The collection, storage and processing of personal data are regulated by the Personal Data Act (1050/2018, as amended). The Data Protection Act specifies and supplements the EU’s General Data Protection Regulation (GDPR) and its national application. Among other things, the Act provides for the appointment, organisation and powers of the supervisory authority on data protection matters.
The Act on the Protection of Privacy in the Work Environment (759/2004, as amended) regulates the protection of privacy in employment relationships, whereas the Information Society Code (917/2014, as amended) regulates the processing of data in electronic communications.
Furthermore, Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) applies in Finland.
The GDPR contains six bases that permit the processing of personal data: i) the consent of the data subject, ii) a contract, iii) the controller’s legal obligation, iv) the protection of vital interests, v) a task carried out in the public interest or the exercise of public authority, and vi) the legitimate interests of the controller or a third party.
The processing of special categories of personal data, such as data concerning ethnic origin or health, is prohibited in principle. However, such processing can be permitted if an exception to the ban on processing is provided for in the GDPR or national legislation.
Compliance with the provisions of the GDPR is required when processing personal data. Accountability, a key principle of the GDPR, means that the controller must be able to demonstrate its compliance with data protection legislation.