Page 1

In Finnish På svenska

front page

Legislation

Case law

In English

Authorities Government agreements Government proposals Publications

Search the material
Search ›

Keyword...

In a quick search, a break character *, e.g., study aid *, and backspace * A broader search with or, e.g., open side * or married side *. Try it too
advanced search . See instructions .

Finlex ›Legislation› Legislation in its original form ›2018› 1054/2018

1054/2018

Acts in original
Texts of acts without changes
as published

Document versions
References På svenska

in the body of legislation. All acts v.
Since 1987 and a central part
older acts.

Helsinki, 5 December 2018

Law
the processing of personal data in criminal matters; and
maintaining national security
in connection with

Other material related to the material
› Swedish regulations
› Up - to - date legislation
› Directory of legislative amendments
› Acts in the Sámi language

In accordance with the decision of Parliament, the following is provided:

› Recent adjustments / De nyaste
rättelserna

Chapter 1
General provisions
§1
Scope of application
This Act applies to the processing of personal data by the competent authorities in the case of:

Table of contents
1054/2018
Chapter 1 - General provisions
§ 1 - Scope
Section 2 - Relationship with other legislation
Section 3 - Definitions

Chapter 2 - Processing of personal data
principles

1) the prevention, detection, investigation or prosecution of criminal offenses;

Section 4 - Requirement of legality
Section 5 - Intended use

2) prosecution and other activities of the prosecutor related to the crime;
3) the handling of a criminal matter in court;

Section 6 - Necessity requirement
Section 7 - Requirement of faultlessness
Section 8 - Separation of certain personal data
one another
Section 9 - To be transferred or made available
quality assurance of personal data

4) the execution of a criminal sanction;
5) protection against threats to public security or the prevention of such threats
In the context of the activities referred to in paragraphs 1 to 4.

Section 10 - Obligation to notify processing
special conditions
Section 11 - Concerning special categories of personal data
handling
Section 12 - Processing of personal identity numbers

To the beginning of the page

In addition to the provisions of subsection 1, this Act applies to:
1) Personal data processed by and on behalf of the Defense Forces
processing when information is processed pursuant to Section 2 (1) of the Defense Forces Act (551/2007)
To perform the tasks set out in paragraphs 1, 2 (a), 3 and 4;
2) the processing of personal data by the police when the data are processed in such a police act
(872/2011) in the task referred to in Chapter 1, Section 1, Subsection 1, which is related to the national
security protection;
3) the processing of personal data by the Border Guard when the data is processed in such a place
referred to in Article 3 (2) and (3) of the Border Guard Act (578/2005), which is related to the
to protect security.
However, section 10 does not apply to the processing of personal data referred to in subsection 2 above
Subsection 2 on the transfer of personal data to a recipient located in the European Union, section 54
mutual assistance with another EU Member State and not Chapter 7 on the transfer of personal data
third countries and international organizations.
However, this Act applies only to such personal data referred to in subsections 1 and 2
processing which is wholly or partly automatic or in which the data processed constitute or
they are intended to form the register or part of it.
This law is implemented by the authorities competent for the protection of natural persons
the prevention, investigation, detection or detection of criminal offenses in connection with the processing of personal data
for the purpose of prosecuting criminal offenses or enforcing criminal sanctions, and
on the free movement of such information and Council Framework Decision 2008/977 / JHA
Directive (EU) 2016/680 of the European Parliament and of the Council repealing
the Data Protection Directive in criminal matters .

§2
Relationship with other legislation
If other law contains provisions that deviate from this law, they shall apply instead of this law.
The right to receive information and other disclosure of personal data from the authority's personal register
the provisions on publicity for the activities of public authorities shall apply.

§3
Definitions
For the purposes of this Act:
1) personal data means any identified or identifiable natural person
( registered ) directly or indirectly related information;

2) processing means the collection, storage, organization, structuring, storage of data,
modification or modification, retrieval, query, use, transfer of data by transfer,
disseminating or otherwise making available, coordinating or combining information,
restriction, deletion or destruction and any other activity or activities targeted
personal data or sets of data containing personal data;
3) the purpose of restricting the marking of personal data stored by restriction of processing
their subsequent processing;
4) a set of information containing personal data structured in the register , from which the information is available in certain ways
whether the data set is centralized, decentralized or operational, or
geographically distributed;
5) " competent authority" means the authorities whose competence covers the prevention of criminal offenses;
disclosure, investigation or prosecution, prosecution or any other criminal offense
prosecution, criminal sanctions or
enforcement of criminal sanctions, including public security
protection against and prevention of such threats, as well as the Defense Forces, the police and the
The Border Guard when performing the tasks referred to in section 1, subsection 2;
6) the controller means the competent authority which alone or together with others determines
the purposes and means of the processing of personal data or for which the keeping of records is prescribed by law;
7) processor of personal data means a natural or legal person, authority, agency or
another body which processes personal data on behalf of the controller;
8) recipient is a natural or legal person, authority, agency or other body;
to whom personal data are disclosed;
9) personal data breach means a breach of security which results in the transfer of personal data ;
accidental or unlawful personal data stored or otherwise processed
destruction, loss, alteration, unauthorized disclosure or access to information;
10) appropriate safeguards means technical and organizational measures that:
ensuring the lawfulness of the processing of personal data, taking into account the nature of the processing,
the scope, context and purposes, as well as the risks to the data subjects' rights;
11) profiling means the automatic processing of personal data in which the use of personal data is assessed
the personal characteristics of the natural person;
12) genetic information, personal data relating to any natural person or inherited
acquired genetic traits which reveal the individual knowledge of that natural person
physiology or state of health and derived from the biological
by analyzing the sample or otherwise;
(13) biometric data relating to the physical and physiological characteristics of a natural person; or
personal data obtained through technical processing related to the conduct on the basis of which that
a natural person can be identified or the identification of that person can be verified;
14) health information relating to the physical or mental health of a natural person
personal data indicating his state of health;
15) third country means a state other than a member state of the European Union (EU), the European Union
a State belonging to the European Economic Area or Switzerland;
16) international organization means an organization and its subordinate bodies to which an international organization applies
public law, as well as any other body set up between two or more States
agreement or on the basis of such an agreement.
What is provided in this Act for a competent authority, subsection 1 shall also apply
To a private individual performing the task referred to in paragraph 5.
What this law provides for an EU Member State also applies to the European Economic Area
States and Switzerland.

Chapter 2
Principles for the processing of personal data
§4
Legality requirement
Personal data may be processed only in so far as is necessary for the purposes of the competent authority provided for by law,
To perform a task falling within the scope of subsection 1 or 2.
Personal data must be processed properly and carefully.

§5
Intended use
The controller may only collect personal data for certain specific and legitimate purposes
and shall not deal with them in a way incompatible with those purposes.
Personal data collected for the purpose provided for in section 1, subsection 1 or 2 above may be processed
for a purpose other than that provided for in that subsection only if processing is provided for
in law.
Personal data may also be processed for the purpose provided for in section 1, subsection 1 or 2, also in the public interest
for archival or scientific, statistical or historical purposes, provided that:
appropriate safeguards for the data subject's rights have been taken.

§6
Necessity requirement
The personal data processed must be appropriate and necessary for the purpose of the processing,
nor shall they be too broad for the purposes for which they are processed. Unnecessary
personal data must be deleted without undue delay.
Personal data may be kept in a form in which the data subject can be identified only for as long as is
necessary for the purpose of the processing of personal data.
The need for the retention of personal data shall be assessed at least every five years, unless
retention periods for personal data are otherwise provided elsewhere.

§7
Requirement of accuracy
The personal data processed must be accurate and take into account the purpose of the processing
updated. The controller shall ensure that all reasonable steps are taken
taken to ensure that data which are inaccurate in relation to the purposes for which they were processed are deleted, or
corrected without delay.

§8
Separation of certain personal data
The controller shall, where necessary and possible, clearly distinguish between them
personal data concerning data subjects in a different position in the present case.
To distinguish factual personal information from personal estimates
all reasonable steps must be taken with regard to personal data.

§9
Quality assurance of personal data to be transferred or made available
The competent authority shall take all reasonable measures to ensure that:
that incorrect, incomplete or outdated personal data is not transferred or made available.
As far as possible, all transfers of personal data must be accompanied by data that allow
the receiving competent authority may assess the accuracy of the personal data;
completeness, reliability and timeliness.
If it appears that incorrect personal data has been transferred or that personal data has been transferred
unlawfully, the consignee shall be informed without delay. The recipient must be informed
upon receipt, rectify, delete or restrict the processing of personal data.

§ 10
Obligation to notify the special conditions of processing
If the processing of personal data is subject to special conditions laid down by law, the competent authority shall:
the authority shall disclose the personal data in connection with the transfer or transfer of personal data
the recipient of those conditions and the obligation to comply with them.
When a competent authority transfers personal data to a recipient in the EU, it may not
impose stricter conditions on the processing of personal data than those applicable at national level
similar data transfers.

§ 11
Processing of specific categories of personal data
Data belonging to specific categories of personal data are personal data revealing ethnic origin,
political opinions, religious or philosophical beliefs or trade union membership, as well as
genetic data, biometrics for the unambiguous identification of a natural person
information as well as the health or sexual behavior and sexual behavior of the natural person
orientation information.
The processing of personal data referred to in subsection 1 is permitted only if it is necessary,
the safeguards necessary to safeguard the data subject's rights have been taken and if:
1) processing is provided by law;
2) it is a matter of criminal proceedings in a prosecutor's office or a court;
3) the protection of the vital interests of the registered or another natural person requires it; or
4) the processing concerns information which the data subject has expressly made public.
The kind of profiling that results in specific groups of personal data based on natural persons
discrimination is prohibited.

§ 12
Identity processing
The personal identity number may only be processed if the unambiguous identification of the data subject is important:
1) the competent authority for the performance of a task provided by law;
2) to implement the rights or obligations of the data subject or the data controller; or
3) for historical or scientific research or statistics in accordance with section 5 (3).
The personal identification number must not be unnecessarily marked on those printed or prepared on the basis of the register
documents.

§ 13
Automated individual decisions
Unless otherwise provided by law, the decision may not be made solely on the basis of automated personal data
processing if the decision has or has adverse legal effects on the data subject
otherwise significant to him.

Chapter 3
Registrar and processor of personal data
§ 14
Responsibility of the controller
The controller is responsible for ensuring that personal data is processed lawfully. It must also be able to
to show that personal data have been processed in accordance with Chapter 2.
The registrar shall implement the necessary technical measures required for the liability provided for in subsection (1)
and organizational measures. The measures must be taken into account in the implementation of the measures
nature, scope, context and purposes, as well as the rights of natural persons
risks.

§ 15
Built-in and default data protection
The controller must both determine the methods of processing personal data and the personal data
take appropriate technical and organizational safeguards during processing
to ensure the lawfulness of the processing and the protection of the data subject's rights.
The measures shall be implemented taking into account the technical solutions available,
the cost of carrying out the measures and the nature, extent, context and purposes of the processing
as well as the risks that processing poses to a person’s rights.
The controller shall take appropriate technical and organizational measures
to ensure that, by default, it is processed only for each specific processing purpose
necessary personal data.

§ 16
Joint registrars
If two or more controllers jointly determine the purposes and means of processing, they shall:
agree on their mutual division of responsibilities in the performance of their obligations under this Act, unless
the division of responsibilities is not provided by law.
The controllers referred to in subsection 1 above shall designate a contact point from among themselves
a working controller with whom the data subject may communicate in relation to the exercise of his rights
matters. However, the data subject may exercise his rights under this Act in relation to each
to the controller.

§ 17
Processor of personal data
The controller of personal data on behalf of the controller shall provide the controller with the appropriate
statements and commitments and otherwise adequate guarantees of their organizational and technical capacity
measures by which it ensures that personal data are processed in accordance with the provisions of this Act
according to the requirements.
The controller or its employee may not process personal data other than
in accordance with the instructions of the controller, and shall not transfer the processing of personal data to another processor without
written consent of the controller.
A written agreement must be made on the processing of personal data by the processor
or issue a written order stating the personal data to be processed, the duration of the processing, the nature
and purpose, the categories of personal data to be processed and the categories of data subjects, as well as the controller
obligations and rights. The written document referred to above shall also provide that:
personal data processor:
1) acts only in accordance with the instructions of the controller;
2) ensure that natural persons processing personal data have undertaken to comply
obligation of professional secrecy or that they are bound by a legal obligation of professional secrecy;
(3) assist the controller in all appropriate ways to ensure that:
the provisions on the data subject's rights are complied with;
4) at the option of the controller to delete or restore the data processing services
upon termination of the provision, all personal data to the controller and delete existing copies,
unless otherwise provided by law;
5) make available to the controller all information necessary for compliance with this section
to demonstrate;
6) meets the conditions for the use of a second processor referred to in this section.

§ 18
Description of processing operations
The controller shall keep a written record of the processing of personal data for which it is responsible
a leaflet containing the following information:
1) the registrar and, if necessary, the joint registrar and those referred to in section 38
the name and contact details of the data protection officer;
2) the purposes of the processing of personal data and the legal basis;
3) a description of the group or groups of data subjects and the groups of personal data being processed;
4) the groups of recipients to whom the personal data have been or will be disclosed;
5) groups of transfers of personal data to a third country or to an international organization;
6) if possible, the planned deadlines for the deletion of different groups of personal data;
7) possible use of profiling;
8) if possible, a general description of the information systems and the principles of their security
and a general description of the technical and organizational security measures referred to in section 31.
The controller must maintain everything that is done on behalf of the controller
a written report on the processing of personal data containing the following information:
1) the name and contact details of the processor or processors of personal data and the data protection officer;
2) the name and contact details of each controller on whose behalf the processor acts;
3) the groups of processing performed on behalf of each controller;
4) if the controller has expressly so instructed, any information about personal data
transfer to a third country or to an international organization;
5) if possible, a general description of the technical and organizational aspects referred to in section 31
safeguard measures.

§ 19
Log information
The controller and the processor of personal data must take care of the storage of log data
the collection of personal data in its automatic data-processing system,
modification, interrogation, transfer, transfer, amalgamation and deletion. Surveys
and donation log data must be able to determine query and donation
the basis, date and time of implementation and, where possible, the person requesting or having accessed the personal data
the identity of the person who provided the information and the identity of the recipients of that personal information.
Log data may only be used for the purpose of checking the lawfulness of processing, internal control,
ensuring the integrity and security of personal data and criminal proceedings.

§ 20
Data protection impact assessment
Before starting the processing of personal data, the controller must assess the planned ones
the effects of the processing operations on the protection of personal data.
A written impact assessment must be carried out by the controller if the processing of personal data is planned
may pose a significant risk to the exercise of the rights of a natural person.
The impact assessment shall include a general description of the planned treatment
an assessment of the risks to the data subject's rights and measures to reduce them, as well as measures
ensuring the protection of personal data.

§ 21
Prior consultation of the Data Protection Authority

The controller or processor must consult the Data Protection Officer before
processing of personal data if:
1) planned in accordance with the written impact assessment referred to in section 20 (2)
notwithstanding safeguards, the processing poses a significant risk to the data subject's rights; or
2) data processing, in particular the use of new technologies, mechanisms or procedures
poses a significant risk to the rights of data subjects.
The registrar shall provide the Data Protection Commissioner with the information referred to in section 20 (2)
impact assessment and, upon request, other information that the EDPS can use
assess the lawfulness of the processing of personal data.
If the Data Protection Commissioner considers that the processing referred to in subsection 1 would constitute this Act
the Data Protection Officer shall request a consultation within six weeks
upon receipt of the processing by the controller and the potential processor
to bring it into line. The deadline may be extended by one month if scheduled processing
complexity requires it. The Data Protection Officer shall inform the controller and
the potential processor of the extension of the time limit and the reasons for the delay
within one month of receipt of the request for consultation.

Chapter 4
Rights of the data subject
§ 22
Privacy statement and notification obligation
The controller shall keep a written record of the processing of personal data for which it is responsible
a leaflet, which shall be made publicly available, containing at least the following information:
1) the contact information of the controller and the data protection officer and, if the controller considers it
if necessary, the name of the data protection officer;
2) the name and contact information and information of the registrar acting as the contact point for the joint registrars
that the data subject may exercise his rights under this Act in relation to each
the controller;
3) the purposes and legal basis of the processing of personal data;
4) the retention period of personal data or, if it has not been specified, the criteria for determining the retention period;
5) possible regular recipients or groups of recipients of personal data;
6) information that the data subject has the right to request access from the registrar concerning him or her
personal data and the right to request the rectification, erasure or rectification of such personal data
restriction of processing;
7) information that the data subject has the right to make a request for action referred to in section 56
the Data Protection Officer, and the contact details of the Data Protection Officer.
The registrar shall provide the data subject with the description referred to in subsection 1 and other necessary information
information for the exercise of the data subject's rights under this Chapter, if such information
necessary in order to enable those rights to be exercised.
The registrar may omit the information in full or in part if this is necessary in section 28
on the grounds set out above.

§ 23
Right of inspection of the data subject
Everyone has the right to be informed by the controller whether personal data concerning him or her are being processed.
If such data are processed, the data subject shall have the right to obtain the following information from the controller:
1) the personal data to be processed and all available information on the origin of the data;
2) the purposes of the processing and the legal basis;
3) the personal data groups to be processed;
4) the recipients or groups of recipients to whom the personal data of the data subject have been disclosed;
5) the retention period of personal data or, if it has not been specified, the criteria for determining the retention period;
6) the right of the data subject to request personal data concerning him or her from the data controller
rectification, erasure or restriction of processing;
7) the right of the data subject to make a request for action referred to in section 56 to the Data Protection Officer; and
contact details of the authorized person.
Anyone who wishes to verify the information concerning themselves in the manner referred to in subsection 1 may submit this
a request to the controller by means of a handwritten document or equivalent
in a certified manner or in person at the controller.

§ 24
Restrictions on the right of inspection
The data subject's right to inspect may be totally or partially suspended or restricted or denied
in so far as it is necessary for the reasons mentioned in section 28. If the registrant has the right to inspect
suspended, restricted or refused, the controller shall, without undue delay, inform the
written certificate to the data subject. There are also grounds for postponement, restriction and refusal
unless their disclosure would jeopardize the purpose of the refusal or restriction.
The refusal to inspect is also considered to be the absence of the controller for three months
provided a written response to the data subject within the
The controller shall inform the data subject of his right to request a measure
the Data Protection Officer as a result of the suspension, restriction or refusal of the right of inspection; and
the right to exercise the right of inspection in accordance with section 29 through the Data Protection Officer.
The controller shall keep records of the grounds on which the refusal of the right of inspection or
restriction is based.

§ 25
Correction, deletion and restriction of processing of personal data
The controller shall, on its own initiative or at the request of the data subject, without undue delay
rectify or supplement the data subject, incorrect for the purpose of the processing, or
incomplete personal information.
The controller shall, on its own initiative or at the request of the data subject, without undue delay
delete personal data concerning the data subject if their processing is contrary to Article 4 or 5, Article 6 (1) or
The provisions of subsection 2 or section 7 or 11. However, instead of deleting, the registrar has to
restrict processing if:
(1) the data subject contests the accuracy of the information and not its accuracy; or
the inaccuracy can be verified; or
2) personal data must be kept for evidence.
If the processing has been restricted pursuant to subsection 2 (1), the controller must precede the restriction
the data subject shall be notified of the deletion.

§ 26
Denial of a registered claim
If the controller does not accept the data subject's request for rectification of personal data,
additions, deletions or restrictions on their processing, the controller shall notify
the data subject with a written certificate of refusal and the reasons for it. Details of the refusal
may be omitted, in whole or in part, in so far as is necessary 28
On the grounds mentioned in section.
The controller shall inform the data subject of his right to request a measure
to the Data Protection Commissioner as a result of the refusal referred to in subsection 1 and the right to use
The rights referred to in section 25 in accordance with section 29 through the Data Protection Commissioner.

§ 27
Obligation of the controller to notify rectification, erasure or
restriction of processing
The controller shall notify the authority from which the personal data have been corrected
incorrect personal information is from.
If personal data have been rectified or deleted or their processing has been restricted pursuant to section 25,
the controller shall inform the recipients to whom the controller has disclosed the matter
that information. The recipient shall rectify or delete such personal data contained therein, or
restrict their processing.

§ 28
Restriction of the data subject's rights
The rights of the data subject may be restricted by section 22 (2), section 24 (1), section 26
In the manner referred to in subsection 1 and section 35, if it is taking into account the rights of the data subject
proportionate and necessary:
1) for the prevention, detection, investigation or prosecution of criminal offenses;
or to avoid prejudice to the enforcement of criminal sanctions;
2) to secure another investigation, investigation or similar procedure of the authority;
3) to protect public safety;
4) to protect national security; or
5) to protect the rights of other persons.

§ 29
Exercise of rights through the Data Protection Officer
The data subject has the right to ask the Data Protection Officer to verify the personal data and their data
the lawfulness of the processing if the right of inspection of the data subject under this or any other law has been suspended,
restricted or denied or if the controller does not accept the data subject's request for personal data
correcting, supplementing, deleting or restricting their processing.
If the data subject exercises the right referred to in subsection 1, the data protection officer shall be reasonable
inform the data subject of the measures it has taken within that period. Data Protection Supervisor
shall also inform the data subject of his right to do so to the Data Protection Officer in section 56
request for action.

§ 30
Promoting the exercise of the data subject's rights and measures
free of charge
The controller shall facilitate the access of data subjects to those referred to in this Chapter
rights. All notifications to the data subject and information on the processing of personal data
shall be provided in a concise, comprehensible and easily accessible form in a clear manner
and in simple language.
Notices and information to be provided to the data subject in accordance with this Act and to the data subject in accordance with this Act
processing of requests made in accordance with this Regulation shall be free of charge for the data subject. If I register
the requests are manifestly unreasonable or unfounded because of their repetition or for any other reason;
however, the controller may charge a fee for the transaction. The criteria for the amount of the fee are laid down
in the State Payment Basis Act (150/1992).
If the controller charges a fee under subsection 2, it shall, if necessary, address the request
manifest unfoundedness or unreasonableness.

Chapter 5
Information security
§ 31
Protection of personal data
The controller and the processor of personal data must take technical and organizational measures
adequate protection of personal data, taking into account the processing of the data subject
risk to rights. In particular, personal data must be protected against unauthorized processing and
accidental loss, destruction and damage. Measures
the design and implementation shall take into account:
1) the latest technology;
2) the costs of implementing the measures;
3) the nature, scope, context and purposes of the processing;
4) the probability and severity of the rights of a natural person vary
risks.

§ 32
Protection of personal data in automated processing
In addition to the provisions of section 31, in the case of automated processing, the controller or
the controller shall, on the basis of a risk assessment, take measures to:
the idea is to:

Page 2

1) deny unauthorized persons access to the equipment used for processing;
2) prevent the unauthorized reading, copying, modification and deletion of data media;
3) prevent the unauthorized input of personal data into the system as well as those stored in the system
unauthorized viewing, modification and deletion of personal data;
4) prevent unauthorized use of automated processing systems by means of data transmission equipment;
5) ensure that persons authorized to use the automated processing system have access
only to personal data covered by their access rights;
Ensure that it is possible to verify and establish to which bodies personal data have been transmitted; or
made available or can be transmitted or made available by means of data transmission equipment;
7) ensure that it is subsequently possible to verify and establish what personal data have been input
automated processing systems, when they were fed and by whom;
8) prevent the unauthorized reading, copying, modification and deletion of personal data
when moving or transporting media;
9) ensure that used systems can be restored in the event of a failure;
10) ensure that the system is functioning, detected malfunctions are reported and the system
the malfunction cannot damage the stored personal data.

§ 33
Obligation of the controller to report a security breach
The processor of personal data is without receiving information about a personal data breach
undue delay shall notify the breach to the controller.

§ 34
Obligation of the controller to report a security breach
to the Data Protection Officer
The controller shall notify the personal data breach to the Data Protection Officer,
unless the infringement is not likely to endanger the data subject's rights.
The registrar shall make the notification referred to in subsection 1 without undue delay and
as far as possible, within 72 hours of becoming aware of the breach. If
notification to the EDPS is made later, the notification shall state the delay
the whys and wherefores.
The controller shall keep records of security breaches and related matters, including:
effects and remedial action taken.

§ 35
Obligation of the registrar to notify the data subject of a security breach
The controller shall, without undue delay, provide the personal data
from a security breach to the data subject if the security breach is likely to result
significant risk to the data subject's rights. However, there is no obligation to notify if:
1) the controller has misused the personal data subject to the breach
appropriate technical and organizational safeguards to effectively prevent or
(2) the controller has, after the breach, taken steps to ensure that:
the breach is likely to pose a risk to the data subject's rights.
Instead of notifying the data subject, the controller may report a security breach
by public notice if it would require unreasonable effort to notify the data subject.
Notification to the data subject may be postponed or restricted or may be omitted if section 28
conditions are met.

§ 36
Obligation of the controller to notify the security breach to another
to the controller
The controller shall, without undue delay, provide the personal data
a security breach to someone located in Finland or another EU Member State
the controller whose data have been or are being supplied with the infringement.

§ 37
Content of the security breach notification
In the notification referred to in section 34 above to the Data Protection Commissioner and in the notification referred to in section 36
the notification to the controller located in Finland or another EU Member State must describe
personal data breach. Where possible, the description should include information
the groups of data subjects concerned, the estimated number of data subjects,
groups of types of personal data and the estimated number of personal data.
The notification to the data subject referred to in section 35 above shall describe
the nature of the breach.
The notifications referred to in subsections 1 and 2 above shall also indicate:
1) the name and contact details of the data protection officer or other contact point from which additional information can be obtained;
2) the probable consequences of the security breach;
3) the measures taken or proposed by the controller
following a security breach and, where appropriate, measures to mitigate its adverse effects.
To the Data Protection Officer and to a controller located in Finland or another EU Member State
the information to be provided may be provided in stages to the extent that it is not possible to provide it
simultaneously.

Chapter 6
Data Protection Officer
§ 38
Designation of a Data Protection Officer
The controller must appoint a data protection officer. The data protection officer must be adequate
expertise in personal data processing legislation and practices; and
the ability to perform the tasks referred to in section 40. One data protection officer may be appointed by several
for the competent authority, if justified by the organizational structure and size of the authorities
considering.
The controller shall inform the Data Protection Officer of the contact details of the Data Protection Officer.

§ 39
Status of the Data Protection Officer
The controller must involve everyone in a proper and timely manner
personal data protection issues.
The data controller shall ensure the operating conditions of the data protection officer in accordance with the provisions of section 40
and provide access to personal data and processing operations.

§ 40
Duties of the Data Protection Officer
The tasks of the Data Protection Officer are:
1) advise the controller and the protection of personal data concerning personal data in its service
matters;
2) supervise the regulation of the processing of personal data and the personal data of the controller
compliance with processing procedures;
3) provide advice on data protection impact assessments upon request and monitor that it:
implemented in accordance with the provisions of section 20;
4) co-operate with the Data Protection Commissioner and act as its contact point for personal data
processing issues.
The duties of the Data Protection Officer do not extend to the judicial activities of the courts or to the Government
the Chancellor of Justice and the Parliamentary Ombudsman.

Chapter 7
Transfers of personal data to third countries and internationally
organizations
§ 41
General principles for the transfer of personal data
The competent authority may transfer personal data to a third country or internationally
organization only if other persons applicable to the processing of personal data referred to in this Act
provisions are complied with and:
1) the transfer is necessary for the purpose mentioned in section 1, subsection 1;
2) the personal data are transferred to the controller of a third country or to an international organization which is:
competent to process personal data for the purpose mentioned in section 1 (1); and
3) the adequacy of data protection is within the meaning of Article 36 of the Data Protection Directive in criminal matters
A valid decision of the European Commission ( Commission ) or, in the absence of such a decision,
appropriate safeguards exist in accordance with section 42 of this Act, or if provided for in section 43
exceptions for special situations will apply.
If the personal data have been obtained from another EU Member State, the transfer is also subject to the condition that:
the transfer has been authorized by that Member State. A transfer made without such permission is permitted
only if it is necessary for the public security of a State or for the essential interests of an EU Member State
to prevent an immediate and serious threat to their interests and authorization cannot be obtained in time. About the transfer
shall be notified without delay to the authority responsible for granting prior authorization.
If personal data is further transferred to another third country or other international
the competent authority which carried out the initial transfer may continue to grant authorization
in accordance with paragraphs 1 and 2 and with due regard to the offense
the seriousness, the purpose of the original transfer of personal data and the level of protection of personal data therein
in the third country or international organization to or to which the data are transferred; and
other significant issues.

§ 42
Transfer subject to appropriate safeguards
If the Commission has not taken the decision referred to in Article 41 (1) (3), personal data
may be transferred to a third country or to an international organization if the other provisions of section 41
the conditions are met and:
1) a legally binding instrument provides for appropriate safeguards for personal data; or
(2) the controller, after assessing all aspects of the transfer of personal data, considers that:
appropriate safeguards have been put in place to protect personal data.
The data controller shall notify the Data Protection Officer of any action taken pursuant to subsection 1 (2)
sets of transfers. The following information on transfers must be kept and made available on request
available to the EDPS:
1) dates and times of transfers;
2) the receiving competent authority;
3) the grounds for transfers; and
4) personal data transferred.

§ 43
Exceptions for special situations
If the Commission has not taken the decision referred to in Article 41 (1) (3) and not in Article 42
the conditions for the transfer are met, personal data may be transferred to a third country, or
to an international organization only if the transfer is necessary:
1) to protect the vital interests of the data subject or another person;
2) in order to safeguard the legitimate and important interests of the data subject;

(3) an immediate and serious threat to the public security of an EU Member State or a third country;
to prevent a serious threat; or
4) in an individual case for the purposes mentioned in section 1, subsection 1 or related to them
to formulate, present or defend legal claims.
However, personal data may not be transferred pursuant to subsection 1 (4) if the data subject concerned
rights must be considered to outweigh the public interest in favor of the transfer.
For transfers based on subsection 1, the following information shall be retained and set
available to the EDPS upon request;
1) the date and time of the transfer;
2) the receiving competent authority;
3) the basis for the transfer; and
4) personal data transferred.

§ 44
Transfer of personal data to third countries by private and other recipients
Notwithstanding the provisions of section 41 (1) (2), the competent authority may:
in an individual case, transfer personal data directly to individuals established in third countries
and other recipients, provided that the other provisions of this Act are complied with and:
(1) the transfer is necessary for the competent authority carrying out the transfer to carry out the tasks provided for
Their duties referred to in section 1, subsection 1;
2) the competent authority transmitting the data considers that the rights of the data subject concerned
do not override the public interest justifying the transfer in the present case;
3) the competent authority transmitting the data considers that the transfer to the competent authority of a third country
would be ineffective or inappropriate for the Authority due to urgency or otherwise;
4) the authority of a third country which is competent in accordance with section 1 (1)
the transfer shall be notified without undue delay, unless it would be ineffective or
inappropriate;
The competent authority transmitting the information informs the recipient of the specific purpose or purpose;
for certain purposes, this may process personal data that processing must be necessary
for these purposes and that the data may not be processed for other purposes; and
6) the transfer is not in conflict with Finland's international contractual obligations.
The competent authority transmitting the information shall keep the information on the task pursuant to subsection 1
and notify the transfer to the Data Protection Officer.

Chapter 8
Supervisory authority
§ 45
Data Protection Officer
Compliance with this Act is monitored by the person referred to in section 8 of the Data Protection Act (1050/2018)
the Data Protection Officer.
The provisions of this Act on supervision do not apply to the court, the Chancellor of Justice of the Government
and not the Parliamentary Ombudsman.
The Data Protection Officer shall be independent in the performance of his or her duties provided for in this Act.

§ 46
Tasks
In addition to monitoring compliance with this Act, the duties of the Data Protection Officer include:
1) promote public awareness of the risks associated with the processing of personal data, legislation,
safeguards and rights;
2) promote the awareness of data controllers and processors of personal data to them in accordance with this Act
responsibilities;
3) upon request, provide data subjects with information on their rights under this Act
use;
4) provide advice in the prior consultation referred to in section 21;
5) make reports on compliance with this Act;
6) check the lawfulness of the processing in accordance with section 29;
7) process requests for action made by the registered entity referred to in section 56;
8) monitor technological and other developments affecting the protection of personal data.
The EDPS also has a role to play in the protection of natural persons
processing of personal data and on the free movement of such data and Directive 95/46 / EC
Regulation of the European Parliament and of the Council repealing the General Data Protection Regulation
(EU) 2016/679 to the Data Protection Board referred to in Article 68. The EDPS does not
however, refer the matter to the Data Protection Board concerning the processing of personal data 1
In connection with the activities referred to in section 2.
The actions of the Data Protection Officer are free of charge for the data subject and the Data Protection Officer. If
however, the requests of the data subject or the Data Protection Officer are about the frequency of the requests or otherwise
for reasons manifestly unreasonable or unjustified, the delegatee may charge a fee for the measures or
dismiss the action as inadmissible. The criteria for the amount of payment are provided by the state
in the Basic Tax Act.
If the Data Protection Officer, in the manner referred to in subsection 3, charges a fee or dismisses the matter,
it shall, where appropriate, demonstrate that the request is manifestly unfounded or unreasonable.

§ 47
Right of access to information
The Data Protection Commissioner has the right to receive free of charge in section 22, notwithstanding the provisions on confidentiality
the description of processing operations referred to in Article 19, the log data referred to in section 19 and other management of their duties
necessary information.
The Data Protection Officer has the right to obtain a report from the controller and the processor of personal data
matters necessary for the performance of the tasks of the delegate.

§ 48
The right to carry out inspections
The Data Protection Officer may carry out an inspection at the premises of the controller or the processor,
if an inspection is necessary to monitor compliance with this Act.
In the space used for permanent residence, the inspection may be carried out only if it is
necessary to establish the facts to be inspected and in the case in question
In this case, there is a justified and identified reason to suspect the processing of personal data
provisions infringed or to be infringed in a manner which may result in a penalty under the Penal Code (39/1889)
provided for imprisonment.
The audit complies with the provisions of section 39 of the Administrative Procedure Act (434/2003).

§ 49
Official assistance
The Data Protection Officer has the right to receive official assistance from the police upon request in order to perform his or her duties.

§ 50
Use of experts
The EDPS may consult external experts and request their opinions.
In connection with the inspection referred to in section 48, the Data Protection Commissioner may use his or her assistance
external expert. The Data Protection Officer may appoint his or her consent as an expert
person who has a Data Protection Officer to carry out his or her duties
relevant expertise.
The expert shall be subject to the provisions on criminal liability
in performing the tasks referred to in this Act. Liability for damages is provided
in the Compensation Act (412/1974).

§ 51
Measures
In a matter covered by this Act, the Data Protection Officer may:
1) give guidance to the registrar in the prior consultation procedure referred to in section 21;
2) notify the registrar or processor of personal data of the alleged violation of this Act;
3) warn the controller or the processor of personal data that the intended processing operations may be
contrary to this law;
4) issue a notice to the controller or processor of personal data, if this has been processed
personal data illegally;
5) order the controller or the processor to comply with the data subject 's requests which:
concerning the exercise of the data subject's rights under this Act;
6) order the data controller to notify the data subject of a personal data breach;
7) impose a temporary or permanent prohibition or other restriction on processing;
Order the suspension of data transfers to a recipient in a third country; or
international organization;
9) order the rectification, deletion and restriction of the processing of personal data and to them
other related measures on the basis of section 25;
10) order the registrar or processor of personal data to complete the processing operations of this Act
comply with the provisions, if necessary in the prescribed manner and within a reasonable time.

§ 52
Penalty payment
The Data Protection Officer may set the decision referred to in section 51, paragraphs 5 to 10, and section 47
effect of a disclosure order based on Penalty payment
imposition and sentencing for payment is provided for in the Penalty Penalty Act (1113/1990).
A penalty payment may not be imposed on a natural person for disclosing the information referred to in subsection 1
if there is reason to suspect a criminal offense and the information concerns
the matter which is the subject of the criminal offense.

§ 53
Consultation of the EDPS
The Data Protection Commissioner may, on his or her own initiative or at his or her request, issue statements referred to in section 1
issues related to the processing of personal data.
The Data Protection Officer shall be given an opportunity to be heard in the preparation of the proceedings referred to in section 1
legislative or administrative reforms concerning the processing of personal data.

§ 54
Mutual assistance
Without prejudice to confidentiality provisions, the EDPS shall provide another EU free of charge
necessary for the supervisory authority of the Member State in the performance of its supervisory task
personal data and other necessary information and, if necessary, otherwise assist this supervision
implementation. The EDPS shall take other necessary measures
to ensure effective mutual cooperation.
The Data Protection Commissioner shall respond to the proposal of the supervisory authority referred to in subsection 1
without undue delay and in any case no later than one month after the request
receipt.

Chapter 9
Legal protection
§ 55
Infringement notification procedure
The competent authority must have procedures in place to enable it to:
confidentially report a suspected violation of this Act. The notification procedure must include:
appropriate and adequate measures to ensure the proper handling of notifications.
The notification procedure must also include instructions to safeguard the identity of the notifier
protection.
The competent authority shall keep the information referred to in subsection (1)
necessary information. The data shall be deleted five years after the notification, unless
further retention of data is not necessary for the purpose of criminal investigations, pending legal proceedings,
the rights of the notifier or the person subject to the notification
to secure. The need for further data retention shall be examined no later than three
one year after the previous revision. The review must be noted.
When a natural person has done to the competent authority the information referred to in subsection 1
notification, the identity of the notifier shall be kept confidential in the event of disclosure
the circumstances can be considered to be detrimental to the notifier.

§ 56
The right to refer the matter to the Data Protection Officer
The data subject has the right to refer the matter to the Data Protection Officer (request for action ) if:
the data subject considers that the processing of personal data concerning him or her violates this or that
the law on the processing of personal data. The matter may be brought with the consent of the data subject
the public interest entity, which promotes the protection of personal data, is also before the EDPS.

§ 57
Processing a request for action
The EDPS may suspend the case if a related case is pending
in court. The trustee shall, within a reasonable time, inform the initiator of the matter
the progress of the proceedings if the proceedings are delayed due to the necessary further clarification or other
for a reason.

§ 58
Commission decisions
If, in the case pending before it, the EDPS considers it necessary to determine whether Article 41 (1)
the Commission decision referred to in paragraph 3 on the adequacy of the level of data protection
in accordance with the Data Protection Directive in criminal matters, the trustee may, by application, make a reference for a preliminary ruling
the matter to the Helsinki Administrative Court.
The decision of the Administrative Court may be appealed only if the highest administrative
the right to grant leave to appeal.

§ 59
Appeal
The decision of the Data Protection Officer may be appealed to the Administrative Court as
the Administrative Procedure Act (586/1996) provides.
The decision of the Administrative Court may be appealed only if the highest administrative
the right to grant leave to appeal. The Data Protection Officer may also appeal to the Administrative Court
completed.
The decision of the EDPS may stipulate that the decision must be complied with
notwithstanding the appeal, unless the appeal authority orders otherwise.

Chapter 10
Miscellaneous provisions
§ 60
Damages
The controller shall be liable for the financial and other damage which is
incurred by a data subject or another person for processing personal data in violation of this Act.
Otherwise, the right to compensation for damage is provided for in the Compensation Act.

§ 61
Penalty provisions
The penalty for a data protection offense is provided for in Chapter 38, Section 9 of the Penal Code. Penalty
a breach of the secrecy of communications is provided for in Chapter 38, Section 3 of the said Act, aggravated
infringement of the secrecy of communications in section 4, breach of data in section 8 and aggravated breach of information in section 8a
§:in. The penalty is the duty of secrecy provided for in section 55 (3) of this Act and in section 62
breach of the obligation of professional secrecy referred to in Chapter 38, Section 1 or 2 of the Penal Code, unless
the act is not punishable under Chapter 40, Section 5 of the said Act or is provided for elsewhere in the Act
more severe punishment.

§ 62
Obligation of confidentiality
The obligation of professional secrecy and the prohibition of the use of data are regulated by the actions of the authorities
Section 23 of the Public Access Act (621/1999).

Chapter 11
Entry into force and transitional provisions
§ 63
Passage
This Act shall enter into force on 1 January 2019.

§ 64
Transitional provisions
Automated processing systems created before 6 May 2016 must be brought into line with Article 19
no later than 6 May 2023.
HE 31/2018
HaVM 14/2018
EV 113/2018
Directive 2016/680 / EU of the European Parliament and of the Council (320160680); OJ L 119, 4.5.2016
pp. 89
Helsinki, 5 December 2018
The president of the Republic
Sauli Niinistö
Minister of Justice
Antti Häkkänen

YOU ARE HERE: Finlex › Legislation › Legislation in original › 2018 › 1054/2018

LEGISLATION

CASE LAW

Up to date
legislation

The Supreme Court

Acts in original
Electric
statute book
Legislative changes
index
Translations of legal acts
Sámi-speaking
acts

AUTHORITIES

Authorities
collections of regulations
The Supreme Administrative Court
Collective agreements
Rights of the Court
Government
Administrative rights
attorney general
Market law
Data Protection Board
Industrial tribunal
Data Protection Officer
Insurance law
European courts
Case law
in the literature

GOVERNMENT AGREEMENTS THE BOARD OF DIRECTORS
PERFORMANCES
Government contracts
Government proposals
Government contracts
reference database
PROCEEDINGS
Electronic contract series
Legislative drafting
process guide
Board presentations
preparation instructions
The Writer's Guide

FINLEX®
News archive
RSS feeds
Instructions
Feedback
Terms of use
Accessibility statement
Sitemap

Equality
judgment
Legislative preparation
consultation guide
Trial Law Guide

Finlex ® is a public and free Internet service for legal material owned by the Ministry of Justice.
Finlex content is produced and maintained by Edita Publishing Oy. Neither the Ministry of Justice nor Edita is responsible for the content of the databases
any errors that may occur, the direct or indirect damage caused to the user by their use, or the Internet
network outages or other disruptions.

