Last review date: 31 December 2024
The Office of the Data Protection Ombudsman acts as the national supervisory authority of Finland pursuant to the GDPR. Further, the Finnish Transport and Communications Agency Traficom is the competent supervisory authority in some data privacy and security matters under the AECS, including cookie rules.
Last review date: 31 December 2024
The Office of the Data Protection Ombudsman and the Finnish Transport and Communications Agency Traficom are both moderately active regulators in their respective fields.
Last review date: 31 December 2024
While the Office of the Data Protection Ombudsman has not yet published its priorities for 2025, they are unlikely to differ significantly from the priorities from previous years. The Office of the Data Protection Ombudsman has paid special attention to the following areas during the previous years:
- rights of the data subjects and protection of privacy of minors;
- transparency and timeliness of information
- artificial intelligence, automated decision-making and profiling
- new data regulations and the powers of the Data Protection Ombudsman
- European cooperation and cross-border decision making
- Monitoring the processing of personal data in organizations and managing access rights
We expect the Office of the Data Protection Ombudsman to continue imposing administrative fines for data protection breaches. In 2024, the level of administrative fines reached a new high, with the Data Protection Ombudsman imposing fines totaling EUR 2.4 million, the largest to date in Finland. Other record high fines from the year 2024 include fines of EUR 856.000 and EUR 950.000. This development indicates a trend towards more stringent enforcement.
Following the Finnish Supreme Administrative Court’s decision KHO:2023:82 regarding the relationship between the obligation to demonstrate compliance with the GDPR and the privilege against self-incrimination, we might see a more restrictive development in how controllers respond to information requests from the Office of the Data Protection Ombudsman.
Further, we expect the number of cases, in particular the number of data breaches, to be reported and registered in the Office of the Data Protection Ombudsman to continue to increase.
Traficom will continue to focus on matters relating to cookies. National Cyber Security Center under Traficom focuses on identifying cyber security threats and forming overall picture of cyber security as a CERT-fi. For the implementation of the new NIS 2 Directive, the forthcoming Cybersecurity Act will grant the National Cyber Security Center new responsibilities, for which it has been preparing throughout 2024. After the law comes into effect, the National Cyber Security Center will also provide support to those under its supervision.
Last review date: 31 December 2024
Class actions/group actions under data or cyber regulation are:
☒ Rare
Last review date: 31 December 2024
There are:
☒ administrative remedies from regulators and law enforcement
The administrative fine imposed on a private sector entity can amount to up to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Under Section 24 of the DPA, administrative fines (based on Article 83 of the GDPR) cannot be imposed on public sector organizations, such as government and municipality authorities, public utilities and universities, nor on the Finnish Evangelical Lutheran or Eastern Orthodox Church. The Finnish government, however, has begun a process to update the DPA, after which it is expected that administrative fines can be imposed on public sector organizations as well. The government proposal is expected to be submitted to the parliament in 2026.
Under the Cybersecurity Act, the relevant supervisory authority may enforce its decision by imposing a penalty payment, a threat of execution or a threat of suspension.*
☒ criminal penalties from regulators and law enforcement
Pursuant to Section 26 of the DPA, the below data protection related infringements are considered as criminal offenses.
Data Protection Offense
Under Chapter 38 Section 9 of the Criminal Code of Finland (39/1889), a person who, as someone other than the controller or processor provided in the GDPR, intentionally or grossly negligently acquires personal data in a manner that is incompatible with the purpose of processing, discloses personal data or transfers personal data in violation of the provisions of:
- the GDPR;
- the DPA;
- the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018); or
- another act concerning the processing of personal data,
and thus violates the protection of privacy of a data subject or causes a data subject other damage or essential harm, shall be sentenced for a data protection offence to a fine or to imprisonment for at most one year. Violation of the secrecy of communications and aggravated violation of the secrecy of communications
Under Chapter 38 Section 3 and 4 of the Criminal Code, a person who unlawfully:
- opens a letter or another closed message addressed to another or by decoding the protection, obtains information on the contents of an electronic or other technically recorded message protected against third parties; or
- obtains information on the contents of a telephone call or an electronic message, or another equivalent telecommunications message transmitted in a telecommunications network or an information system or on the transmission or reception of such a message,
shall be sentenced for a violation of the secrecy of communications to a fine or to imprisonment for at most two years. The violation of the secrecy of communications is deemed aggravated where, e.g., the message that is the object of the offence has an especially confidential content or the act constitutes a grave violation of the protection of privacy and the interception is aggravated also when assessed as a whole, in which cases the offender shall be sentenced for an aggravated violation of the secrecy of communications to imprisonment for at most three years.
Unlawful access to an information system and aggravated unlawful access to an information system
Under Chapter 38 Section 8 and 8 (a) of the Criminal Code, a person who unlawfully, by using an access code that does not belong to him or her or by otherwise breaking the security system of an information system, accesses an information system where information or data is processed, stored or transmitted electronically or in another equivalent technical manner, or a separately protected part of such a system, shall be sentenced for unlawful access to an information system to a fine or to imprisonment for at most two years. The same punishment applies also to a person who unlawfully obtains data contained in a data system by using a special technical device or otherwise by by-passing the security measures by manifestly fraudulent means. Section 8 (a) regulates aggravated unlawful access to an information system, for which the maximum punishment is imprisonment for at most three years. Unlawful access to an information system is considered aggravated when it is committed as a part of an organized criminal group or in a particularly planned manner.
Secrecy offense and secrecy violation
Under Chapter 38 Section 1 and 2 of the Criminal Code, a person who violates the secrecy duty set forth in Section 35 and 36 of the DPA by disclosing information that should be kept secret and which the discloser has obtained by virtue of their position, task or performance of a duty, shall be sentenced for a secrecy offense to a fine or to imprisonment for at most a year; or for a secrecy violation to a fine.
Breach and negligent breach of official secrecy
Under Chapter 40 Section 5 of the Criminal Code, a public official who, intentionally, while in an employment relationship or thereafter, unlawfully discloses a document or information that is to be kept secret or not disclosed, or makes use of such document or information to the benefit of him- or herself or to the loss of another, shall be sentenced for breach of official secrecy to a fine or imprisonment for at most two years. If a public official commits the offense through negligence and the act is not of minor significance when assessed as a whole, the public official shall, unless a more severe punishment for the act is provided elsewhere by law, be sentenced for a negligent breach of official secrecy to a fine or to imprisonment for at most six months.
☒ private remedies
Individuals may, for example:
- file complaints with the data protection authorities
- claim damages for material or non-material damages