulations. The Data Protection Ombudsman, through its Sanctions Board (Seuraamuskollegio), has the authority to impose administrative fines (seuraamusmaksu) on organizations that violate the provisions of the law. The severity of these fines is determined based on several factors, including the nature, gravity, and duration of the infringement, its intentional or negligent character, any actions taken to mitigate damage, the categories of personal data affected, and any previous infringements by the controller or processor. This nuanced approach ensures that penalties are proportionate to the breach.

A notable aspect of the Finnish enforcement regime is that administrative fines cannot be imposed on public authorities or public administration bodies for certain corrective measures, reflecting the distinct legal framework governing public sector operations. However, a private entity performing a public administrative task can still be subject to fines, ensuring accountability even when public duties are outsourced. The maximum administrative fines align with the GDPR, which can be up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements, such as violations of data subject rights or fundamental principles for processing. For less severe infringements, fines can be up to €10 million or 2% of worldwide annual turnover.

In addition to administrative fines, the Data Protection Ombudsman has a range of other corrective powers, including issuing warnings, reprimands, orders to bring processing operations into compliance, temporary or definitive limitations on processing, and orders to rectify or erase personal data. Data subjects who have suffered material or non-material damage as a result of an infringement of the law also have the right to receive compensation from the controller or processor, providing a direct remedy for individuals. The law also outlines the appeals process, allowing decisions made by the Data Protection Ombudsman, including the imposition of administrative fines, to be appealed to the administrative court, ensuring due process and the right to a fair hearing for all parties involved. This multi-layered enforcement mechanism aims to deter non-compliance and provide effective redress.

Relationship to Other Laws

The Tietosuojalaki (1050/2018) is explicitly designed to complement and specify the EU General Data Protection Regulation (GDPR), which is directly applicable law across all EU member states. The Finnish Act fills in the areas where the GDPR allows for national derogations or provides flexibility for member states to introduce their own specific provisions. This includes, for example, national rules on the processing of personal identification numbers, the age of consent for information society services (set at 13 years in Finland, as opposed to the GDPR's default of 16 with national flexibility), and specific conditions for processing special categories of personal data, particularly in areas like health and social care, where national legislation often provides more detailed requirements.

Beyond the GDPR, the Tietosuojalaki interacts with several other significant national laws, creating a complex but coherent legal landscape for data protection. A crucial relationship exists with the Act on the Protection of Privacy in Working Life (759/2004), often referred to as the Working Life Data Protection Act. This specialized law governs the processing of employee personal data, setting out specific requirements for employers regarding data collection, monitoring, and employee rights in the workplace. The Tietosuojalaki acts as a general law, while the Working Life Data Protection Act provides more specific rules for the employment context, with the latter taking precedence in its specific area of application, ensuring tailored protection for employees.

Another important interaction is with the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018). This law provides the framework for personal data processing by law enforcement and national security authorities, which are largely outside the direct scope of the GDPR's general rules (Article 2(2)(d)). The Tietosuojalaki also relates to the Act on the Openness of Government Activities (621/1999), which governs public access to official documents, and the Act on Information Management in Public Administration (906/2019), which sets standards for data management in the public sector. These interdependencies ensure a comprehensive and coherent legal framework for data protection across various sectors and activities in Finland, balancing transparency, security, and individual rights.

International Context

The Tietosuojalaki (1050/2018) is deeply embedded within a broader international data protection context, primarily driven by the European Union's General Data Protection Regulation (GDPR). As a national law complementing the GDPR, it ensures that Finland adheres to the high standards of data protection established across the EU. The GDPR itself represents a significant global trend towards stronger privacy rights and increased accountability for organizations handling personal data, influencing legislation in numerous countries outside the EU that seek to achieve 'adequacy' status for data transfers or adopt similar regulatory frameworks. Finland's participation in the EU's data protection ecosystem means it actively contributes to and benefits from the harmonized approach to data protection across the single market.

Beyond the EU framework, the Finnish Data Protection Act also acknowledges and facilitates cooperation with international bodies and third-country supervisory authorities. Specifically, the Data Protection Ombudsman has the right to take necessary measures to ensure effective cooperation with authorities monitoring compliance with the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). Convention 108, and its modernized version, Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 223), is the only binding international instrument in the field of data protection, providing a common framework for its 55 member states and serving as a benchmark for data protection legislation worldwide. Finland's adherence to this convention underscores its commitment to international data protection norms.

This international dimension is crucial for addressing cross-border data flows and ensuring consistent protection for individuals' data, regardless of where it is processed. The Tietosuojalaki's provisions for international cooperation, including the exchange of information with foreign supervisory authorities and participation in the European Data Protection Board (EDPB), underscore Finland's commitment to a global approach to data protection. This aligns with the broader trend of harmonizing data protection standards to facilitate secure international data transfers while safeguarding fundamental rights in an increasingly interconnected digital world. The Act ensures that Finnish organizations engaging in international data transfers comply with both national and international obligations, protecting data subjects both within and outside Finland's borders.

Implementation Timeline

Date | Milestone | Status
2018-12-05 | Act passed by Parliament | Adopted
2018-12-10 | Act published in the Official Gazette (Suomen säädöskokoelma) | Published
2019-01-01 | Tietosuojalaki (1050/2018) enters into force, replacing the Personal Data Act (523/1999) and the Act on the Data Protection Board and Data Protection Ombudsman (389/1994) | In Force
2020-11-27 | Amendments (869/2020 and 902/2020) passed, entering into force on 2020-12-01 and 2020-12-10 respectively | In Force (Amended)
2023-12-21 | Amendment (1225/2023) passed, entering into force on 2024-01-01 | In Force (Amended)
2024-01-12 | Amendment (29/2024) passed, entering into force on 2025-01-01 | Awaiting Entry
2025-06-27 | Amendment (437/2025) passed, entering into force on 2026-01-01 | Awaiting Entry

Compliance Checklist

Requirement | Action Required | Deadline
Understand GDPR and Tietosuojalaki | Familiarize with both the GDPR and the specific provisions of the Finnish Data Protection Act (1050/2018) to ensure a comprehensive understanding of obligations. | Ongoing
Identify Legal Basis for Processing | Ensure all personal data processing activities have a valid legal basis as per GDPR Article 6 and 9, and any specific provisions in Tietosuojalaki (e.g., public interest, consent). | Prior to processing
Implement Data Protection Principles | Ensure data is processed lawfully, fairly, transparently, for specific purposes, minimized, accurate, stored for limited periods, and secured (accountability principle). | Ongoing
Inform Data Subjects | Provide clear and comprehensive information to data subjects about data processing, including purposes, legal basis, recipients, and their rights (Articles 12-14 GDPR). | At data collection or within one month
Facilitate Data Subject Rights | Establish procedures to respond to requests for access, rectification, erasure, restriction, data portability, and objection within statutory timeframes (typically 1 month). | Upon request
Appoint Data Protection Officer (DPO) | If required by GDPR (e.g., public authority, large-scale systematic monitoring, special categories of data), appoint and ensure the DPO's independence and resources. | As applicable
Maintain Records of Processing Activities | Document all personal data processing activities, including purposes, categories of data subjects and data, recipients, retention periods, and security measures. | Ongoing
Conduct Data Protection Impact Assessments (DPIAs) | Perform DPIAs for high-risk processing operations and consult the Data Protection Ombudsman if residual high risks remain. | Prior to high-risk processing
Implement Security Measures | Adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, pseudonymization, and regular testing. | Ongoing
Manage Data Breaches | Establish a data breach response plan, including procedures for detection, assessment, and notification to the Data Protection Ombudsman (within 72 hours) and affected data subjects. | Immediately upon discovery
Review Data Processing Agreements | Ensure written agreements with data processors clearly define roles, responsibilities, and data protection obligations. | Prior to engaging a processor
Address Specific National Provisions | Comply with Finnish specific rules, such as those concerning personal identification numbers, the age limit for information society services (13 years), and processing for journalistic/academic purposes. | Ongoing
Cooperate with Supervisory Authority | Respond promptly and fully to requests from the Data Protection Ombudsman and cooperate with investigations and audits. | Upon request


© RewardsET.com / Smitteck GmbH — created on 22-Jan-2026 using Gemini 2.5 Flash