Stage of legislative progress 
E.g. pre-consultation, in consultation

The Finnish Parliament approved the Data Protection Act on November 13th 2018. The Act came into force on January 1st 2019.

Approach to implementation 
E.g. amendments to existing law, total repeal of old laws

The Data Protection Act abrogates the previous Personal Data Act. 

The impact that the GDPR has on several hundred sectoral laws, including specific rules on data protection, is still under review or being prepared.

Timescale for implementation 
E.g. pre-consultation, in consultation

Originally, the Data Protection Act was intended to come into force on the same day as the GDPR, on May 25th 2018. On May 9th 2018, the Parliament's Constitutional Law Committee stated that this deadline was too tight and the parliamentary process would need more time. After several discussions in various Parliamentary committees, the Parliament plenary meeting approved the Data Protection Act on November 13th 2018. The Act came into force on January 1st 2019 after approval by the President and publication in the Official Gazette.

Areas where Member States must have local laws:

Personal data and freedom of expression 

According to Section 27 of the Data Protection Act only limited provisions of the GDPR apply to the processing of personal data for the purposes of journalism or academic, artistic or literary expression.

This approach upholds the situation as it was under the abrogated Personal Data Act. 


Regarding infringements of the GDPR and the Data Protection Act which are not subject to GDPR administrative fines, the Act refers to the Criminal Code. The Criminal Code includes provisions on data protection offences, message interceptions, aggravated message interceptions, computer break-ins, aggravated computer break-ins, secrecy offences and secrecy violations.

Additionally, the Data Protection Act states that administrative fines pursuant to Article 83 of the GDPR will be imposed by a three-member board consisting of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. Administrative fines may also be imposed for the breach of Article 10 of the GDPR.

The Act also limits the imposition of administrative fines: they may not be imposed if more than 10 years have passed since the breach or the failure to adhere. Administrative fines cannot be imposed on a state authority, a state-owned company, a municipal authority, the entities of the Evangelical Lutheran or Orthodox Church, independent public law service providers (such as universities), government agencies or the Office of the President of the Republic of Finland.

Areas where Member States may have local laws:

Professional secrecy 

The scope of the secrecy obligations set in the Data Protection Act includes information regarding characteristics of a person, personal circumstances, economic situation and trade secrets. Any person who has obtained this kind of information while performing data processing activities shall not unlawfully disclose such information to a third party, nor use it for his/her own benefit or for the benefit or detriment of another person.

According to the Data Protection Act, the Data Protection Ombudsman has free access to the information necessary for the performance of his duties, irrespective of the obligations of secrecy.

Scientific, historical or statistical purposes 

The Data Protection Act includes derogations and safeguards in accordance with Article 89 of the GDPR. These mostly carry forward rules which already applied under the Personal Data Act. Processing for scientific, historical or statistical purposes is permissible as long as the safeguards in the Data Protection Act are met.


Section 30 of the Data Protection Act states that privacy in the employment context is covered by the Act on the Protection of Privacy at Work. The Ministry of Economic Affairs and Employment suggested a few changes to the current act for it to comply with the GDPR. The government proposals for changes to the Act on the Protection of Privacy at Work and the Act on Checking the Criminal Background of Persons Working with Children were presented to the Parliament on July 13th 2018 and the Parliament approved the changes on February 7th 2019. The changes came into force on April 1st 2019.

Personal data of deceased persons 

The Data Protection Act does not apply to the processing of personal data of deceased persons.

Children online (in relation to the offering of information society services)

The age of consent for offering information society services, such as social media services, has been set at 13 years in the Data Protection Act. 

Special rules for special categories of data

Sections 6 and 7 of the Data Protection Act provide exceptions where Article 9(1) of the GDPR is not applicable. There are three particularly relevant special permissions:

1. Special permission to process special categories of personal data for insurance companies for the purposes of clarifying their liabilities.

2. Special permission for processing of data related to criminal convictions and offences for the purposes of legal proceedings.

3. Special permission to process special categories of personal data for the purposes of historical or scientific research and statistical purposes.

According to the Data Protection Act, when processing special categories of data, the controller and the processor must take appropriate and specific steps to ensure the protection of the rights of the data subject. A few of these steps have been singled out in Section 6, such as pseudonymisation and encryption. The list of appropriate steps is, however, not exhaustive or mandatory; the entity processing the data must evaluate for itself what is reasonable.

Genetic, biometric or health data

The Ministry of Social Affairs and Health is responsible for this area and prepared two legislative proposals:

1. Government proposal for the new Act on the Electronic Processing of Customer Data in Social and Health Care Services. This is meant to abrogate the current Act. The proposal has taken into consideration the GDPR requirements. The government proposal was presented to the Parliament on December 5th 2018 and is currently under review in the Parliamentary committees.

2. Government proposal for the Act on Secondary Use of Health and Social Data was presented to the Parliament on October 26th 2017 and the Parliament approved the Act on March 13th 2019. It has not yet been confirmed when the Act will come into force. The Act sets rules and requirements for use (processing) of health data for statistical, research and development purposes and to ease permission procedures. The proposal brought the rules in line with the GDPR.

Designation of a Data Protection Officer

There are obligations to appoint a Data Protection Officer under the Act on Electronic Prescription and the current Act on the Electronic Processing of Customer Data in Social and Health Care Services. This obligation applies, inter alia, to pharmacies, health care service providers and the Social Insurance Institution of Finland.

An obligation of secrecy for DPOs is included in the Data Protection Act.

National identification numbers/any other identifier of general application

Under the Data Protection Act, a Personal Identification Code (PIC) may be processed with the explicit consent of the data subject or when it is important to unequivocally identify the data subject for the purposes provided by law or for carrying out an assignment prescribed by law. Processing is also allowed for carrying out rights and responsibilities of the data subject or the controller, or for purposes of scientific or historical research or for statistical purposes. The PIC may also be processed for certain additional purposes listed in the Data Protection Act, such as granting credit or collecting receivables in insurance, credit, payment service, loan and rental activities, as well as for the purposes of providing health care and social welfare services.


Any other areas under discussion

Under the Data Protection Act, the Data Protection Ombudsman remains as the national data protection authority and supervises the entire field of data protection in Finland.

The former Data Protection Board is abolished by the Data Protection Act. In the future, an expert board shall be active in connection with the Data Protection Ombudsman's office and shall give expert opinions on matters relating to data protection legislation at the request of the Ombudsman, but the board will not have decision-making powers.