Key Points of the Finnish Data Protection Act Applicable as of 1 January 2019

Author: Anna Räty

Nearly six months after the entry into force of the EU General Data Protection Regulation (the “GDPR”), the Finnish Parliament finally approved the national Data Protection Act on 13 November 2018. The Act supplements and specifies the GDPR, which is directly applicable in all EU member states. The Data Protection Act has now been confirmed to enter into force on 1 January 2019, and we present below certain key points worth noting in the provisions of the national Act.

Rules on administrative fines have been specified on the national level. Administrative fines may not be imposed on public authorities or bodies, including e.g. the church and universities. As mentioned in our previous blog post on the subject from June 2017, the working group had some difficulties in reaching a consensus on the applicability of sanctions to public authorities, but eventually ended up excluding public authorities from the scope of applicability. Under the new Act, a new body called the Sanctions Board, which consists of the Data Protection Ombudsman and at least two Deputy Data Protection Ombudsmen, will be formed to decide on and impose administrative fines, which may amount up to 20 MEUR or 4% of the total annual global turnover of the preceding financial year. Moreover, administrative sanctions may not be imposed, if more than ten years have passed since the offense or wrongdoing.

The age of consent for processing children’s personal data is 13 years. A parental consent is required for processing personal data of children younger than 13 years old. Several other EU member states have implemented the age of consent to apply to children younger than 16 years, as set out as an option in the GDPR, and thus, the age limit in Finland promotes a less strict approach, which follows the course taken in other Nordic countries.

Criminal sanctions relating to data protection are amended and a newly formulated data protection offence is presented in the Criminal Code. The more limitedly available offence shall only be applied to natural persons acting in breach of the data protection regulations, such as employees of a company acting as a data processor or controller – immense administrative fines are considered an appropriate sanction for non-compliant companies. However, the offence is more widely applicable, if the breach is intentional or conducted by gross negligence.

National leeway has been used on processing personal data in certain specific situations. To give an example, the personal identity code, which is a Finnish speciality, may only be processed with the data subject’s consent or on law-based grounds for processing, or if the identification of the data subject is important for certain other specific situations, e.g. for the purposes of debt collection. Further examples where national leeway has been used relate to protecting the freedom of speech in mass communications and the public interest in certain situations.

To summarise, the aim of the new Act has not been to alter the current legal state, but to continue along the existing line of a rather high level of data protection. For example, the Act on the Protection of Privacy in Working Life, which offers even stricter rules than the GDPR on the processing of employee data, remains in force and requires no massive amendments, and will only be completed with certain GDPR-specific adjustments.