FINLAND

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

NAME

Tietosuojalaki

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

SPECIFYING REQUIREMENT: The age of consent for a child is 13 years old (Art 5 Finnish Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

SPECIFYING REQUIREMENT: Data concerning health may be processed in certain situations, such as for liability assessments conducted by insurance providers, anti-doping or sports for the disabled, or scientific, historical, or research purposes. In such instances, certain safeguards must be adopted (Art 6 Finnish Act).

Generally, a personal identity code (PIC) may only be processed based on a data subject's consent or if permitted by law. However, the Act provides additional circumstances where a PIC may be processed, such as to perform a task prescribed by law; to fulfill the rights or obligations of a data subject or controller; for historical, scientific, or research purposes; or for employment, debt collection, insurance, or payment purposes (Art 29 Finnish Act).

CCTV (ART 6)

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

INFORMATION OBLIGATION (ART 13 & 14)

SPECIFYING REQUIREMENT: Art 13 and 14 GDPR may be limited for reasons of national security, defense, public order, and security; for the prevention or detection of criminal offenses; or for fiscal purposes. Art 14 GDPR may also be limited in other instances (Art 33 Finnish Act).

A data subject has no right of access under Art 15 GDPR under certain circumstances, such as if providing the information could harm national security or the information is essential to safeguarding Finland’s or the EU’s financial interests (Art 34 Finnish Act).

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

No Deviation

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING REQUIREMENT: The Act creates an expert board within the SA. This five-member board issues opinions on issues related to the processing of personal data and the application of the Act (Art 12 and 17 Finnish Act).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING REQUIREMENT: Fines are determined by a three-member panel composed of the data protection ombudsman and two deputy ombudsmen. Administrative fines may not be imposed on public authorities or bodies. Enforcement of fines is governed by the Act on the Enforcement of Fines (672/2002) (Art 24 Finnish Act).

PENALTIES (ART 84)

SPECIFYING REQUIREMENT: The Finnish Penal Code has been amended to include provisions on data protection offenses related to the Act (Art 26 Finnish Act).

FREEDOM OF EXPRESSION AND INFORMATION (ART 85)

SPECIFYING REQUIREMENT: Derogations related to the processing of data for journalistic, academic, literary, or artistic expression purposes are provided (Art 27 Finnish Act).

HR PROCESSING (ART 88)

SPECIFYING REQUIREMENT: Processing of personal data in the workplace is governed by the Act on Protection of Privacy at Work (759/2004) (Art 30 Finnish Act).

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

SPECIFYING REQUIREMENT: When processing data for scientific or historical research purposes or statistical purposes, the rights under Art 15, 16, 18, and 21 GDPR may be limited if certain requirements are met (Art 31 Finnish Act).

When processing data for archiving purposes in the public interest, the rights under Art 15, 16, 18, and 21 GDPR may be limited if the conditions under Art 89(3) GDPR are met (Art 32 Finnish Act).

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

LOCAL DPA GUIDANCE & LEGAL SOURCES

Remarks

No Deviation