Somewhat belatedly, on 13 November 2018 the Finnish Parliament approved the new Data Protection Act (DPA), repealing the old Personal Data Act from 1999. The aim was to have the DPA approved already in May 2018, but the government proposal for the DPA was passed to the Constitutional and Administrative Committees for examination, and their final statements were given in October. This led to the DPA being approved by the Finnish Parliament only in November 2018. The DPA will enter into force as soon as it has been ratified by the President of Finland (probably still during 2018).
The DPA applies together with the GDPR in Finland and regulates issues that have been left outside the scope of the GDPR for member states to include in their own national laws, such as:
Offering of information society services to children: A child can lawfully consent to the processing of his/her personal data for the purposes of offering information society services only if the child is at least 13 years of age (the age provided by the GDPR is 16).
Health related data: The DPA provides for a possibility to process health related data also in situations other than those allowed under the GDPR. For example, health related data may be processed
- by an insurance provider for the purposes of liability assessment
- in the operations of a health care service provider for the purposes of organizing or producing health care services
- in the operations of a social welfare service provider or when such a service provider grants benefits
- in the context of anti-doping work and sports of the disabled
- for scientific or historical research or statistical purposes.
Personal identity numbers: As a main rule, the DPA requires that personal identity numbers be processed only with consent or where allowed under applicable laws. The DPA does, however, provide an exemption, and personal identity numbers may also be processed
- when performing a task laid down by law
- in order to fulfil statutory rights and duties of data subjects and controllers
- for historical and scientific research or statistical purposes
- in credit, insurance, debt collection, payment service, rental, credit and health care operations
National supervisory authority: The relevant Finnish data protection authority is still the Data Protection Ombudsman, which has an office (expert organisation) with some 25 employees. A new feature is the expert board (under the office of the Data Protection Ombudsman) which gives statements on issues relating to the application of data protection laws.
Administrative fines: Only a special board consisting of the Data Protection Ombudsman and two deputy ombudsmen may decide on imposing administrative fines. Fines may not be imposed on public authorities and bodies.
In connection with enacting the DPA, the Finnish Penal Code has also been amended to include a new provision on data protection offences. Further, a new act on the processing of personal data in criminal matters and in connection with the maintaining of national security (implementing Directive (EU) 2016/680 on data protection in the police and justice sectors) will enter into force in connection with the DPA. It, too, currently awaits ratification by the President of Finland.