DLA Piper Intelligence

Data Protection
Laws of the World

Law

Finland
Finland

The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that it is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Finnish Government has issued a draft proposal for the general national GDPR implementation Act, i.e the Data Protection Act (HE 9/2018 vp, available in Finnish and in Swedish. Unfortunately, Government draft proposals are not usually available in English, only the finalized Acts that has been passed through the Parliament. The original goal was and still is to have the new Act effective on 25th May 2018.

The new Personal Data Act would repeal the current general Personal Data Act (1999/523) and the Act on Data Protection Board and Data Protection Authority (1994/389).
The Act for Information and Communications Services (2014/917, ‘Information Society Code’) and The Act on Protecting Privacy in Working Life (2004/759, ‘Laki yksityisyyden suojasta työelämässä’) shall still be in force unchangeable. However, the upcoming ePrivacy-regulation shall probably lead to changes to these Acts.

Government draft proposal HE 9/2018 vp for new general legislation i.e Data Protection Act to implement GDPR has been submitted into a normal national legislative process on 1 March 2018, where different Committees of the Parliament (Committee for Constitutional Law (always) and Law Committee (always) will issue their statements on the draft proposal to the Administration Committee after having organized various hearings for different experts and interest groups. The Administration Committee will also have hearings and issue a final committee report on the matter to the Parliament plenary session.

Subsequently, the draft proposal will be submitted to a vote in the plenary session of the Parliament and it will either pass or be rejected (highly unlikely at this point).

As per today 10th may 2018, the Committee for Constitutional Law and Law Committee has ceased the hearings and should provide a statement to the Administration Committee during the following days. It remains, however, to be seen whether the new Data Protection Act will become effective on 25th May 2018, since the legislative work is still in progress.

The purpose of the new national general Personal Data Act is to: a) regulate nationally any issue that is mandatory under GDPR and b) use at least some of the national leeway provided by GDPR.

Please bear in mind that Finland also has a lot of special national legislation concerning data protection which can be divided into two main categories:

  1. Independent acts and regulations that concern purely data protection issues:
    1. Person registers that are meaningful for the society (e.g population information registers, student registers and different public administration registers concerning various sectors)
    2. Acts concerning comprehensively certain industries (e.g Act on Privacy in Working Life (2004/759), Credit Information Act (2007/527), Act on Electronic Processing of Client Information in Social Welfare and Healthcare (2007/159).
  2. Acts that contain some sections related to personal data (e.g sections on the disclosure, confidentiality, processed data types and data retention periods)

The Ministry of Justice has placed a working group with a mandate to give proposals and notifications regarding the use of national leeway under GDPR (the new Data Protection Act is mostly based on this report “Ministry of Justice reports and statements, 35/2017) which can be found here in Finnish.

The above-mentioned working group has also provided a final statement (“Ministry of Justice reports and statements, 8/2018) which can be found here in Finnish. It entails a general review the special national legislation in order to identify Acts and regulations that are not in compliance with GDPR and to identify areas in which special national legislation should be added/amended/repealed.

Last modified 16 Oct 2018
Law
Finland

The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that it is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Finnish Government has issued a draft proposal for the general national GDPR implementation Act, i.e the Data Protection Act (HE 9/2018 vp, available in Finnish and in Swedish. Unfortunately, Government draft proposals are not usually available in English, only the finalized Acts that has been passed through the Parliament. The original goal was and still is to have the new Act effective on 25th May 2018.

The new Personal Data Act would repeal the current general Personal Data Act (1999/523) and the Act on Data Protection Board and Data Protection Authority (1994/389).
The Act for Information and Communications Services (2014/917, ‘Information Society Code’) and The Act on Protecting Privacy in Working Life (2004/759, ‘Laki yksityisyyden suojasta työelämässä’) shall still be in force unchangeable. However, the upcoming ePrivacy-regulation shall probably lead to changes to these Acts.

Government draft proposal HE 9/2018 vp for new general legislation i.e Data Protection Act to implement GDPR has been submitted into a normal national legislative process on 1 March 2018, where different Committees of the Parliament (Committee for Constitutional Law (always) and Law Committee (always) will issue their statements on the draft proposal to the Administration Committee after having organized various hearings for different experts and interest groups. The Administration Committee will also have hearings and issue a final committee report on the matter to the Parliament plenary session.

Subsequently, the draft proposal will be submitted to a vote in the plenary session of the Parliament and it will either pass or be rejected (highly unlikely at this point).

As per today 10th may 2018, the Committee for Constitutional Law and Law Committee has ceased the hearings and should provide a statement to the Administration Committee during the following days. It remains, however, to be seen whether the new Data Protection Act will become effective on 25th May 2018, since the legislative work is still in progress.

The purpose of the new national general Personal Data Act is to: a) regulate nationally any issue that is mandatory under GDPR and b) use at least some of the national leeway provided by GDPR.

Please bear in mind that Finland also has a lot of special national legislation concerning data protection which can be divided into two main categories:

  1. Independent acts and regulations that concern purely data protection issues:
    1. Person registers that are meaningful for the society (e.g population information registers, student registers and different public administration registers concerning various sectors)
    2. Acts concerning comprehensively certain industries (e.g Act on Privacy in Working Life (2004/759), Credit Information Act (2007/527), Act on Electronic Processing of Client Information in Social Welfare and Healthcare (2007/159).
  2. Acts that contain some sections related to personal data (e.g sections on the disclosure, confidentiality, processed data types and data retention periods)

The Ministry of Justice has placed a working group with a mandate to give proposals and notifications regarding the use of national leeway under GDPR (the new Data Protection Act is mostly based on this report “Ministry of Justice reports and statements, 35/2017) which can be found here in Finnish.

The above-mentioned working group has also provided a final statement (“Ministry of Justice reports and statements, 8/2018) which can be found here in Finnish. It entails a general review the special national legislation in order to identify Acts and regulations that are not in compliance with GDPR and to identify areas in which special national legislation should be added/amended/repealed.

Last modified 16 Oct 2018
Definitions

"Personal data" is defined as "any information relating to an identified or identifiable natural person" (Article 4). A low bar is set for "identifiable" – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of "special categories" (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the "processing" of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a "controller" or a "processor". The controller is the decision maker, the person who "alone or jointly with others, determines the purposes and means of the processing of personal data" (Article 4). The processor "processes personal data on behalf of the controller", acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The "data subject" is a living, natural person whose personal data are processed by either a controller or a processor.

There is a possibility that Finland shall somehow use the national leeway provided in GDPR 4(1) article sub-section 7 related to the specific criteria for the controller’s nomination, but it cannot be done in general national implementation legislation, i.e the Data Protection Act but rather in special national legislation. However, nothing concrete has surfaced as per today.

Please note, however, that there are few instances in the national special legislation in which the controller has been designated in advance: Act on Electronic Prescriptions section 18 §  The Finnish Social Insurance Institution is the controller for the recipe centre and the recipe archive  Act on Electronic Processing of Client Information in Social Welfare and Healthcare section 14 a §: The Finnish Social Insurance Institution is the controller of the national patient data management system.

Last modified 16 Oct 2018
Authority

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

Contact details remain the same.

In accordance with the draft proposal of the new Data Protection Act chapter 3 section 8 and 9 §:

The independent Supervisory Authority will (still) be the Data Protection Ombudsman (in Finnish “Tietosuojavaltuutettu”) and the Office of the Ombudsman for Data Protection (in Finnish “Tietosuojavaltuutetun toimisto”) contains at least one Assistance Data Protection Ombudsman as well as various data protection experts and secretaries as public servants. The Data Protection Ombudsman shall nominate the public servants himself.

The independency will be guaranteed by an obligation to give a detailed account of the engagements under section 8 a § of the Finnish Public Servant Act (1994/750). This obligation concerns the Data Protection Ombudsman and Assistance Data Protection Ombudsman (chapter 3 section 13 §).

The division of labour between the Data Protection Ombudsman and the Assistance Data Protection Ombudsman shall be governed by the Rules of Procedure of the Office of the Ombudsman for Data Protection approved by the Data Protection Ombudsman. the Assistance Data Protection Ombudsman shall the same jurisdiction as the Data Protection Ombudsman while conducting his duties. (chapter 3 section 16 §).

The Data Protection Ombudsman shall be nominated by the Council of State for a term of 5 years. The Ombudsman or the Assistance Ombudsman may not hold another post during the term. The formal requirement for these positions is a higher law degree and have the ability to conduct international assignments. (chapter 3 sections 10 and 11 §).

The Office of the Ombudsman for Data Protection shall contain an Expert Committee (president, vice president, 3 normal members, each will have a deputy member). The Committee shall be nominated by the Council of State for a term of 3 years. The president and vice president must hold a higher law degree. (chapter 3 section 12 §).

Duties of the Data Protection Ombudsman:

  • Shall accredit the certification bodies under GDPR 43 article (chapter 3 section 14 §)
  • provide the annual report under GDPR 59 article only to the Parliament and the Government (chapter 3 section 14 §).
  • Shall represent Finland at the European Data Protection Board (chapter 3 section 14 §).
    Duties of the Expert Committee:
  • To provide statements upon the request by the Data Protection Ombudsman on significant questions relating to the application of legislation concerning processing of personal data.

The Committee may, under its own discretion, hear

3. party experts relating to its duties. The secretary of the Committee shall be a rapporteur of the Office of the Ombudsman for Data Protection (chapter 3 section 17 §).

The Data Protection Ombudsman audit rights and the right to obtain information:

  • In addition to GDPR 58(1) article, The Data Protection Ombudsman shall be entitled to receive, free of charge, all the necessary information required for the performance of his duties regardless of the Confidentiality Requirement in chapter 6 section 35 §. (chapter 3 section 18 §).
  • Audits conducted in a space used for permanent private housing are only permissible if it is necessary for untangling the issues relating to the subject of the audit and there is a grounded and specified reason to suspect that the rules relating the processing of personal data have been violated in a way that may be attributable to administrative fines or a crime stipulated under the Finnish Criminal Code.(chapter 3 section 18 §
  • The Data Protection Ombudsman may use 3.party experts while conducting an audit under his jurisdiction. The 3.party expert shall act under the legislation concerning criminal public liability.(chapter 3 section 19 §).

Executive Assistance

  • The Data Protection Ombudsman shall be entitled to receive executive assistance from the police while conducting his duties. (chapter 3 section 20 §).
Last modified 16 Oct 2018
Registration

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

The draft proposal of the Data Protection Act does not contain any provisions related to registration. and the old requirements under the current Personal Data Act shall be repealed when the new Data Protection Act becomes effective.
Last modified 16 Oct 2018
Data Protection Officers

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Pursuant to GDPR 37(4) article, there are currently two (2) special national Acts that stipulate mandatory DPO’s (i.e Act on Electronic Processing of Client Information in Social Welfare and Healthcare, 2007/159 and Act on Electronic Prescriptions, 2007/61). However, due to GDPR 37(1) sub-section a) every functional unit of the public social welfare and healthcare sector as well as the Finnish Social Insurance Institution (KELA) would have the obligation to nominate a DPO anyways, but the obligation also applies to Pharmacies under the Act on Electronic Prescriptions.

The DPO shall be bound by the general confidentiality requirement stipulated under section 35 § of the new proposed Data Protection Act pursuant to GDPR 38(5) article. The new draft proposal does not entail further sections on DPO.

Last modified 16 Oct 2018
Collection & Processing

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

  • processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
  • adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
  • accurate and where necessary kept up to date (the "accuracy principle");
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
  • processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

  • with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
  • where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
  • where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
  • where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
  • where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
  • where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

  • with the explicit consent of the data subject;
  • where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
  • where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
  • in limited circumstances by certain not-for-profit bodies;
  • where processing relates to the personal data which are manifestly made public by the data subject;
  • where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
  • where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
  • where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
  • where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
  • where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

  • any link between the original purpose and the new purpose
  • the context in which the data have been collected
  • the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
  • the possible consequences of the new processing for the data subjects
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

  • the identity and contact details of the controller;
  • the data protection officer's contact details (if there is one);
  • both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
  • the recipients or categories of recipients of the personal data;
  • details of international transfers;
  • the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
  • the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
  • where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
  • the consequences of failing to provide data necessary to enter into a contract;
  • the existence of any automated decision making and profiling and the consequences for the data subject; and
  • in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances.   Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

  1. necessary for entering into or performing a contract;
  2. authorised by EU or Member State law; or 
  3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

  1. The draft proposal of the Data Protection Act entails a section (4 §) that specifies GDPR 6(1) subsection e). Under this section the processing is lawful if:
    1. it relates to a person’s status, position or tasks in the public sector, economic life or the 3. sector and the purpose of the processing rests on public interest grounds in accordance with the principle of proportionality,
    2. processing is necessary for scientific or historical research or statistical purposes and rests on public interest grounds in accordance with the principle of proportionality,
    3. the processing of research material, cultural heritage material and any description information thereof for archiving purposes is necessary on public interests grounds and complies with the principle of proportionality.
    4. the processing is necessary for the operation of Authorities relating to public interest grounds and complies with the principle of proportionality.
  2. The draft proposal of the Data Protection Act entails a section (6.1 §) that specifies the national leeway provided in GDPR article 9(2) subsections b), g), h), i), j). These include:
    1. processing of personal data of the insured or claimant within the operation of Insurance Companies in order to settle the Insurance Company’s liability
    2. processing of trade union membership information to comply with the Controller’s obligations in the field of employment law
    3. processing of health and medical data in connection to operation of Healthcare Service Provider
    4. processing of health and medical data in connection to operation of Social Welfare Service Provides
    5. processing of genetic and health data related to antidoping-work and sports of the disabled, when processing is necessary in order to enable antidoping-work or sports of the disabled
    6. processing relates to scientific or historical research or statistics
    7. processing of research and cultural heritage material for non-profit archiving purposes, excluding genetic data

For the purpose of respecting the essence of the right to data protection and the provision of suitable and specific measures to safeguard the fundamental rights and interests of data subject, The draft proposal of the Data Protection Act entails a section (6.2 §) relating to suitable and specific measures:

  • measures that enable to verify by whom the personal data has been stored, altered or transferred
  • measures to enhance the competence of those who process personal data
  • the nomination of DPO under GDPR 37(1) sub-section c).
  • pseudonymization of personal data
  • encryption of personal data
  • Internal measures of the controller and processor to prevent access to personal data
  • process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measure for ensuring the security of processing
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services in fault situations
  • performing a DPIA under GDPR 35 article
  • specific rules of procedure to ensure compliance with the GDPR and the Data Protection Act concerning data transfers or the processing of personal data for purposes other than the original purpose
  • other technical and organisational measures
  1. The draft proposal of the Data Protection Act entails a section 7 § that specifies the national leeway provided in GDPR article 10:
    1. processing personal data relating to criminal convictions and offences is allowed where the processing is necessary for the establishment, exercise, defence and deciding legal claims
    2. processing relates to:
      • processing of personal data of the insured or claimant within the operation of Insurance Companies in order to settle the Insurance Company’s liability
      • processing is necessary for the fulfilment of controller’s direct obligation under the law
      • processing relates to scientific or historical research or statistics

- The above-mentioned Data Protection Act section (6.2 §) on suitable and specific measures also applies to this section 7 §.

Last modified 16 Oct 2018
Transfer

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU - U.S. Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

  1. explicit informed consent has been obtained;
  2. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
  4. the transfer is necessary for important reasons of public interest;
  5. the transfer is necessary for the establishment, exercise or defence of legal claims;
  6. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
  7. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

The draft proposal of the Data Protection Act is silent on the matters relating to transfers of personal data, i.e Finland has decided not to use the marginal national leeway provided in GDPR 46 and 49 articles as per now.

Note: The current national general Personal Data Act (which will be repealed by the Data Protection Act) does, however, entails an obligation to notify the international transfer to the Data Protection Authority (“Tietosuojavaltuutettu”) in certain circumstances.

Last modified 16 Oct 2018
Security

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Apart from the above-mentioned section (6.2 §) of the draft proposal of the Data Protection Act relating to suitable and specific measures, the new Data Protection Act does not cover any direct additional requirements for processing security in the meaning of GDPR article 32.

However, the new draft proposal of the Data Protection Act does entail indirect sections concerning security in general, such as section 35 § on Confidentiality Requirement and the amendment of the Finnish Criminal Code (1889/39) chapter 38 section 9 introducing a new “data protection crime” punishable by fines or max. 1 year of imprisonment. This data protection crime is not overlapping with the administrative sanctions under GDPR. The prosecutor must also consult the Data Protection Ombudsman before filing a charge for data protection crime.

Last modified 16 Oct 2018
Breach Notification

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A "personal data breach" is a wide concept, defined as any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

As per now, Finland has opted not to use the national leeway provided in GDPR article 34 in the draft proposal of the Data Protection Act.

However, the national special legislation entails some data breach notification obligations. For instance, a TeleCom company is under the Finnish Information Society Code (2014/917) sections 274-275 § obliged to inform Finnish Communications Regulatory Authority (FICORA), the subscribers and users without undue delay of any significant data breach that prevents or significantly interferes communication services. In addition, the Act Strong Electronic Identification and Electronic Signatures (2009/617) section 16 § stipulates that The identification service provider shall notify, without any undue delay, service providers using its services, identification device holders and the Finnish
Communications Regulatory Authority of severe risks and threats to its data security.

Last modified 16 Oct 2018
Enforcement

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

  • the basic principles for processing including conditions for consent;
  • data subjects’ rights;
  • international transfer restrictions;
  • any obligations imposed by Member State law for special cases such as processing employee data; and
  • certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

  • obligations of controllers and processors, including security and data breach notification obligations;
  • obligations of certification bodies; and
  • obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

  • any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
  • data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

Note: the national Data Protection Board under the current Personal Data Act will cease to exist and will be replaced by an Expert Committee that has smaller jurisdiction. It only provides statements upon the request from the Data Protection Ombudsman for significant questions related to data processing.

Penalty payment

  • The Data Protection Ombudsman may issue a penalty payment as an intensifier of any decision taken under GDPR 58(2) article subsections c)-g) and j) or based on the Ombudsmans right to receive, free of charge, all the necessary information required for the performance of his duties regardless of the Confidentiality Requirement in chapter 6 section 35 §. (chapter 3 section 18 §). The issuing and convicting a penalty payment shall be governed by the Act on Penalty Payment (1900/1113).
    Appeal
  • The decision of the Data Protection Ombudsman is eligible for appeal to Administrative Court as stipulated in the Act on Administration of Administrative Law (1996/586). (chapter 4 section 23 §).
  • The decision of the Administrative Court is eligible for appeal only if the Supreme Administrative Court grants a leave to appeal. The Data Protection Ombudsman shall also have the right for appeal to the Supreme Administrative Court. (chapter 4 section 23 §).
  • Any decision of the Data Protection Ombudsman (other than one concerning administrative fines) may entail a decree stating that the decision must be obeyed regardless of any appeal process, unless the appellate authority rule otherwise. (chapter 4 section 23 §).
    Commission decisions
  • If the Data Protection Ombudsman deems necessary to, concerning a pending issue, settle whether the EU commissions adequacy decision under GDPR article 45 is in accordance with the GDPR, The Ombudsman may file a petition to the Helsinki Administrative Court. The decision of the Helsinki Administrative Court may be appealed, if the Supreme Administrative Court grants a leave to appeal. (chapter 4 section 24 §)
    Administrative Fines (chapter 4 section 25 §)
  • An administrative fine in accordance with GDPR 83 article can be issued for violations of GDPR 10 article pursuant to GDPR 83(5) and this (Data Protection) Act
  • Administrative fines cannot be issued to the Office of the President of the Republic, State Authorities, state-owned businesses/state-owned companies, local authorities, independent institutions under public law or Parliament offices.
  • Administrative fines cannot be issued after 10 years has passed since the offence or neglect has occurred
  • The Enforcement of the Administrative Fines shall be governed by the Act on Enforcement of Fines (2002/672)
    Penal Provisions (chapter 4 section 26 §)
  • The penalty for Data Protection Crime (completely new section that shall be incorporated to the Finnish Criminal Code due to the draft proposal of the Data Protection Act) will be governed by chapter 38 section 9 § of the Criminal Code.
  • The penalty for Message Interception and Aggravated Message Interception shall (still) be governed by chapter 38 section 3 and 4 § of the Criminal Code.
  • The penalty for Computer Break-In and Aggravated Computer Break-In shall (still) be governed by chapter 38 sections 8 and 8 a § of the Criminal Code.
  • The penalty for the breach of the Confidentiality Requirement under sections 35 § and 36 § (“protection of the “whistleblower”) of this Data Protection Act shall be governed by chapter 38 sections 1 and 2 § of the Criminal Code (secrecy offence and secrecy violation)
  • The Prosecutor shall be obliged to hear the Data Protection Ombudsman before pressing charges for the crimes mentioned above. The Court shall also be obliged to reserve the Data Protection Ombudsman an opportunity to be heard
Last modified 16 Oct 2018
Electronic Marketing

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47).   Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation, a change which is currently forecast for Spring 2019. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The Information Society Code regulates direct marketing by electronic means in Finland. The Data Protection Ombudsman is the supervising authority also in compliance issues with the Information Society Code’s provisions concerning direct marketing. 

Direct marketing to natural persons is only allowed by means of automated calling systems, facsimile machines, or email, text, voice, sound or image messages and only if the natural person has given his/her prior consent to it. Direct marketing using other means is allowed if the natural person has not specifically forbidden it. If, however, a service provider receives an email address, number or other contact information in relation to the sale of product or service, the service provider may normally use this contact information to directly market the service providers own products or services belonging to the same product group or that are otherwise similar to the natural person in question. The natural person must be able to easily and at no charge forbid any direct marketing and the service provider must clearly inform the natural person of that possibility. 

A service provider may use direct marketing with legal persons unless they have specifically forbidden it. As with natural persons, legal persons must also be able to easily and at no charge forbid any direct marketing and the service provider must clearly inform the legal person of that possibility. In addition, telecommunications operators and corporate or association subscribers are entitled, at a user’s request, to prevent the reception of direct marketing. 

The Data Protection Ombudsman and the Finnish Customer Marketing Association have given their interpretations on B2B direct marketing using a legal person’s general contact information, such as an email address (e.g. info@company.com). If the B2B direct marketing is sent to a legal person’s employee’s personal work email (fistname.lastname@company.com), the person’s prior consent is required unless the marketed product or service is substantially related to the person’s work duties based on the person’s job description. 

Email, text, voice, sound or image message sent for the purpose of direct marketing must be clearly and unmistakably be recognised as direct marketing. It is forbidden to send such a direct marketing message that:

  • Disguises or conceals the identity of the sender on whose behalf the communication is made

  • Is without a valid address to which the recipient may send a request that such communications be ended

  • Solicits recipients to visit websites that contravene with the provisions of the Consumer Protection Act 20.1.1978/38 (Kuluttajansuojalaki). 

If any processing of personal data is involved in the electronic direct marketing, the provisions of the Act will also apply. This means that the data subject may prohibit the use of his/her personal data for advertising or marketing purposes, and that the personal data may only be collected into a data file in accordance with the provisions of the Act.

Last modified 16 Oct 2018
Online Privacy

The Information Society Code regulates online privacy matters such as the use of cookies and location data.

Cookies

A service provider is allowed to save cookies and other data in a user’s terminal device, as well as use such data, only with the consent of the user. The consent can be given via web browser or other applicable settings. The service provider must also give the user clear and complete information on the purposes of use of cookies. 

However, the above restrictions do not apply to use of cookies only for the purpose of enabling the transmission of messages in communications networks or which is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

Location Data

The location data associated with a natural person can be processed for the purpose of offering and using added value services, if:

  • The user or subscriber, whose data is in question, has given his/her consent

  • If the consent is otherwise clear from the context, or

  • Is otherwise provided by law. 

In general, location data may only be processed to the extent necessary for the purpose of processing and it may not limit the privacy any more than absolutely necessary. 

The value added service provided shall ensure that: 

  • The user or subscriber located has easy and constant access to specific and accurate information on his/her location data processed, purpose and duration of its use and if the location data will be disclosed to a third party for the purpose of providing the services

  • The above mentioned information is available and accessible to the user or subscriber prior him/her giving his/her consent

  • The user or subscriber has the possibility to easily and at no separate charge cancel the consent and ban the processing of his/her location data (if technically feasible). 

The user or subscriber is entitled to receive the location data and other traffic data showing the location of his/her terminal device from the value added service provider or the communications provider at any time.

Last modified 16 Oct 2018
Contacts
Markus Oksanen
Markus Oksanen
Partner
T +358 9 4176 0431
Last modified 16 Oct 2018