New Data Protection Act to Complement the GDPR
The Finnish Government has published its Government Bill 9/2018, introducing a new Data Protection Act. The idea is not to produce a new comprehensive law regarding the processing of personal data, but rather to complement the General Data Protection Regulation (“GDPR”), which is directly applicable in Finland. Although the GDPR is quite extensive and detailed at least in some respects, it does provide EU member states with some leverage and room to adjust the rules according to their local needs. The new law and the GDPR should therefore be read together.
The new law awaits approval by the Finnish Parliament, but the aim is to have it come into force on 25 May 2018 – the same day the GDPR becomes applicable.
The Government Bill boasts 145 pages, but we have listed its key provisions below.
The Finnish Data Protection Ombudsman’s role
As expected, the Finnish supervisory authority will be the Data Protection Ombudsman. However, since the number of cases is likely to grow when the GDPR becomes applicable, there will be some structural changes within the office, and an expert panel will be established, authorized to provide the Ombudsman with expert opinions regarding the application of the new data protection rules.
The Data Protection Ombudsman will, as supervisory authority, be responsible for handing down not only the much-discussed fines under the GDPR, but also milder punishments such as warnings. Intriguingly, the Government Bill proposes a rather controversial exception: no administrative fines may be given to actors in the public sector. This categorical immunity is expected to face criticism in the Parliament.
The Government Bill also covers criminal penalties, stating, for example, that an employee who unlawfully pries into personal data may be personally found guilty of a data protection offence and be either fined or imprisoned for a maximum of one year.
Information society services offered to children
When information society services, like social media, are offered directly to children, the processing of their personal data is allowed if they are at least 13 years old (the GDPR suggested 16, but allows Member States to provide for a lower age). Otherwise parental consent is necessary, and it is the controller’s responsibility to make sure such consent exists.
Exceptions for freedom of speech, research and archiving
The Government Bill lists a number of exceptions when it comes to processing personal data for the purpose of securing freedom of speech (for example journalism). There are also a number of exceptions covering scientific and historical research, compilation of statistics, and archiving. In practice the exceptions mean, for example, that data subjects’ rights under the GDPR would be significantly restricted when data is processed for the above-mentioned purposes.
According to the Government Bill, the new Data Protection Act would also include a list of situations where the general prohibition in the GDPR to process special categories of data would not apply. For example, insurance companies can still process health data of the insured if necessary to clarify what the insurance company’s liability is.
Local laws concerning employment relationships not to be forgotten
Article 30 of the proposed law includes a reminder that the Act on the Protection of Privacy in Working Life (759/2004) still applies to the processing of employees’ personal data. Said act includes a number of important rules on tests, technical supervision, opening of emails etc.