Finland

Overview

Stage of legislative progress 
Eg. pre-consultation, in consultation

A Working Group set up by the Ministry of Justice has given a proposal on a new Data Protection Act. The role of the Working Group was to assess whether there is a need for a general data protection law and to prepare a proposal for such a law, if necessary. The proposal is not a formal government proposal.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The new Data Protection Act will abrogate the current Personal Data Act. It is still unclear how the GDPR will affect several hundred currently applicable special laws on data protection.

Timescale for implementation 
Eg. pre-consultation, in consultation

The consultation phase of the Working Group's proposal ran until 8 September 2017. It is expected that a formal government proposal on the new Data Protection Act will be submitted to the Parliament in autumn 2017 or during early spring 2018. When it comes to special laws on data protection, the responsible Ministries will lead the preparation of relevant amendments to currently applicable laws. More detailed information is expected in late 2017.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Currently, only limited provisions of the Personal Data Act apply to the processing of personal data for purposes of journalism or artistic or literary expression. The Working Group has proposed that the current approach would be upheld in the new Data Protection Act. This would require some limitations to the rights of data subjects.

Penalties

The Working Group has proposed that administrative fines would be supplemented with criminal sanctions in cases where fines are not available. The Working Group has also proposed establishing a new Sanctions Board under the Data Protection Authority which would be responsible for imposing administrative fines.


Areas where Member States may have local laws:

Professional secrecy 

The Working Group has proposed that the scope of current secrecy obligations set in the Personal Data Act would be extended to professional secrecy.

Scientific, historical or statistical purposes 

The Working Group proposal includes provisions on processing for scientific, historical or statistical purposes. The proposal provides derogations and safeguards in accordance with Article 89 GDPR. As such, these are not new rules in Finland but mostly already applicable law under the Personal Data Act. This means that processing for scientific, historical or statistical purposes is permissible as long as the safeguards in Article 89 GDPR and under the new Data Protection Act are met.

Employment

The Working Group proposal does not as such cover privacy in employment. Based on its research, the Working Group considers that the current Act on the Protection of Privacy in Working Life is in line with the GDPR. However, the responsible Ministry may suggest amendments.

Personal data of deceased persons 

The Working Group has proposed that the new Data Protection Act would not be applicable to processing personal data of deceased persons.

Children online (in relation to the offering of information society services)

The Working Group has proposed that the age limit for consent be either 15 or 13 years.

The decision will be based on the comments received during the consultation phase. The Working Group will also consider the age limit that the majority of other Member States or Nordic countries decide on.

Special rules for special categories of data

The Working Group has proposed a special permission for insurance companies to process special categories of personal data as well as data related to criminal convictions and offences for the purposes of clarifying their liabilities. Insurance companies do not have the right to process genetic data.

Genetic, biometric or health data

The Ministry of Social Affairs and Health is responsible for this area and has prepared two legislative proposals.

First, there is a proposal on a new Act on the Electronic Processing of Client Data in Social and Health Care Services. This proposal is meant to abrogate the current Act. The proposal has taken into consideration the GDPR requirements.

Second, there is a proposal on Secure Utilisation of Client Data in Social and Health Care. The purpose is to set rules and requirements for utilization (processing) of health data for statistical, research and development purposes and to ease permission procedures. The proposal will bring the rules into line with the GDPR.

Designation of a Data Protection Officer

The Working Group has proposed an obligation of secrecy for DPOs to be included in the new Data Protection Act.

National identification numbers/any other identifier of general application

The Working Group has proposed that the current provisions concerning processing of the Personal Identity Code (PIC) set in the Personal Data Act would be upheld in the Data Protection Act. The Working Group has proposed that the PIC may be processed with explicit consent from the data subject or when it is important to unequivocally identify the data subject for compliance with a legal obligation, carrying out rights and responsibilities of the data subject or the controller, or for the purposes of scientific or historical research or for statistical purposes.


Other:

Any other areas under discussion

n/a