Data Privacy and GDPR Implementation in Finland
Finland’s Data Protection Act (1050/2018) is a Finnish data protection law that was passed in 2018. As Finland is a member of the European Union (EU), the Data Protection Act (1050/2018) was passed to implement the General Data Protection Regulation (GDPR) in Finnish law, in accordance with a provision in the EU’s GDPR law that allows member states to enact their own data protection legislation. To this end, the Data Protection Act (1050/2018), in conjunction with the EU’s GDPR law, sets forth the legal grounds upon which personal data may be collected and processed within Finland, as well as the potential punishments that data controllers and processors can face should they fail to comply with the law.
What are the differences between Finland’s Data Protection Act (1050/2018) and the EU’s GDPR law?
With respect to the requirements of data controllers and processors, the rights of data subjects, and the scope and application of the law, the provisions of the EU’s GDPR law remain largely unchanged in Finland’s Data Protection Act (1050/2018). However, there are some differences between the two laws as they relate to the legal basis for the processing of personal data in certain cases. As stated in Finland’s Data Protection Act (1050/2018), “Personal data may be processed in accordance with point (e) of Article 6(1) of the Data Protection Regulation if:”
- The data describe the position of a person, his or her duties or the performance of these duties in a public sector entity, business, and industry, activities of civil society organizations, or other corresponding activities, in so far as the objective of the processing is of public interest and the processing is proportionate to the legitimate aim pursued;
- The processing is proportionate and necessary for the performance of a task carried out in the public interest by an authority;
- The processing is necessary for scientific or historical research purposes or statistical purposes and it is proportionate to the aim of public interest pursued; or
- The processing of research material and cultural heritage material containing personal data and the processing of personal data included in their metadata for archiving purposes is necessary and proportionate to the aim of public interest pursued and to the rights of the data subject.
Additionally, the Data Protection Act (1050/2018) does not apply to the processing of special categories of personal data under certain circumstances. Such circumstances include data processing carried out concerning healthcare services, “the processing of data for scientific or historical research purposes or for statistical purposes”, and “the processing of data concerning health and of genetic data in the context of anti-doping work and sports for persons with disabilities, in so far as the processing of these data is necessary to enable anti-doping work or sports for persons with disabilities or long-term illness.” Likewise, personal data that is processed in the context of offering insurance-related services is also exempt from the provisions of the Data Protection Act (1050/2018).
Furthermore, the Data Protection Act (1050/2018) also varies from the EU’s GDPR law as it concerns the collection and processing of the personal data of children. Under the General Data Protection Regulation, the age of consent as it relates to the processing of children’s data is 18. By contrast, Finland’s Data Protection Act (1050/2018) states that “the processing of the personal data of the child is lawful where the child is at least 13 years old.” Consequently, while the processing of personal data for a child under the age of 18 would be considered unlawful in many other EU member states, the Data Protection Act (1050/2018) establishes a younger age for consent and, as such, different requirements as it pertains to compliance.
What are the punishments for violating Finland’s Data Protection Act (1050/2018)?
Finland’s Data Protection Act (1050/2018) is enforced by the Data Protection Ombudsman. Accordingly, data controllers and processors who operate within the country of Ireland face a number of sanctions and penalties should they violate the rights of Finnish citizens under the law. What’s more, the European Data Protection Board also has the authority to impose punishments against data controllers and processors operating within Finland, in accordance with the EU’s GDPR law. As such, the punishments that data controllers and processors within Finland stand to face should they violate either law include:
- A fine of up to 2% of global revenue for less serious offenses.
- A fine of up to 4% of global revenue for more serious offenses.
- Administrative fines issued by Finland’s Data Protection Ombudsman.
- Criminal liability.
Through the passing of Finland’s Data Protection Act (1050/2018) in accordance with the EU’s GDPR law, Finland was able to effectively guarantee the data protection and personal privacy rights of its citizens. These pieces of legislation ensure that data controllers and processors operating within Finland face steep punishments should they violate the rights of Finnish citizens under said laws. In this way, the European Union continues to serve as an international standard for the protection of personal data, as the legal framework of the General Data Protection Regulation ensures that personal data and privacy are protected at the highest level.