Authorities Directing and Supervising the Processing of Personal Data
The Office of the Data Protection Ombudsman (tietosuojavaltuutettu) supervises the application of the data protection legislation in Finland. In addition to the national Data Protection Ombudsman, the European Data Protection Board (EDPB) acts at the European Union level, with the main task of ensuring a harmonized implementation of the GDPR in the EU. The EDPB holds the final power of decision in cases where the national authorities of the EU member states are unable to reach mutual understanding. The EDPB consists of the directors of the national data protection authorities of each member state and the European Data Protection Supervisor (EDPS).
The Finnish Data Protection Ombudsman’s main task is to maintain and promote the citizens’ basic right to respect for privacy. In this context, the Ombudsman’s Office issues opinions on the processing of personal data and publishes topical news and materials, which controllers can use as guidance in their own operations. The decisions of the Data Protection Ombudsman may be appealed to the Administrative Court. The decision of the Administrative Court can be appealed only if the Supreme Administrative Court grants a leave to appeal. The Data Protection Ombudsman has the right to impose a conditional fine for the purpose of enforcing its decisions.
Moreover, the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen form a collegial body for sanctions, which has the right to impose administrative fines. According to the GDPR, the data protection supervisory authority can impose administrative fines on controllers, up to an amount of 20 million EUR or 4 % of the total annual turnover of a company. Besides the fines, milder remedies are also available, such as the issuing of warnings.
Further, the Criminal Code of Finland contains a provision on data protection crimes, under which a fine or imprisonment of up to 1 year can be enforced. Compensation for damage to the affected party is also an available remedy. In addition to these sanctions, potential negative publicity and its impact on a business is another significant consequence.
Organizations are obliged to inform the Data Protection Ombudsman of prior consultations, of personal data breaches and of their data protection officers. The Data Protection Ombudsman shall also be notified of credit data processing and the commencement of processing of traffic data. These obligations are further defined in the Credit Data Act.