GDPR Guide to National Implementation: Finland - A practical guide to national GDPR compliance requirements across the EEA

White & Case LLP
Contact

White & Case LLP[author: Johanna Lilja, Roschier]

Finland

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

  • Finnish Data Protection Act (1050/2018) (the “Data Protection Act”)
    • Date in force: 1 January 2019
    • Link: In Finnish: see here
  • Act on Protection of Privacy in Working Life (759/2004) (the “Workplace Privacy Act”)
    • Date in force: 1 April 2019
    • Link: In Finnish: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full.

———

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

There are no specific rules governing this issue.

———

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

When processing personal data on the basis of Art. 6(1)(c) GDPR, exemptions can be made to the rights of the data subjects (Arts. 15-16 & 18-21 GDPR) in accordance with the requirements of Art. 89(3) GDPR.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

Personal data may be processed on the basis of Art. 6(1)(e) GDPR if:

  • it concerns information on the data subject’s position, assignments and the carrying out of such assignments in a public entity, business, third-sector organisation or comparable activity, insofar as the processing is in the public interest and is proportionate to the legitimate aim pursued;
  • the processing is necessary and proportionate for carrying out an authority’s task which is in the public interest;
  • the processing is necessary for scientific or historical research purposes or for statistical purposes, and it is proportionate to the public interest pursued; or
  • the processing is for archiving purposes of scientific data, material of cultural heritage or other such material containing personal data, and processing for such purposes is necessary and proportionate in relation to public interest pursued and to the data subject’s rights.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

See Q3(b) above.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

13 years of age.

———

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

The Workplace Privacy Act sets extensive restrictions on the processing of personal data in the context of employment. Unnecessary personal data of employees cannot be processed even with the employee’s consent. This includes data that constitutes or can be combined to constitute sensitive personal data.

———

b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Art. 9(1) GDPR is not applicable to:

  • the processing of information regarding membership of a labour union where such information is needed by the controller to comply with its specific rights and obligations under labour laws; or
  • when a provider of social services processes personal data that it has received as part of its operations in arranging or producing services or granting benefits, where such information concerns the health or disability status of the data subject, or the healthcare or rehabilitation services the data subject has received, or other information which is necessary for providing the service or granting benefits to the data subject.

In such cases, the Data Protection Act sets out certain safeguards that the controller must implement when processing such personal data.

(ii) Substantial public interest

There are no specific rules on processing this category of data.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

See Q5(b)(i) above.

(iv) Public interest in the area of public health

See Q5(b)(i) above.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

See Q5(b)(i) above.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

See Q5(b)(i) above. In addition, the Act on the Secondary Use of Health and Social Data sets out further requirements for the use of such data, and was accepted by the Finnish Parliament on 13 March 2019 and by the President of Finland on 26 April 2019.

———

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

The processing of personal data relating to criminal convictions and offences or related security measures is permitted in the following situations:

  • where the processing is necessary for establishment, exercise or defence of legal claims or by courts deciding on such claims;
  • where the processing is for scientific, historical or statistical research purposes and for insurance companies to define liability; and
  • where another statute or law permits such processing.

Criminal data of an employee may be processed on the grounds of the Security Clearance Act, the Act on Checking the Criminal Backgrounds of Persons Working with Children and the Act on Criminal Records.

———

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

The Data Protection Act provides exemptions with respect to the data subjects’ rights for the purposes of archiving in the public interest and scientific or historical purposes.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

Exemptions to a data subject’s right to be provided information may be permitted if:

  • it is necessary for the protection of national security, defence or public order or security;
  • it is necessary for the prevention or investigation of crime;
  • it is necessary for carrying out the monitoring function pertaining to taxation or the public finances; or
  • if providing the information would cause material detriment or damage to the data subject, and such data is not used in decision-making related to the data subject.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———

Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The following rules apply to a data subject’s right of access:

  • The data subject’s right to access may be restricted if:
    • providing access to the data could compromise national security, defence or public order or security, or hinder the prevention or investigation of crime;
    • providing access to the data would cause serious danger to the health or treatment of the data subject or to the rights of someone else; or
    • the personal data is used to carry out monitoring or inspection functions, and restricting access to the information is indispensable in order to safeguard an important economic interest of Finland or the EU.

If only a part of the data concerning the data subject is such that it falls within the restriction on the right of access provided in the first sub-section mentioned above, the data subject will have the right of access to the remainder of the data provided that:

  • the data subject must be informed of the reasons for restricting the access, unless it would compromise the purpose of the restriction; and
  • if the data subject is not provided with access to information that has been collected from them, information in accordance with Art. 15(1) GDPR must be provided to the relevant DPA upon the data subject’s request.

———

Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———

Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———

Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

When processing sensitive personal data, certain safeguards must be in place, including an Impact Assessment, for the following purposes:

  • processing health data when an insurance company determines its liability;
  • processing on the grounds of another statute or due to a controller’s obligations being laid down in another statute;
  • processing data concerning trade union memberships as an employer in order to meet obligations and exercise its rights regarding employment;
  • processing of patients’ health data or other data related to a patient’s treatment when a health care service provider provides or produces health care services;
  • processing customers’ health data or other necessary data when a service provider of social welfare provides services;
  • processing of genetic and health data for purposes of antidoping or in connection to passports;
  • processing for scientific and historical research and
  • statistical purposes; or
  • processing of research and cultural heritage data for archiving purposes in the public interest, excluding genetic data.

———

Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———

Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

When processing sensitive personal data for the purposes set out in Q11 above, certain safeguards must be in place, including the appointment of a DPO.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

The general secrecy obligations set out in the Data Protection Act apply to DPOs and information relating to characteristics, personal circumstances, economic situations and trade secrets.

———

Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———

Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Tietosuojavaltuutettu

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

The DPA has certain additional powers and tasks, giving it a broad general competence regarding data protection.

As an addition to investigative powers set out in Art. 58 GDPR, the DPA is entitled to obtain information which is necessary for the performance of its duties, irrespective of the obligations of secrecy.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Decisions of the DPA are subject to an appeal in the Administrative Court in accordance with provisions of the Administrative Judicial Procedure Act.

The Administrative Court’s decision is subject to appeal only if permission is granted by the Supreme Administrative Court.

The DPA’s decision may order compliance regardless of appeal, unless otherwise ordered by the appellate authority.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

The DPA can obtain information necessary for the performance of its duties, irrespective of obligations of secrecy.

———

Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———

Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

Administrative fines may not be imposed on Finnish public authorities, any other public body, the Evangelical Lutheran Church or the Orthodox Church of Finland.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

For those infringements of the GDPR or the Data Protection Act that are not subject to administrative fines, the Data Protection Act refers to the Criminal Code of Finland. Under the Criminal Code, certain breaches of the GDPR or Finnish national law may constitute a data protection offence, which is punishable by a fine or a maximum prison sentence of one year.

Further, under the Workplace Privacy Act, if an employer or a representative of the employer breaches an obligation or a restriction regarding processing personal data in the context of employment, a fine will be imposed on the employer, unless a more severe penalty is provided for in another statute.

———

Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

The Data Protection Act includes derogations for processing of personal data for the purpose of journalism or academic, artistic or literary expression.

See Q18(b) below for specific examples of derogations.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

Only a limited number of provisions of the GDPR apply to the processing of personal data for the purposes of journalism or academic, artistic or literary expression. Thus, when processing personal data solely for these purposes, Arts. 5(1)(c)-(e), 6-7, 9-10, 11(2), 12-22, 30, 34(1)-(3), 35-36, 56, 58(2)(f), 60-63 & 65-67 GDPR do not apply.

Further, Art. 27 GDPR does not apply to the processing of personal data which is within the meaning of “activities” in the Act on Freedom of Expression in Mass Media. Further, Arts. 44-50 GDPR do not apply if their application would infringe the right to freedom of expression and information.

When processing data for the purpose of journalism or for academic, artistic or literary expression, Arts. 5(1)(a)-(b), 5(2), 24-26, 39, 40, 42, 57-58, 64 & 70 GDPR only apply where appropriate.

———

Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

A personal identity number:

  • may be processed when the unambiguous consent of the data subject has been obtained, or when it is necessary to unambiguously identify the data subject:
    • in order to carry out a task set out in a statute;
    • in order to carry out the rights and duties of the data subject or the controller; or
    • for purposes of historical or scientific research or for statistical purposes;
  • may be processed in activities relating to the granting of credit and the collection of debt in the insurance, credit, renting and lending businesses, in credit data operations, in health care, in social welfare activities or other social services, and in matters relating to the civil service, employment and other service relationships and benefits relating to the same;
  • may be disclosed for the purposes of updating address information and preventing redundant postal traffic, provided that the personal identity number is already available to the recipient; and
  • the controller will ensure that the personal identity number is not unnecessarily included in hard copies, printed or drawn up from the personal data file.

———

Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

Under the Workplace Privacy Act, an employer is only permitted to process personal data which is directly necessary for the employee’s employment relationship in the following situations:

  • where it relates to the management of rights and obligations of the parties to the relationship;
  • where it relates to the benefits provided by the employer to the employee; or
  • where it arises from the special nature of the work concerned.

There are no exceptions to the necessity requirement, even with the employee’s consent.

Further, specific types of data and employee monitoring are subject to strict restrictions, for example, health data, employee emails, CCTV, and data relating to previous criminal convictions and offences.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

See Q20(a) above.

———

Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

The most significant derogations concern processing personal data in the context of employment. See Q20(a) above.

———

Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———

Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA has yet to take any material enforcement action for breaches of the GDPR.

———

Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has yet to issue any significant guidance.

———

[View source.]

Written by:

White & Case LLP
Contact
more
less

White & Case LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide