Hanes snellman attorneys Ltd
Eteläranta 8/P.o. box 333, 00130 Helsinki, Finland
A member of the European Union, Finland implemented the EU Data Protection Directive
95/46/EC in June 1999 with the Personal Data Act 523/1999 (“Act”).
Definition of Personal Data
Pursuant to the Act, “personal data” means any information on a private individual and any information on his or her personal characteristics or personal circumstances where these are identifiable as concerning him or her or the members of his or her family or household.
Definition of Sensitive Personal Data
Pursuant to the Act, “sensitive personal data” means personal data that relates to or is intended to relate to (a) race or ethnic origin; (b) the social, political or religious affiliation or trade union membership of a person; (c) criminal act, punishment or other criminal sanction; (d) the state of health, illness or handicap of a person or the treatment or other comparable measures directed at the person; (e) the sexual preferences or sex life of a person; or (f ) the social welfare needs of a person or the benefits, support or other social welfare assistance received by the person.
National Data Protection Authority
The Data Protection ombudsman
P.o. box 315
Albertinkatu 25 A, 3rd floor
There is no general obligation to register as a data controller under the Act. However, the data controllers shall make a notification to the Data Protection Ombudsman in certain situations. The notification shall be made if the processing of personal data is automated or the exemptions provided in the Act do not apply. Generally, the exemptions cover the majority of the general grounds for data processing. The duty of notification would concern e.g. the cases where the processing of personal data is outsourced or certain cases where personal data is transferred to outside the European Union or the European Economic Area or where the direct marketing is carried out.
However, pursuant to the Act, the data controller shall draw up a description of the personal data file, including the following information: (a) the name and address of the controller and, where necessary, those of the representative of the controller; (b) the purpose of processing
the personal data; (c) a description of the group or groups of data subjects and the data or data groups relating to them; (d) the regular destinations of disclosed data and whether data is transferred to countries outside the European Union or the European Economic Area; and
(e) a description of the principles in accordance to which the data file is secured.
The data controller shall keep the description of the file available to anyone apart from a few exceptions as set forth in the Act.
Data Protection Officers
There is no specific requirement in the Act for organizations to appoint a data protection officer. However, entities processing personal data should appoint a contact person in the description of the personal data file.
Collection and Processing
Data controllers may collect and process personal data when any of the following conditions are met:
■ The data subject has given his or her unambiguous consent for processing;
■ the data subject has given an assignment for processing, or this is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
■ processing is necessary, in an individual case, in order to protect the vital interests of the data
■ processing is based on the provisions of an Act, or it is necessary for compliance with a task or obligation to which the data controller is bound by virtue of an Act, or an order issued on the basis of an Act;
■ There is a relevant connection between the data subject and the operations of the controller, because the data subject is a client or a member of, or in the service of, the controller or there is a comparable relationship between the two (connection requirement);
■ The data relates to the clients or the employees of a group of companies or another comparable economic group, and they are processed within the said group;
■ processing is necessary for purposes of payment traffic, computing or other comparable tasks
Undertaken on the assignment of the data controller;
■ the matter concerns generally available data on the status, duties or performance of a person in a public corporation or business, and the data is processed in order to safeguard the rights and interests of the data controller or a third party receiving the data; or
■ The Data Protection Board has granted a permission for the processing of personal data in accordance with the Act.
There are separate requirements in the Act for the processing of sensitive personal data and the personal identity number. Further, in addition to these grounds, there are some specific purposes where the personal data may be processed such as historical, scientific or statistical purposes.
The purposes for the processing of personal data shall be defined in advance and personal data must not be processed in a manner incompatible with the defined purposes. Personal data shall only be processed to the extent necessary for the purposes of processing.
When collecting personal data, the data controller shall ensure that the data subject can have information on the data controller, on the purpose of the processing of the personal data, on the regular destinations of disclosed data, as well as on how to proceed in order to make use of the rights of the data subject in respect to the processing operation in question.
The data controllers may transfer personal data out of the European Union and the European
Economic Area if any of the following conditions are met:
■ the data subject has given his or her unambiguous consent to the transfer;
■ the data subject has given an assignment for the transfer, or it is necessary in order to perform a contract to which the data subject is a party or in order to take steps at the request
of the data subject before entering into a contract;
■ the transfer is necessary in order to make or perform an agreement between the data controller and a third party and in the interest of the data subject;
■ the transfer is necessary in order to protect the vital interests of the data subject;
■ the transfer is necessary or required by law in order to secure an important public interest or for purposes of drafting or filing a lawsuit or for responding to or deciding such a lawsuit;
■ the transfer is made from a file, from which data may be disclosed either generally of for special reasons as expressly prescribed by law;
■ the data controller, by means of contractual terms or otherwise, gives adequate guarantees of the protection of the privacy and the rights of individuals, and the European Commission has not found, pursuant to Articles 3 and 26(3) of the Data Protection Directive, that the guarantees are inadequate; or
■ the transfer is made by using standard contractual clauses as adopted by the European
Commission in accordance with Article 26(4) of the Data Protection Directive.
Transfer of a data subject’s personal data to non EU/European Economic Area countries is also allowed if the countries provide adequate levels of data protection as found by the European Commission, or if the level of data protection is sufficiently guaranteed by the data controller which are to be reviewed by the Data Protection Ombudsman.
For transfer of data to the United States, compliance with the US/EU Safe Harbor principles satisfies the requirements of the Finnish transfer provisions.
The controller shall carry out the technical and organizational measures necessary for securing personal data against unauthorized access, against accidental or unlawful destruction, manipulation, disclosure and transfer and against other unlawful processing. The techniques available, the associated costs, the quality, quantity and age of the data, as well as the significance of the processing to the protection of privacy shall be taken into account when carrying out the measures.
Anyone who operates on behalf of the data controller shall, before starting the processing of data, provide the data controller with appropriate commitments and other adequate guarantees of the data security.
There is no mandatory requirement in the Act to report data security breaches or losses to
The data subject or the data protection authorities (however, such obligations may be imposed on an entity elsewhere in legislation). However, the Data Protection Ombudsman or the Data Protection Board may instruct the data controller to take necessary actions and these may include informing the data subjects on the breach.
The Data Protection Ombudsman and the Data Protection Board are responsible for the enforcement of the Act.
The Data Protection Ombudsman provides direction and guidance on the processing of personal data and supervises the data processing. It also issues directions, advice and guidelines in order to cease and prevent unlawful conduct. Where necessary, the Data Protection Ombudsman shall refer the matter to be dealt with by the Data Protection Board, or report it for prosecution.
The Data Protection Board may, upon request made by the Data Protection Ombudsman (a) prohibit processing of personal data which is contrary to the Act or the rules and regulations issued on the basis of the Act; (b) compel the person concerned to remedy an instance of unlawful conduct or neglect; (c) order that the operations concerning processing of personal data be ceased if the unlawful conduct or neglect seriously compromise the protection of the privacy of the data subject or his or her interests or rights, provided that the personal data file is not set up under a statutory scheme; and (d) revoke a permission to process personal data which it has granted and where the prerequisites for processing are no longer fulfilled or the controller has failed to comply with the permission or the rules attached to it.
Failure to comply with the Act may result in criminal liability under the Finnish Penal Code
(38/1889) or the Act and be punished with fines or imprisonment in the maximum of one year.
Direct marketing by electronic means is regulated by the Finnish Act on the Protection of
Privacy in Electronic Communications 2004/516 (the “ECA”), which came into force on
1 September 2004. The Data Protection Ombudsman shall have the power to supervise the compliance with the provisions on direct marketing.
Pursuant to the ECA, direct marketing may only be directed to natural persons by means of automated calling systems, facsimile machines, or e-mail, text, voice, sound or image messages if they have given their prior consent. Direct marketing other than by electronic means is allowed if a natural person has not specifically prohibited it. However, where a service provider has obtained contact information of a natural person in the context of the sale of a product or service, that service provider may generally use this information for direct marketing of his/
Her own products of the same product group and of other similar products or services, unless
Prohibited by the natural person in question.
Direct marketing to legal persons is allowed if the recipient has not specifically prohibited it. Both natural persons and legal persons must be allowed to prohibit all direct marketing referred to above easily and at no charge. Telecommunications operators and corporate or association subscribers are entitled, at a user’s request, to prevent the reception of such direct marketing.
Under the ECA, there are additional requirements concerning the identification of direct marketing. Firstly, the recipient of an e-mail, text, voice, sound or image message sent for the purpose of direct marketing must be able to recognize such a message as marketing clearly and
Unambiguously. Secondly, it is prohibited to send such message intended for marketing that either conceals the identity of the sender, is without a valid address or solicits recipients to visit websites that contravene the provisions of the Consumer Protection Act.
Moreover, as there is likely to be processing of personal data involved in the electronic marketing, the provisions of the Personal Data Act (the “Act”) will be applicable. Generally, a data subject shall have a right to prohibit the controller from processing his/her personal data for direct advertising and other direct marketing. If such processing has not been prohibited by
the data subject, personal data may be collected into a personal data file kept for the purposes of direct marketing, if other requirements of the Act are met.
Online Privacy (Including Cookies and Location Data)
Online privacy matters such as cookies and location data are regulated by the Finnish Act on the Protection of Privacy in Electronic Communications 2004/516 (the “ECA”).
Cookies – The service provider may save cookies or other data in the user’s terminal device, if the user has given his/her consent thereto. The term “consent” is interpreted in the preliminary works of the law so that it may be given via browser or other application settings. Moreover, ECA requires that the service provider gives the user comprehensible and complete information on the purposes of saving or using such data. The saving and use of data is allowed only to the extent required for the service, and it may not limit the protection or privacy any more than is necessary.
However, the above mentioned provisions regarding saving and using of cookies do not apply to any processing of data which is intended solely for the purposes of enabling the transmission of messages or which is necessary for the service provider to be able to provide a service that has been specifically requested by the subscriber or user.
Location Data – Pursuant to the ECA, all messages, identification data and location data are confidential unless otherwise provided. Location data may be processed by telecom operators, value added service providers or corporate or association subscribers for the purpose of providing and using value added services. Such processing is allowed only to the extent required for the purpose of the processing, and it shall not limit the protection of privacy any more than is necessary.
Before beginning the processing of location data, the value added service provider or the corporate or association subscriber shall request service-specific consent from the party to be located, unless such consent is implied from the context or otherwise provided by law. It shall be ensured that the party to be located has both easy and continuous access to information on the location of the data processed and at no separate charge to cancel the consent.
A telecommunications operator shall have the right to process location data if the subscriber has
Not forbidden it. Before disclosing location data to a value added service provider or corporate
or association subscriber, the telecommunications operator shall take appropriate steps to
Ensure that the provision of such a value added service is based on the consent from the party to be located as stated above.