On 13 November 2018 the Finnish Parliament approved the Data Protection Act (tietosuojalaki). That act complements the GDPR and repeals the Personal Data Act of 1999. The date on which the Act enters into force will be confirmed later. Besides setting forth the national provisions required by the GDPR, the Data Protection Act also uses the opening clauses in the Regulation on several occasions.
With the Personal Data Act and several other legal acts, Finland has had already had an exceptionally high level of data protection. Accordingly, the Government proposal (HE 9/2018 vp) introducing the draft of the new law stated that the intent of the legislator was to utilize the national discretion as extensively as possible to maintain the current state of affairs.
The new Act introduces changes to the Criminal Code, the Act on the Enforcement of Fines and the Act on the Grey Economy Information Unit. The Act on Protection of Privacy in Working Life will continue to apply and set a strict standard for protection of employee personal data in Finland.
The most important points in the new Finnish law are:
Children's data, sensitive data, the personal identity code & criminal convictions
The age of consent with respect to offering information society services to children has been set to 13 years, whereas the default option in the GDPR is 16 years.
Additional specific legal grounds for processing health data are introduced for insurance companies to define liability. Processing of health data and genetic data is also allowed for anti-doping work and in the context of sport for disabled people.
Processing of personal identity code (PIC) is subject to additional requirements. PIC may be processed, for instance, purposes of lending, debt collection and insurance.
Several instances are identified in which actors other than public authorities are allowed to process personal data relating to criminal convictions. This includes situations where processing is carried for the establishment, exercise and defense of legal claims or by courts deciding on such claims. Processing of data on criminal convictions is also allowed for scientific, historical or statistical research and for insurance companies to define liability.
Public authorities, the Data Protection Ombudsman & administrative fines
The Data Protection Ombudsman remains as the national data protection authority and supervises the entire field of data protection in Finland. The Finnish Data Protection Board, which under the old Personal Data Act was the most important decision-making agency in personal data matters, is disbanded.
Public authorities and bodies are excluded from the GDPR administrative fines.
The administrative fine will be imposed by a three-member board consisting of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen.
The right of access and right to receive information about the processing have been limited in connection with the processing for various tasks of public authorities. For instance, these data subject rights may be restricted for the purposes of crime prevention and maintaining public order. These derogations are accompanied by various safeguards for the data subjects.
The lawful ground of public interest & processing for the purposes of expression
The lawful ground of processing for the performance of a task carried out in the public interest is specified by a provision stating that processing is allowed if it concerns information regarding the status, duties and performance of a person in a public corporation, business, third-sector organisation or comparable activity. This provision will maintain the situation under the old Personal Data Act promoting freedom of speech and the principle of openness.
The public interest lawful ground is also specified by introducing a provision allowing processing for scientific or historical research, statistics and archiving. Subject to additional safeguards, data subject rights may be limited in when processing is based on these grounds.
Processing of personal data solely for journalistic, academic, artistic or literary purposes is permitted without a separate lawful ground. Furthermore, exceptions to certain GDPR obligations are introduced. For instance, data subject rights (access, rectification and erasure, data portability, etc.) are limited when processing takes place solely for these purposes.