Finland - Data Protection

History of Data Protection in FINLAND

The first legislation on the protection of personal data in Finland was The Personal Data File Act (Act 471/1987). In 1995, the year that Directive 95/46 was introduced, Finland became a member of the European Union. As a result of this, in 1999 the legislation was revised.

The new Personal Data Act (Act 523/1999) did not change the main principles of protection, but laid more stress on the basic rights and freedoms of individuals and took into account not only the Directive, but also some constitutional reforms.

Summary of Data Protection in FINLAND

Title of Data Protection Legislation: Personal Data Act (523/1999)
Name of supervisory authority: The Data Protection Ombudsman / The Data Protection Board
General Powers of supervisory authority: "The primary duty of the Data Protection Ombudsman is to influence, in advance, compliance with the legislation concerning the keeping of registers" (From Ombudsman Website). See section 38(1) of the Act. Section 38(2) sets out the role of the Data Protection Board: "The Data Protection Board deals with questions of principle relating to the processing of personal data, where these are significant to the application of this Act, as well as makes decisions in matters of data protection, as provided in this Act".
Who has standing to notify the supervisory authority of breaches? Anybody
What are the penalties for data controllers if they breach the law? The penalties for breaches are not set out in the Personal Data Act, but in the Finnish Criminal Code (Act 578/1995) section 38, para. 9. The sentence is either a fine or imprisonment for up to a year.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. See section 13 of the 1999 Act. A 'personal identity number' may be processed with the unambiguous consent of the data subject, or in other specified situations, for example for purposes of historical, scientific or statistical research.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. However, medical research always requires consent (see Act no. 488/1999).
Does the Data Protection Legislation cover the deceased? Only indirectly, in cases where the sensitive data of the dead may affect the surviving relatives.
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations