Finland applies the General Data Protection Regulation (GDPR) directly as EU law, supplemented by the national Data Protection Act (Tietosuojalaki, Act 1050/2018), which fills gaps and adapts certain provisions to the Finnish context. For international businesses operating in Finland - whether through a local entity, a digital service targeting Finnish users, or cross-border data flows - the compliance burden is concrete and enforceable. The Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) has demonstrated a clear willingness to investigate complaints and impose administrative fines. This article covers the legal framework, key obligations, enforcement mechanics, cross-border transfer rules, and practical risk management strategies that any business with a Finnish data footprint needs to understand.
The Finnish legal framework: GDPR, the Data Protection Act, and sector-specific rules
The GDPR is the primary instrument governing personal data processing in Finland. It applies directly to any controller or processor established in Finland, and to organisations outside the EU that target Finnish residents or monitor their behaviour. The Data Protection Act (Act 1050/2018) supplements the GDPR in areas where member states retain discretion - most notably in relation to the processing of special categories of data, the age of digital consent, and the powers of the supervisory authority.
Under Section 5 of the Data Protection Act, the age at which a child can independently consent to information society services is set at 13 years. This is lower than the GDPR's default of 16, but controllers must still implement age-verification mechanisms that are proportionate and technically reliable. A common mistake among international platforms is assuming that a simple self-declaration of age satisfies Finnish requirements - in practice, the Ombudsman expects a documented assessment of the verification method's adequacy.
Sector-specific rules layer additional obligations on top of the GDPR baseline. The Act on Electronic Communications Services (Sähköisen viestinnän palvelulaki, Act 917/2014) governs cookies, electronic marketing, and confidentiality of communications. The Act on the Openness of Government Activities (Julkisuuslaki, Act 621/1999) creates specific transparency obligations for public-sector controllers. Healthcare data is subject to the Act on the Status and Rights of Patients (Potilaslaki, Act 785/1992) and the Act on Electronic Processing of Client Data in Healthcare (Act 784/2021), both of which impose strict access-logging and retention requirements.
Employment data processing is addressed in the Act on the Protection of Privacy in Working Life (Työelämän tietosuojalaki, Act 759/2004). This act restricts employers from collecting health, financial, and personal background data on employees and job applicants beyond what is strictly necessary. International employers frequently underestimate the scope of this restriction, particularly when deploying global HR platforms that collect broad employee profiles by default.
The interplay between these instruments means that a Finnish compliance programme cannot rely on a generic EU GDPR policy alone. Each processing activity must be mapped against the relevant sector act to identify whether additional conditions, restrictions, or procedural requirements apply.
The Finnish Data Protection Ombudsman: powers, enforcement, and investigation process
The Tietosuojavaltuutettu (Finnish Data Protection Ombudsman) is the independent supervisory authority established under Article 51 of the GDPR and Section 8 of the Data Protection Act. It operates within the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) and has the full range of investigative and corrective powers granted by Article 58 of the GDPR.
The Ombudsman can initiate investigations on its own initiative or following a complaint. Complaints from data subjects are processed without charge. The authority has the power to order controllers to bring processing into compliance, to impose temporary or permanent bans on processing, and to impose administrative fines. Under Section 24 of the Data Protection Act, administrative fines are formally imposed by the Sanctions Board (seuraamuskollegio) of the Office, composed of the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen; the same section exempts state and municipal authorities and certain other public bodies from administrative fines. Fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements under Article 83(5) of the GDPR.
In practice, the Ombudsman's investigation process typically begins with a written request for information. Controllers are given a deadline - usually 30 to 60 days - to submit documentation, including records of processing activities, data protection impact assessments, and evidence of technical and organisational measures. Failure to respond adequately within the deadline is itself treated as an aggravating factor. A non-obvious risk is that many international businesses route their Finnish operations through a parent company's legal team, which introduces delays and inconsistencies in responses that the Ombudsman interprets negatively.
The authority also handles prior consultation requests under Article 36 of the GDPR, where a data protection impact assessment (DPIA) indicates high residual risk. Controllers must submit the DPIA and await the Ombudsman's written opinion before commencing the processing activity. The Ombudsman has up to eight weeks to respond, extendable by a further six weeks for complex cases.
Finland participates in the GDPR's one-stop-shop mechanism. Where a controller's main establishment is in another EU member state, the lead supervisory authority of that state handles cross-border cases, with the Finnish Ombudsman acting as a concerned authority. However, where the Finnish Ombudsman identifies a local infringement affecting Finnish residents, it can act independently under Article 56(2) of the GDPR, particularly for complaints that relate solely to Finnish processing activities.
To receive a checklist for GDPR compliance documentation in Finland, send a request to info@vlolawfirm.com.
Lawful bases, consent mechanics, and records of processing in Finland
Every processing activity must rest on one of the six lawful bases listed in Article 6 of the GDPR. In Finland, consent (Article 6(1)(a)) and legitimate interests (Article 6(1)(f)) are the most frequently relied upon by private-sector controllers, but each carries distinct obligations and risks.
Consent under Finnish practice must meet the GDPR's standard of being freely given, specific, informed, and unambiguous. The Finnish Ombudsman has consistently taken the position that pre-ticked boxes, bundled consent, and consent obtained as a condition of service do not satisfy this standard. For cookie consent specifically, the authority aligns with the guidance of the European Data Protection Board (EDPB): a cookie wall that denies access to users who refuse non-essential cookies is not valid consent. Controllers operating Finnish websites must implement a consent management platform that records the timestamp, version of the privacy notice presented, and the specific purposes consented to.
Legitimate interests as a lawful basis requires a three-part balancing test: identifying the legitimate interest, demonstrating necessity, and confirming that the interest is not overridden by the data subject's rights. Finnish courts and the Ombudsman apply this test rigorously. A common mistake is treating legitimate interests as a catch-all basis when consent is difficult to obtain - the Ombudsman has rejected this approach in several published decisions involving direct marketing and employee monitoring.
Records of processing activities (RoPA) are mandatory under Article 30 of the GDPR for organisations with 250 or more employees, and for smaller organisations where processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data. In Finland, the Ombudsman expects RoPA to be maintained in a structured, up-to-date format and to be produced within a short timeframe upon request - typically within a few days. Controllers that maintain RoPA only at group level, without Finnish-specific entries, regularly fail this requirement.
Special categories of data - including health, biometric, genetic, trade union membership, and ethnic origin data - require an additional condition under Article 9 of the GDPR and, in Finland, under Section 6 of the Data Protection Act. Processing health data for employment purposes, for example, requires explicit consent or a specific legal obligation, and must be limited to what is strictly necessary. The Data Protection Act does not permit a general legitimate-interests basis for special category data.
Three practical scenarios illustrate the stakes:
- A Finnish e-commerce company collects browsing data for personalised advertising. Without a valid consent mechanism and a documented legitimate-interests assessment for analytics, it faces an investigation risk and potential fines in the low to mid hundreds of thousands of euros.
- A multinational employer deploys a global HR platform that collects health and financial data on Finnish employees by default. Without a Finnish-law review and configuration of data minimisation settings, it violates the Act on the Protection of Privacy in Working Life and the GDPR simultaneously.
- A SaaS provider established in Ireland targets Finnish business customers. Under the one-stop-shop mechanism, the Irish Data Protection Commission leads, but the Finnish Ombudsman can raise objections and, if unresolved, escalate to the EDPB dispute resolution process.
Data breach management: notification obligations and response timelines in Finland
A personal data breach is defined in Article 4(12) of the GDPR as a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In Finland, the notification obligations follow the GDPR's two-track structure: notification to the supervisory authority and, where required, notification to affected data subjects.
Controllers must notify the Finnish Data Protection Ombudsman of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, under Article 33 of the GDPR. A notification made after 72 hours must be accompanied by the reasons for the delay. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. Where the full picture is not yet available, Article 33(4) allows the information to be supplied in phases, so the 72-hour clock is not a reason to wait for the forensic investigation to finish. Article 33(5) also requires the controller to document every breach, including those assessed as not notifiable, so that the Ombudsman can later verify the assessment.
Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also notify affected data subjects directly under Article 34 of the GDPR. The threshold - 'high risk' - is assessed on a case-by-case basis. Breaches involving health data, financial credentials, or data that could enable identity theft typically meet this threshold. The Finnish Ombudsman has published guidance indicating that encryption of breached data can, in some circumstances, remove the obligation to notify data subjects, provided the encryption key was not also compromised.
Processors operating in Finland must notify the controller without undue delay upon becoming aware of a breach, under Article 33(2) of the GDPR. The processor's notification to the controller is a contractual and legal obligation, but the controller retains primary responsibility for notifying the Ombudsman. Data processing agreements (DPAs) governed by Finnish law must specify the processor's breach notification obligations, including a maximum internal notification deadline - typically 24 to 48 hours - to allow the controller to meet the 72-hour window.
The risk of inaction is significant. A controller that fails to notify the Ombudsman of a notifiable breach, or that notifies late without adequate justification, faces an administrative fine that can reach EUR 10 million or 2% of global turnover under Article 83(4) of the GDPR. In addition, the failure to notify data subjects of a high-risk breach can give rise to civil liability claims under Article 82 of the GDPR, which allows data subjects to seek compensation for material and non-material damage.
A non-obvious risk in Finland is the intersection of breach notification with the Act on Electronic Communications Services. Where a breach involves communications data - for example, a breach of an email service or messaging platform - the controller may have parallel notification obligations to the Finnish Transport and Communications Agency (Traficom) under that act, in addition to the GDPR notification to the Ombudsman. Missing the Traficom notification can result in separate administrative sanctions.
To receive a checklist for data breach response procedures in Finland, send a request to info@vlolawfirm.com.
Cross-border data transfers from Finland: legal mechanisms and practical compliance
Transferring personal data from Finland - or from any EU member state - to a third country outside the European Economic Area (EEA) requires a valid transfer mechanism under Chapter V of the GDPR. Finland does not maintain a separate national list of adequate countries; the European Commission's adequacy decisions apply directly.
Where an adequacy decision exists - currently covering countries including Japan, the United Kingdom, Canada (commercial organisations), and a small number of others, and, since the Commission's adequacy decision of 10 July 2023, US organisations certified under the EU-US Data Privacy Framework (DPF) - transfers can proceed without additional safeguards. Where no adequacy decision applies, controllers must rely on one of the appropriate safeguards listed in Article 46 of the GDPR. The most widely used mechanism for commercial transfers is the Standard Contractual Clauses (SCCs) adopted by the European Commission in June 2021.
The SCCs require a transfer impact assessment (TIA) before use. The TIA evaluates whether the legal framework of the destination country provides essentially equivalent protection to EU law, taking into account the laws governing government access to data, the availability of effective redress, and the practical enforcement record. In Finland, the Ombudsman expects controllers to document TIAs and to update them when the legal situation in the destination country changes materially. A common mistake is treating SCCs as a one-time administrative step rather than an ongoing compliance obligation.
Binding Corporate Rules (BCRs) are available for intra-group transfers and require approval by a lead supervisory authority. For a Finnish group, the Ombudsman can act as lead authority for BCR approval. The process is lengthy - typically 12 to 18 months - and involves detailed documentation of the group's data flows, governance structure, and enforcement mechanisms. BCRs are most cost-effective for large multinational groups with high volumes of intra-group transfers.
Derogations under Article 49 of the GDPR - such as explicit consent, necessity for contract performance, or important reasons of public interest - are available but are interpreted narrowly by the Finnish Ombudsman and the EDPB. They are not a substitute for SCCs or BCRs in the context of systematic, repetitive transfers.
Three scenarios illustrate the transfer compliance landscape:
- A Finnish company uses a US-based cloud provider for HR data. Unless the provider is certified under the EU-US Data Privacy Framework, it must execute SCCs with the provider, conduct a TIA covering US surveillance law, and implement supplementary measures - such as encryption with keys generated and held in the EEA - if the TIA reveals gaps. Encryption only counts as a supplementary measure if the provider never holds the key and never processes the data in clear; encryption performed by the provider with provider-managed keys does not close the gap.
- A Finnish subsidiary of a non-EEA group transfers customer data to the parent for global CRM purposes. Without BCRs or SCCs in place, this transfer is unlawful regardless of the group's internal data governance policies.
- A Finnish research institution transfers pseudonymised health data to a collaborating institution in a country without an adequacy decision. It must rely on SCCs, document the TIA, and consider whether additional technical safeguards are needed given the sensitivity of health data.
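The supplementary measure mentioned in the first scenario above (encryption with keys held in the EEA), and the breach-notification caveat from the earlier section (encrypted data is low-risk only if the key was not also compromised), both rest on the same engineering property: the provider stores ciphertext it cannot open. The Go program below is an added example written for this article, not code from the page's author or from any law firm or provider; it demonstrates application-layer AES-256-GCM encryption where the controller generates and keeps the key and the provider only ever receives ciphertext. The names NewKey, Encrypt, Decrypt and ProviderStore, the KMS/HSM assumption in the comments, and the sample HR record are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrAuthFailed is returned whenever the key, nonce, ciphertext, tag or associated
// data does not match: GCM rejects tampered or mis-keyed input instead of
// returning garbage plaintext.
var ErrAuthFailed = errors.New("decrypt: authentication failed")

// NewKey returns a fresh 256-bit AES key. Assumption for this example: in
// production the key is generated and held in a KMS/HSM operated in the EEA and
// is never shipped to the third-country provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted; binding it to the record identifier
// stops anyone from swapping one employee's blob for another's.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce travels with the record.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to the blob, or a wrong key or aad,
// yields ErrAuthFailed.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrAuthFailed
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, ErrAuthFailed
	}
	return pt, nil
}

// ProviderStore stands in for the third-country cloud provider: it keeps whatever
// bytes it is handed and can be asked whether those bytes expose a plaintext.
type ProviderStore struct{ objects map[string][]byte }

func NewProviderStore() *ProviderStore { return &ProviderStore{objects: map[string][]byte{}} }

func (p *ProviderStore) Put(id string, blob []byte) { p.objects[id] = append([]byte(nil), blob...) }

func (p *ProviderStore) Get(id string) ([]byte, bool) { b, ok := p.objects[id]; return b, ok }

// Exposes reports whether the provider, or anyone who breaches it, can read the
// given plaintext directly out of the stored object.
func (p *ProviderStore) Exposes(id string, plaintext []byte) bool {
	return bytes.Contains(p.objects[id], plaintext)
}

func main() {
	key, _ := NewKey() // controller-side key, stays in the EEA
	store := NewProviderStore()
	record := []byte("employee=12345;sick-leave=2024-03-04..2024-03-08") // constructed sample HR record
	aad := []byte("hr/employee/12345")

	blob, _ := Encrypt(key, record, aad)
	store.Put("hr/employee/12345", blob)
	fmt.Println("provider can read plaintext:", store.Exposes("hr/employee/12345", record))

	got, _ := store.Get("hr/employee/12345")
	pt, err := Decrypt(key, got, aad)
	fmt.Printf("controller decrypts: %q err=%v\n", pt, err)

	got[len(got)-1] ^= 0x01 // provider-side tampering with the tag
	_, err = Decrypt(key, got, aad)
	fmt.Println("tampered blob:", err)
}
```

The design point is the separation of roles: the provider holds the ciphertext and nothing else, so a breach on its side discloses no personal data as long as the key stays in the controller's custody, which is exactly the condition under which Article 34 notification to data subjects can be avoided. The authenticated associated data also means a breached or malicious provider cannot silently re-label records. What this example does not cover, and what a real deployment must add, is key custody and rotation in an EEA-hosted KMS or HSM and the fact that the provider cannot perform any server-side processing (search, indexing, analytics) on data it cannot read.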
The cost of non-compliance with transfer rules is not limited to fines. Where a transfer is found to be unlawful, the Ombudsman can order the controller to suspend the transfer, which can disrupt business operations significantly - particularly where the transfer underpins a core IT or HR system.
Data Protection Officers, DPIAs, and privacy by design in Finland
The Data Protection Officer (DPO) is a mandatory role under Article 37 of the GDPR for public authorities, for organisations whose core activities consist of large-scale regular and systematic monitoring of data subjects, and for organisations whose core activities consist of large-scale processing of special categories of data or criminal conviction data. In Finland, the Data Protection Act does not extend the mandatory DPO requirement beyond the GDPR's baseline, but the Ombudsman has encouraged voluntary appointment for organisations that process significant volumes of personal data.
The DPO must have expert knowledge of data protection law and practice, must be provided with the resources necessary to carry out their tasks, and must not receive instructions regarding the exercise of their tasks. Under Article 38(3) of the GDPR, the DPO cannot be dismissed or penalised for performing their duties. In Finland, this provision has been interpreted in employment disputes to mean that a DPO who is also an employee enjoys a degree of protection against dismissal that is additional to the general protections under the Employment Contracts Act (Työsopimuslaki, Act 55/2001).
A common mistake among international businesses is appointing a DPO who lacks genuine independence - for example, a legal counsel or IT manager who also has decision-making authority over data processing. The Finnish Ombudsman treats this as a structural compliance failure, not merely a formality. Where the DPO is based outside Finland, the controller must ensure that the DPO is accessible to Finnish data subjects and the Ombudsman, and that language barriers do not impede effective communication.
Data Protection Impact Assessments (DPIAs) are required under Article 35 of the GDPR before commencing processing that is likely to result in a high risk to data subjects. The Finnish Ombudsman has published a list of processing types that require a DPIA, which includes systematic profiling, large-scale processing of special categories of data, and the use of new technologies. The DPIA must describe the processing, assess necessity and proportionality, and identify and mitigate risks. Where residual risk remains high after mitigation, prior consultation with the Ombudsman is mandatory.
Privacy by design and by default, required under Article 25 of the GDPR, means that data protection must be integrated into the design of processing systems and business processes from the outset, not added as an afterthought. In Finland, the Ombudsman has used Article 25 as a basis for findings against controllers who deployed systems with privacy-invasive default settings - for example, analytics platforms configured to collect maximum data by default, requiring users to opt out. The cost of retrofitting privacy controls into an existing system is typically far higher than building them in from the start.
Many underappreciate the practical implications of privacy by design for procurement decisions. When a Finnish company purchases a software product or cloud service, it must assess whether the product's default configuration meets GDPR requirements. If it does not, the company must either configure it appropriately or seek a different solution. This assessment should be part of the procurement process, not a post-implementation review.
To receive a checklist for DPO appointment and DPIA procedures in Finland, send a request to info@vlolawfirm.com.
FAQ
What are the most significant practical risks for a foreign company processing Finnish residents' data without a local legal entity?
A foreign company that targets Finnish residents or monitors their behaviour falls within the GDPR's territorial scope under Article 3(2), regardless of where it is established. It must designate a representative in the EU under Article 27 of the GDPR unless it qualifies for an exemption - which is narrow and limited to occasional, low-risk processing. Without a representative, the Finnish Ombudsman can still investigate and impose fines, but enforcement of payment against a non-EEA entity requires separate legal proceedings. The practical risk is that non-compliance is discovered through a complaint from a Finnish data subject, triggering an investigation that the company is poorly positioned to respond to without local legal support. Appointing a representative and establishing a basic compliance framework before entering the Finnish market is significantly less costly than responding to an enforcement action.
How long does a Finnish data protection investigation typically take, and what are the financial consequences of an adverse finding?
The duration of an investigation by the Finnish Data Protection Ombudsman varies considerably depending on complexity. Straightforward complaint-based investigations can conclude within three to six months. Complex cases involving large organisations, multiple processing activities, or cross-border elements can take one to two years. During this period, the controller must respond to information requests, produce documentation, and potentially engage in consultations with the authority. Legal costs for responding to an investigation typically start from the low tens of thousands of euros for a simple case and can reach the mid to high hundreds of thousands for complex matters. Administrative fines, if imposed, are separate from legal costs. The Ombudsman considers the controller's cooperation, the steps taken to remediate the breach, and the financial capacity of the organisation when setting the fine amount.
When should a business choose to rely on legitimate interests rather than consent as a lawful basis for processing in Finland?
Legitimate interests is appropriate where the processing is genuinely necessary for a purpose that a reasonable person would expect, and where the controller's interest is not overridden by the data subject's rights. It is well-suited to fraud prevention, network security, and certain direct marketing activities directed at existing customers. It is not appropriate where the processing involves special categories of data, where the data subject would not reasonably anticipate the processing, or where the power imbalance between controller and data subject - such as in an employment context - makes it difficult to argue that interests are balanced. In Finland, the Ombudsman scrutinises legitimate-interests assessments carefully and expects them to be documented in writing before the processing commences. Where there is genuine uncertainty about which basis applies, consent provides a cleaner audit trail, but it introduces the risk that withdrawal of consent disrupts the processing activity.
Conclusion
Data protection compliance in Finland requires a layered approach: the GDPR sets the baseline, the Data Protection Act and sector-specific legislation add Finnish-specific requirements, and the Ombudsman enforces both with increasing rigour. For international businesses, the key risks are inadequate consent mechanisms, undocumented transfer safeguards, missing or ineffective DPO arrangements, and slow breach response. Each of these risks carries a concrete financial and operational cost that is disproportionate to the investment required for proactive compliance. A structured compliance programme, reviewed regularly against the Ombudsman's published guidance and EDPB opinions, is the most cost-effective approach.
Our law firm VLO Law Firm has experience supporting clients in Finland on data protection and privacy matters. We can assist with GDPR compliance audits, DPO advisory, data breach response, cross-border transfer structuring, and representation before the Finnish Data Protection Ombudsman. To receive a consultation, contact: info@vlolawfirm.com.