Finland - National Data Protection Law
The delay in passing the Act is partly due to the complexity of the Finnish legislative process, in which several committees submitted detailed statements on the government's draft proposal. It is also partly due to extensive substantive debates concerning, for example, the jurisdiction of the Finnish Data Protection Ombudsman to impose administrative sanctions, and the target groups that will be subject to administrative and criminal sanctions.
The aim of this general Act is to implement the GDPR and, much like the other EU Member States, to include specific provisions concerning (a) the processing of sensitive data in particular circumstances; (b) the national age threshold for minors' consent regarding Information Society Services; (c) the Finnish supervisory authority; (d) the balancing of opposing rights such as freedom of expression and the protection of personal data; and (e) judicial remedies, fines and possible criminal offences.
Although there is no news yet on the DPA website, the Helsinki Times has reported (based on a recent statement from government attorneys) that the Act is strongly focused on protecting the data of minors, which — pursuant to Article 8(1) of the GDPR — has been set to 13 years of age.
In addition, the powers of the DPA have been extended to enable the authority to carry out enforcement actions against non-compliant organisations. On the other hand, public authorities have been granted increased powers to access personal data for matters of public interest. Moreover, some authorities fall outside the scope of enforcement actions by the DPA (i.e. certain law enforcement agencies are not liable for breaches of the Act or the GDPR and cannot be fined). This differential treatment of private and public sector entities fuelled much of the debate during the parliamentary sessions preceding the adoption of the Act.
More detailed information about the derogations and opening clauses will be available shortly.
In Finland, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and, in cases of likely high risk to the rights and freedoms of natural persons, also to the affected individuals.
Is it Mandatory to Notify Individuals?
Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.
Is it Mandatory to Notify the Regulator?
Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.
The Office of the Data Protection Ombudsman
P.O. Box 315
Breach Notification Format
Minimum requirements: the nature of the breach, the categories and approximate number of data subjects concerned, the name and contact details of the DPO, the likely consequences, and the measures taken or proposed to be taken. The Finnish regulator advises notifying the breach through its online breach notification interface and using a separate secure communication portal for any sensitive or personal information included in the notification.
HE 9/2018 vp
This Act was passed by the Finnish Parliament on 13 November 2018 and was enacted on 1 January 2019. The new Act repealed both the general Personal Data Act (1999/523) and the Act on the Data Protection Board and Data Protection Authority (1994/389).
Last Updated: July 24, 2019