GDPR compliance in Finland

Like its Nordic neighbors, Finland is fully covered by the EU General Data Protection Regulation (GDPR). However, Finland has a long tradition of strong privacy protection, especially in the workplace, which gives the GDPR a uniquely Finnish character.

For businesses operating in Finland, understanding both EU regulations and specific national laws is crucial.

The Finnish Data Protection Act

The GDPR is supplemented in Finland by the national Data Protection Act (in Finnish: Tietosuojalaki / in Swedish: Dataskyddslag). This law specifies how the GDPR is to be applied nationally and provides, among other things, rules for the processing of the Finnish personal identity number (henkilötunnus).

The most striking Finnish feature, however, is another law: the Act on the Protection of Privacy in Working Life (työelämän tietosuojalaki). This law remains in force alongside the GDPR and sets a very strict framework for how an employer may process its employees’ data. For example, there are strict rules on monitoring employee email and on health-related testing, and the principle of “necessity” (that the data must be necessary for the employment relationship) is interpreted very restrictively.

Supervision: the Office of the Data Protection Ombudsman

The Finnish supervisory authority is the Office of the Data Protection Ombudsman (in Finnish: Tietosuojavaltuutetun toimisto / in Swedish: Dataombudsmannens byrå).

This authority has proven very active in enforcing the GDPR. It has issued several fines that clearly signal its priorities: transparency, data minimization and clear deletion policies.

Important cases that define the GDPR in Finland

The Finnish Data Protection Ombudsman has made several notable decisions:

  1. Fine for Posti, the Finnish postal service: Posti was fined €100,000 for lack of transparency. When customers reported a change of address, Posti did not clearly inform them of their right to object to their data being used for direct marketing. The case highlights the need for proactive, easy-to-understand information to data subjects.
  2. Fine for a large e-commerce company: the company was fined €856,000 for unclear and excessively long retention periods for customer accounts. In practice, it stored data indefinitely unless the customer asked for it to be deleted. The Data Protection Ombudsman stated that a company must have a defined and justified retention period for personal data; you cannot simply keep it “just in case”.
  3. Fine for a taxi company: the company was fined for several violations, including unlawfully recording audio in its taxis. This was considered a gross violation of the data minimization principle: recording conversations in the car was in no way necessary to fulfil the stated purpose (safety).

What does this mean for you?

Doing business in Finland requires a keen eye for the special Finnish regulations:

  • Control retention periods: you must have a clear, documented policy for when you delete customer data. Indefinite retention is not accepted.
  • Be extra careful with employee data: the Finnish law on privacy in working life is stricter than in many other EU countries. You must be able to justify exactly why you process each piece of information about your employees.
  • Transparency is paramount: inform your customers clearly, honestly and in easy-to-understand language about how you use their data (especially for marketing).

Finland takes data protection seriously and the Office of the Data Protection Ombudsman does not hesitate to enforce the rules to protect citizens’ rights.

Train the entire organization with a GDPR Course

Get a handle on employee training and bring the whole team up to speed with our customizable GDPR course. You get a consistent level of knowledge across the organization and automatic documentation of your training efforts.