DLA Piper Intelligence

Data Protection
Laws of the World

Law

Finland

Finland is a member of the European Union and implemented the EU Data Protection Directive 95/46/EC through the Personal Data Act 523/1999 (‘Act’) (Henkilötietolaki) in June 1999.

Other important Finnish laws concerning data privacy and protection are the Code for Information Society and Communications Services 917/2014 ('Information Society Code') (Tietoyhteiskuntakaari), in force since 1 January 2015, which aims, inter alia, to ensure the confidentiality of electronic communications and the protection of privacy, and the Act on the Protection of Privacy in Working Life 759/2004 (‘Working Life Act’) (Laki yksityisyyden suojasta työelämässä), which aims to promote the protection of privacy and other rights safeguarding privacy in working life.

The Information Society Code is an ambitious effort to collect the relevant laws relating to the information society under a single statute. It contains mostly the same provisions as the preceding laws, but combines a large number of different provisions under a single law and covers a large area of legislation.

The Working Life Act includes specific provisions on privacy issues relating to employment and the work environment, such as the right to monitor employees’ email communication.

Last modified 25 Jan 2017
Definitions

Definition of personal data

‘Personal data’ means “any information on a private individual and any information on his/her personal characteristics or personal circumstances, where these are identifiable as concerning him/her or the members of his/her family or household”.

Definition of sensitive personal data

Personal data is deemed sensitive “if it relates to or is intended to relate to:

  • race or ethnic origin;

  • the social, political or religious affiliation or trade-union membership of a person;

  • a criminal act, punishment or other criminal sanction;

  • the state of health, illness or handicap of a person or the treatment or other comparable measures directed at the person;

  • the sexual preferences or sex life of a person; or

  • the social welfare needs of a person or the benefits, support or other social welfare assistance received by the person.”

Last modified 25 Jan 2017
Authority

The Data Protection Ombudsman (Tietosuojavaltuutettu) is the local supervisory authority. 

Post address:
P.O. Box 800
00521 Helsinki
Finland

Visiting address:
Ratapihantie 9, 6th floor

T +358 29 56 66700
tietosuoja@om.fi
www.tietosuoja.fi

Last modified 25 Jan 2017
Registration

The Act obliges data controllers to notify the Data Protection Ombudsman only in certain limited situations. Data controllers must make a notification in the case of automated processing of personal data, and of any other processing of personal data, provided that the processed personal data constitutes or is meant to constitute a personal data file. The other situations include, for example, outsourced processing of personal data, direct marketing or survey business activities and certain situations where personal data is transferred outside the European Union or the European Economic Area. The exemptions under which notification to the Data Protection Ombudsman is not necessary are further specified in the Act. As the obligation to notify is currently set relatively narrowly, the exemptions of the Act cover the majority of data processing situations in practice.

The Act does, however, oblige data controllers to draw up a description of their personal data file. According to Section 10 of the Act, the data controller "shall draw up a description of the personal data file, indicating:

  • The name and address of the controller and, where necessary, those of the representative of the controller;

  • The purpose of the processing of the personal data;

  • A description of the group or groups of data subjects and the data or data groups relating to them;

  • The regular destinations of disclosed data and whether data are transferred to countries outside the European Union or the European Economic Area; and

  • A description of the principles in accordance to which the data file has been secured."

With some minor exceptions, the description must be kept so that anyone may access it.

Last modified 25 Jan 2017
Data Protection Officers

The Act does not currently include a specific obligation for organisations, businesses or other entities to have a special data protection officer appointed, but organisations, businesses and other entities processing personal data should name a specific contact person in the description of the personal data file.

Last modified 25 Jan 2017
Collection & Processing

Data controllers may only collect and process personal data if:

  • the data subject has unambiguously consented to the processing

  • the data subject has given an assignment for the processing, or this is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract

  • processing is necessary, in an individual case, in order to protect the vital interests of the data subject

  • processing is based on the provisions of an Act or it is necessary for compliance with a task or obligation to which the controller is bound by virtue of an Act or an order issued on the basis of an Act

  • there is a relevant connection between the data subject and the operations of the controller, based on the data subject being a client or member of, or in the service of, the controller or on a comparable relationship between the two (connection requirement)

  • the data relate to the clients or employees of a group of companies or another comparable economic grouping, and they are processed within the said grouping

  • processing is necessary for purposes of payment traffic, computing or other comparable tasks undertaken on the assignment of the controller

  • the matter concerns generally available data on the status, duties or performance of a person in a public corporation or business, and the data is processed in order to safeguard the rights and interests of the controller or a third party receiving the data, or

  • the Data Protection Board has issued permission for the processing, as provided in the Act 

In addition to the requirements described above, separate requirements cover the processing of personal identity numbers and sensitive personal data. Processing of sensitive personal data is forbidden except in specific situations described in the Act. 

Purposes for the processing of the personal data as well as where the personal data will be acquired from, and where it will be transferred to, must be defined in advance by the data controller. Personal data must not be used or processed in a manner incompatible with the purposes defined by the data controller. In general, personal data must only be used and processed to the extent necessary and the data controller must follow a duty of care when processing personal data. 

When the data controller collects personal data, the data controller must ensure that the data subject can have information on the controller and, where necessary, the representative of the controller and on how to proceed in order to make use of the rights of the data subject in respect to the processing of the personal data.

Last modified 25 Jan 2017
Transfer

Personal data may be transferred outside the European Union and the European Economic Area only if the level of data protection in such country is sufficiently guaranteed. The sufficiently guaranteed level of protection in third countries is defined according to the decisions made by the European Commission pursuant to the Data Protection Directive. 

In other situations personal data may be transferred outside the European Union and the European Economic Area if any of the below mentioned conditions are met:

  • The data subject has unambiguously consented to the transfer

  • The data subject has given an assignment for the transfer, or this is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract

  • The transfer is necessary in order to make or perform an agreement between the controller and a third party and in the interest of the data subject

  • The transfer is necessary in order to protect the vital interests of the data subject

  • The transfer is necessary or called for by law for securing an important public interest, or for purposes of drafting or filing a lawsuit or for responding to or deciding such a lawsuit

  • The transfer is made from a file, the disclosure of data from which, either generally or for special reasons, has been specifically provided for in an Act

  • The controller, by means of contractual terms or otherwise, gives adequate guarantees of the protection of the privacy and the rights of individuals, and the Commission has not found, pursuant to Articles 3 and 26(3) of the Data Protection Directive, that the guarantees are inadequate, or

  • The transfer is made by using standard contractual clauses as adopted by the Commission in accordance with Article 26(4) of the Data Protection Directive. 

Prior to the Court of Justice of the European Union’s judgment in the Schrems case (C-362/14), transfers of personal data from Finland to the United States were allowed in compliance with the EU/US Safe Harbour principles. Currently, data transfers from Finland to the United States are only allowed following the instructions and directions given by the European Commission, as the Safe Harbour regime is no longer regarded as valid. The current instructions concern transfers on the basis of alternative data transfer methods, such as contractual solutions using the European Commission’s standard model clauses and binding corporate rules for intra-group transfers.

The European Commission is currently negotiating with the United States authorities to find new solutions for data transfers. However, the Article 29 Working Party stressed that an appropriate solution needs to be found by the end of January 2016 or the Data Protection Authorities will have to take necessary actions. The Article 29 Working Party is currently also assessing the acceptability of the above mentioned alternative data transfer methods.

Last modified 25 Jan 2017
Security

The data controller is obligated to implement the necessary technical and organisational measures to protect and secure personal data against any unauthorised access as well as against any unlawful or accidental disclosure, manipulation, destruction, or other unlawful processing. The available techniques, associated costs, the quality, quantity and age of the data, as well as the significance of the processing to the protection of privacy should be considered when the data controller carries out the measures. 

Anyone operating on behalf of the data controller shall, before starting to process data, provide the controller with appropriate clearances and commitments as well as any other adequate guarantees of the security of the data as provided in the Act.

Last modified 25 Jan 2017
Breach Notification

The Act does not include any mandatory requirement to report breaches of data security or losses of data to the data subject or the data protection authorities. Even though the Act does not currently include any such mandatory obligation, the Data Protection Ombudsman may give instructions to the data controller to take necessary measures (in data breach or loss situations), which may include an obligation to notify the data subjects of the breach.

Last modified 25 Jan 2017
Enforcement

The Data Protection Ombudsman directs and supervises the enforcement of the Act together with the Data Protection Board. The Data Protection Ombudsman provides guidelines and advice on the processing and transfer of data under the applicable legislation, and may also refer data protection matters to the Data Protection Board or report them for prosecution.

The Data Protection Board has the power of decision in data processing matters referred to it by the Data Protection Ombudsman. The Data Protection Board may:

  • Prohibit processing of personal data which is contrary to the provisions of this Act or the rules and regulations issued on the basis of this Act

  • Compel the person concerned to remedy an instance of unlawful conduct or neglect

  • Order that the operations pertaining to the file be ceased, if the unlawful conduct or neglect seriously compromises the protection of the privacy of the data subject or his/her interests or rights, provided that the file is not set up under a statutory scheme, and

  • Revoke permission for the processing of personal data granted by the Data Protection Board, where the prerequisites for the permission are no longer fulfilled or the controller acts against the permission or the rules attached to it. 

The Data Protection Board, as well as the Data Protection Ombudsman, may impose a penalty payment to ensure compliance with the Act and/or the decisions of the Data Protection Ombudsman and the Data Protection Board. Criminal liability may also ensue from failure to comply with the Act, under the Finnish Penal Code 38/1889 (Rikoslaki) or the Act itself. According to the Finnish Penal Code, failure to comply with the Act may be punished with fines or even up to one year of imprisonment.

Last modified 25 Jan 2017
Electronic Marketing

The Information Society Code regulates direct marketing by electronic means in Finland. The Data Protection Ombudsman is also the supervisory authority for compliance with the Information Society Code’s provisions on direct marketing.

Direct marketing to natural persons by means of automated calling systems, facsimile machines, or email, text, voice, sound or image messages is only allowed if the natural person has given his/her prior consent. Direct marketing using other means is allowed if the natural person has not specifically forbidden it. If, however, a service provider receives an email address, number or other contact information in connection with the sale of a product or service, the service provider may normally use this contact information to directly market to the natural person in question the service provider’s own products or services that belong to the same product group or are otherwise similar. The natural person must be able to forbid any direct marketing easily and at no charge, and the service provider must clearly inform the natural person of that possibility.

A service provider may use direct marketing with legal persons unless they have specifically forbidden it. As with natural persons, legal persons must also be able to forbid any direct marketing easily and at no charge, and the service provider must clearly inform the legal person of that possibility. In addition, telecommunications operators and corporate or association subscribers are entitled, at a user’s request, to prevent the reception of direct marketing.

The Data Protection Ombudsman and the Finnish Customer Marketing Association have given their interpretations on B2B direct marketing using a legal person’s general contact information, such as an email address (e.g. info@company.com). If B2B direct marketing is sent to a legal person’s employee’s personal work email (firstname.lastname@company.com), the person’s prior consent is required unless the marketed product or service is substantially related to the person’s work duties based on the person’s job description.

An email, text, voice, sound or image message sent for the purpose of direct marketing must be clearly and unmistakably recognisable as direct marketing. It is forbidden to send a direct marketing message that:

  • Disguises or conceals the identity of the sender on whose behalf the communication is made

  • Is without a valid address to which the recipient may send a request that such communications be ended

  • Solicits recipients to visit websites that contravene the provisions of the Consumer Protection Act 20.1.1978/38 (Kuluttajansuojalaki).

If any processing of personal data is involved in the electronic direct marketing, the provisions of the Act will also apply. This means that the data subject may prohibit the use of his/her personal data for advertising or marketing purposes, and that the personal data may only be collected into a data file in accordance with the provisions of the Act.

Last modified 25 Jan 2017
Online Privacy

The Information Society Code regulates online privacy matters such as the use of cookies and location data.

Cookies

A service provider is allowed to store cookies and other data on a user’s terminal device, and to use such data, only with the consent of the user. Consent can be given via web browser settings or other applicable settings. The service provider must also give the user clear and complete information on the purposes for which the cookies are used.

However, the above restrictions do not apply to the use of cookies solely for the purpose of enabling the transmission of messages in communications networks, or where it is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

Location Data

Location data associated with a natural person may be processed for the purpose of offering and using value added services if:

  • The user or subscriber whose data is in question has given his/her consent

  • The consent is otherwise clear from the context, or

  • The processing is otherwise provided for by law.

In general, location data may only be processed to the extent necessary for the purpose of the processing, and it may not limit privacy any more than is absolutely necessary.

The value added service provider shall ensure that:

  • The user or subscriber located has easy and constant access to specific and accurate information on his/her location data processed, purpose and duration of its use and if the location data will be disclosed to a third party for the purpose of providing the services

  • The above mentioned information is available and accessible to the user or subscriber prior to him/her giving his/her consent

  • The user or subscriber has the possibility to easily and at no separate charge cancel the consent and ban the processing of his/her location data (if technically feasible). 

The user or subscriber is entitled to receive the location data and other traffic data showing the location of his/her terminal device from the value added service provider or the communications provider at any time.

Last modified 25 Jan 2017
Contacts
Markus Oksanen
Partner
T +358 9 4176 0431
Last modified 25 Jan 2017