Parliament of Finland approves new Data Protection Act

The Parliament of Finland finally approved the government proposal for a new Finnish Data Protection Act (HE 9/2018 vp) on 13 November 2018. The approved Act will now be sent to the President of Finland for ratification, after which it will come into effect. The new Data Protection Act will complement and specify the provisions of the EU General Data Protection Regulation (2016/679, “GDPR”) and serve as a general law for personal data protection in Finland. The new Act will also repeal the old Finnish Personal Data Act (523/1999).

The Main Provisions on the National Discretion in Finland

The new Act includes several provisions on national discretion, including provisions on health-related data, personal identity numbers, the processing of children’s personal data and criminal sanctions.

The Offering of Information Society Services to Children

The proposed Act makes processing personal data, based on consent, to offer information society services directly to a child is lawful for children aged 13 and older.

The Special Status of Data Containing a Personal Identity Number

Under the Act, personal identity numbers can be processed generally only with the data subject’s consent, or if the processing is required by law. Additionally, processing personal identity numbers is legal when identifying the data subject is essential (i) in order to perform a task set by law (ii) in order to realize the rights or duties of the data subject or the controller or (iii) for purposes of historical, scientific or statistical research. Personal identity numbers may be processed in employment relationships and in financial and credit service activities and the health care sector.

Processing of Health-related Data

The Act authorizes health-related data processing for certain specified purposes not explicitly listed in the GDPR. For instance, insurance companies may process health data, particularly when determining the provider’s liability. Health care service providers, including service purchasers and providers, have similar authorization.

The Competent Supervisory Authority

The Finnish Data Protection Ombudsman will remain the local supervisory authority under the GDPR. The new legislation also introduces an internal advisory board in the Data Protection Ombudsman’s office. The board will issue advisory statements on data protection legislation upon the Data Protection Ombudsman’s request.

In e-privacy matters, however, the Finnish Communications Regulatory Authority will continue to act as the supervisory authority. When e-privacy legislation is reformed under the proposed EU Regulation on Privacy and Electronic Communications, clarifications about these closely related authorities may be expected.


In addition to the administrative fines or other administrative sanctions, such as temporary or indefinite bans on processing a personal data, criminal sanctions are included in the Finnish Criminal Code (39/1889). A new criminal offence, the so-called data protection offence, which applies only to natural persons, is also introduced.

Other Currently Ongoing Legislative Proposals on Data Protection

The GDPR, which has been applicable since 25 May 2018, has resulted in several legislative changes in Finland. Although the GDPR is a regulation, and therefore directly applicable, it allows some flexibility for Member States.

In addition to the Data Protection Act, the Finnish government has also proposed amending the Act on the Protection of Privacy in Working Life to better correspond to the GDPR’s requirements. The proposal is currently under negotiations in the Parliament of Finland. The amendments concern obtaining criminal record data, camera surveillance and the scope of sanctions directed at employers. The amendments will become effective in the near future.

The GDPR also affects health care data, and the Finnish government has made two new legislative proposals on the subject, one for a Genome Act and the other for an Act on the Secondary Use of Health and Social Data. The government has also proposed amendments to the 2012 Biobank Act.

  • The objective of the Genome Act is to promote responsible and equal use of genomic data for the benefit of health and for preventing, detecting and treating illnesses.The new Act would establish a Genome Center to manage a population-wide genome database. The Act will enter into force on 1 January 2019.
  • The Act on the Secondary Use of Health and Social Data will create more flexibility and security in using health and social data for different purposes under the Act. The data could be used in other – secondary – purposes than that for which it was originally collected, such as in research, teaching, research and development, and data management. The Act is currently under discussion in the Parliament.
  • The Biobank Act establishes the operations of biobanks in Finland. The Biobank Act would be amended to better comply with the GDPR requirements and to clarify the provisions under the GDPR. However, the legislative process is currently on hold because it will depend on the outcome of the Genome Act and the Act on the Secondary Use of Health and Social Data.


Johanna Lilja