Finland

Overview

Stage of legislative progress 
Eg. pre-consultation, in consultation

The Finnish government proposal for a Data Protection Act was submitted to the Parliament of Finland on 1st March 2018. The government proposal is currently under discussion in the Parliament Committees.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The new Data Protection Act will abrogate the current Personal Data Act. It is still unclear how the GDPR will affect several hundred laws that currently include specific rules on data protection.

Timescale for implementation 
Eg. pre-consultation, in consultation

Originally, the proposed Data Protection Act was intended to come into force on the same day as the GDPR, on 25th May 2018. On 9th May 2018, the Parliament's Constitutional Law Committee stated that the above mentioned schedule was too tight and they needed more time for the parliamentary process. A new date is not confirmed yet.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Currently, only limited provisions of the Personal Data Act apply to the processing of personal data for purposes of journalism or academic, artistic or literary expression. The current approach is upheld in section 27 of the proposed Data Protection Act which defines the GDPR articles where the GDPR is not applicable for the purposes of journalism or academic, artistic or literary expression.

Penalties

The administrative fines pursuant to Article 83 may also be imposed for the breach of Article 10. The penalties cannot be imposed on Finnish public authorities.


Areas where Member States may have local laws:

Professional secrecy 

The current scope of the secrecy obligations set in the Personal Data Act is extended to professional secrecy according to the current proposal.

According to the proposed Data Protection Act, the Data Protection Ombudsman has, regardless of the obligations of secrecy, free access to the information necessary for the performance of his duties.

Scientific, historical or statistical purposes 

Proposed Data Protection Act includes derogations and safeguards in accordance with Article 89 GDPR.  These mostly carry forward rules which already apply under the current Personal Data Act.  Processing for scientific, historical or statistical purposes is permissible as long as the safeguards in Article 89 GDPR and the proposed Data Protection Act are met.

Employment

Section 30 of the proposed Data Protection Act states that privacy in the employment context is covered by the current Act on the Protection of Privacy in Working Life. The Ministry of Economic Affairs and Employment has suggested only a few changes to the current act for it to comply with the GDPR. The governmental proposal for the changes has not yet been submitted to the Parliament.

Personal data of deceased persons 

The proposed Data Protection Act would not apply to the processing of personal data of deceased persons.

Children online (in relation to the offering of information society services)

According to the proposed Data Protection Act, the age limit for consent is 13 years. Both options, the age limits of 13 and 15 years, were considered, but in the end the decision was based on the comments received during the consultation phase as well as on the decisions made by other Nordic countries.

Special rules for special categories of data

Sections 6 and 7 of the proposedf Data Protection Act define exceptions where Article 9(1) of the GDPR is not applicable. There are two relevant special permissions: First, a special permission to process special categories of personal data for insurance companies for the purposes of clarifying their liabilities.

Further, the new Data Protection Act includes a special permission for processing of data related to criminal convictions and offences for the purposes of legal proceedings.

Genetic, biometric or health data

"The Ministry of Social Affairs and Health is responsible for this area and has prepared two legislative proposals. 

  1. governmental draft on new Act on the Electronic Processing of Customer Data in Social and Health Care Services. This is meant to abrogate the current Act. The proposal has taken into consideration the GDPR requirements, but has not yet been submitted to the Parliament.
  2. proposal on Secondary Use of Health and Social Data. The purpose is to set rules and requirements for use (processing) of health data for statistical, research and development purposes and to ease permission procedures. The proposal will bring the rules into line with the GDPR. Proposal  submitted to  Parliament in October 2017 and  now under discussion in the Parliament Committees.  Intended to enter into force on 1st July 2018.
Designation of a Data Protection Officer

The current Personal Data Act does not include any additional obligations to designate a Data Protection Officer. However, there are obligations to appoint a Data Protection Officer under the Act on Electronic Prescription and under the Act on the Electronic Processing of Customer Data in Social and Health Care Services. This obligation applies, inter alia, to pharmacies, health care service providers and the Social Insurance Institution of Finland.
An obligation of secrecy for DPOs is included in the new Data Protection Act.

National identification numbers/any other identifier of general application

The Working Group has proposed that current provisions concerning processing of Personal Identity Code (PIC) set in the Personal Data Act would be upheld in the Data Protection Act. The Working Group has proposed that PIC may be processed with an explicit consent from the data subject or when it is important to unequivocally identify the data subject for compliance with a legal obligation, carrying out rights and responsibilities of the data subject or the controller, or for the purposes of scientific or historical research or for statistical purposes.


Other:

Any other areas under discussion

n/a