Finland Recording Laws: One-Party Consent, NCII, and AI Rules (2026)

Finland follows a one-party consent framework for recording private conversations. If you participate in a conversation, you may legally record it without informing the other parties. Finnish law does not criminalize recording your own communications, and the Constitution of Finland (Suomen perustuslaki) protects this right under Section 12, which guarantees freedom of expression.

This guide covers the full scope of Finnish recording and surveillance law, including the governing statutes under the Criminal Code (Rikoslaki), GDPR obligations enforced by the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu), the 2023 reform on non-consensual intimate image sharing, EU AI Act deepfake disclosure rules that take effect in 2026, workplace surveillance restrictions, and criminal penalties.

Quick Answer: Is Finland One-Party or Two-Party Consent?

Finland is a one-party consent country. A participant in a private conversation, phone call, or video call may record that conversation without notifying or obtaining consent from the other parties. The Finnish Data Protection Ombudsman has confirmed: "Citizens have the right to record telephone calls in which they are the caller or receiver." This right derives from Section 12 of the Constitution of Finland (731/1999), which guarantees everyone the freedom of expression, including the right to receive and disseminate information.

Recording crosses into criminal conduct only when done by a non-participant. Criminal Code Chapter 24, Section 5 targets eavesdropping by outsiders who use a technical device to secretly listen to or record conversations they are not part of. The statute protects against surveillance by third parties, not against a participant's decision to preserve a record of their own communications.

The distinction between participant recording (lawful) and non-participant eavesdropping (criminal) is the foundation of Finnish recording law. Everything else in this guide layers GDPR obligations, workplace rules, and newer provisions addressing image-based abuse and AI-generated content on top of that core principle.

Overview of Finnish Recording Laws

Finland has a layered legal framework governing the recording of conversations, telephone calls, and video. Multiple statutes work together to define what is permitted and what crosses into criminal conduct.

The primary criminal provisions governing audio recording fall under Chapter 24 of the Criminal Code of Finland (Rikoslaki 39/1889, as amended). This chapter addresses offenses against privacy, peace, and honor. Section 5 of Chapter 24 specifically defines the crime of eavesdropping (salakuuntelu), while Section 6 covers illicit observation (salakatselu).

For electronic communications, the Act on Electronic Communications Services (917/2014), commonly known as the Information Society Code, provides additional protections for the confidentiality of telecommunications transmitted over Finnish networks.

The General Data Protection Regulation (GDPR), as applied in Finland through the national Data Protection Act (Tietosuojalaki 1050/2018), governs the processing of personal data captured in any recording. The Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) serves as the supervisory authority enforcing GDPR compliance.

Finland is also a party to the European Convention on Human Rights. Finnish courts reference Article 8 ECHR (right to respect for private life) when deciding cases involving recordings and privacy.

Recent additions to this framework include the 2023 sexual offences reform (Act 723/2022) that introduced non-consensual dissemination of a sexual image as a distinct criminal offense under Chapter 20, and the EU AI Act (Regulation (EU) 2024/1689), whose deepfake transparency obligations become applicable in Finland from August 2, 2026.

The Constitutional Foundation: Sections 10 and 12

The Constitution of Finland (731/1999) provides the foundational framework for recording rights and privacy protections.

Section 10: The Right to Privacy

Section 10 of the Constitution guarantees that everyone's private life, honor, and sanctity of the home are protected. It states that the secrecy of correspondence, telephony, and other confidential communications is inviolable.

However, Section 10 also allows Parliament to pass laws that limit communication secrecy when necessary for investigating crimes that threaten individual or societal security, during court proceedings, during security checks, and during lawful deprivation of liberty.

This constitutional provision establishes a strong baseline of privacy protection while permitting carefully defined exceptions through legislation.

Section 12: Freedom of Expression

Section 12 guarantees everyone the freedom of expression, which includes the right to express, disseminate, and receive information, opinions, and other communications without prior prevention by anyone.

Finnish legal interpretation holds that Section 12 protects a person's right to record their own conversations. Because the Criminal Code does not criminalize participant recording, and the Constitution affirmatively protects the right to communicate and receive information, recording a conversation you participate in is a constitutionally protected activity in Finland.

Criminal Code Chapter 24: Privacy Offenses

Chapter 24 of the Criminal Code (Rikoslaki) is titled "Offenses Against Privacy, Peace, and Honor" (Yksityisyyden, rauhan ja kunnian loukkaamisesta). This chapter contains the core criminal provisions relevant to recording.

Section 5: Eavesdropping (Salakuuntelu)

Section 5 defines eavesdropping as the use of a technical device to unlawfully listen to or record conversation, speech, or other private sounds. The offense applies only to conversations taking place in locations protected by domestic peace (kotirauha) or in other places where the speaker has a reasonable expectation of privacy.

The critical element is that Section 5 targets non-participants. A person who is part of the conversation and uses a device to record it does not commit eavesdropping. The statute protects against secret surveillance by outsiders, not against a participant's decision to preserve a record of their own communication.

Attempted eavesdropping is also punishable under Finnish law.

Penalty: A fine or imprisonment for up to one year.

Section 6: Illicit Observation (Salakatselu)

Section 6 addresses illicit observation, which is the use of a technical device to watch or photograph a person in a location protected by domestic peace, such as homes, hotel rooms, and tents, or in bathrooms, changing rooms, or other private facilities.

Illicit observation covers situations like placing a hidden camera in someone's apartment, filming through a window into a private residence, or installing surveillance equipment in a restroom.

Attempted illicit observation is also punishable.

Penalty: A fine or imprisonment for up to one year.

Section 7: Preparation for Eavesdropping or Illicit Observation

Section 7 criminalizes placing a device for the purpose of committing eavesdropping or illicit observation. This means that installing a hidden microphone or camera with the intent to secretly record carries its own criminal penalty, even before any actual recording occurs.

Penalty: A fine or imprisonment for up to six months.

Section 8: Dissemination of Information Violating Personal Privacy

Section 8 makes it a crime to disseminate information about another person's private life in a way that causes damage, suffering, or contempt. This provision is directly relevant to recording because sharing a lawfully made recording can become criminal if the content reveals private matters and the disclosure causes harm.

Even if you legally recorded a conversation as a participant, publishing or distributing that recording in a way that violates the other person's privacy may constitute an offense under Section 8.

The public prosecutor generally cannot bring charges under Section 8 unless the injured party files a report. An exception exists when the Prosecutor-General determines that prosecution serves a very important public interest.

Penalty: A fine or imprisonment for up to two years.

Section 8a: Aggravated Dissemination

When the dissemination of private information causes particularly significant suffering or damage, the offense is classified as aggravated under Section 8a.

Penalty: A fine or imprisonment for up to three years.

Criminal Code Chapter 38: Communication Offenses

Chapter 38 of the Criminal Code addresses offenses related to information and communication. These provisions protect the secrecy of electronic communications and are relevant to wiretapping and message interception.

Section 3: Message Interception (Viestintasalaisuuden Loukkaus)

Section 3 prohibits unlawfully opening a sealed message addressed to another person, hacking to obtain the contents of an electronic message protected from outsiders, or obtaining information about the contents of a telephone call or electronic message not directed to oneself.

This provision targets traditional wiretapping and modern forms of electronic interception. Tapping into another person's phone line, intercepting their emails, or using software to monitor their messaging apps all fall under this section.

Penalty: A fine or imprisonment for up to two years.

Section 4: Aggravated Message Interception

Section 4 applies when the intercepted message has especially confidential content or the act constitutes a grave violation of privacy protection. If the interception is aggravated when assessed as a whole, enhanced penalties apply.

Penalty: Imprisonment for up to three years.

GDPR and the Finnish Data Protection Ombudsman

Recording a conversation captures personal data because a person's voice qualifies as personal data under the GDPR. This means that even where a recording is lawful under criminal law (because you are a participant), you must still comply with GDPR requirements when the recording falls outside purely personal or household use.

Legal Basis for Recording Under GDPR

Article 6(1) of the GDPR requires a valid legal basis before processing personal data. For recording conversations, the most common bases are:

Consent (Article 6(1)(a)): The data subject has given clear, informed, and specific consent to the recording. Under GDPR, consent must be freely given, and the person must be able to withdraw it at any time.

Legitimate interest (Article 6(1)(f)): The recording serves a legitimate interest of the controller (such as quality assurance or dispute resolution), provided this interest does not override the fundamental rights and freedoms of the data subject. A documented balancing test is required.

Legal obligation (Article 6(1)(c)): Certain regulated industries (such as financial services) may be legally required to record communications for compliance purposes.

Transparency Obligations

The Finnish Data Protection Ombudsman has made clear that the conversation partner must always be informed about the collection of personal data, including call recording. The controller must inform the conversation partner about the recording at the start of the call.

A simple mention on a website is not sufficient. The information must reach the person being recorded before the recording begins. This is a strict requirement from the Finnish DPA that goes beyond what many organizations assume.

Secret recordings made without any notice do not comply with GDPR, even when they are technically legal under criminal law. Criminal law allows participant recording without notice, but data protection law requires transparency about data processing.

Data Subject Rights

According to the GDPR, the controller must deliver a copy of a recorded phone call if requested by the data subject under Article 15. The data subject in this context is any individual whose speech the organization recorded.

The Finnish DPA has specifically ruled that organizations must provide actual recordings, not written summaries. In September 2023, the Sanctions Board imposed a fine of EUR 23,000 on Suomen Yritysrekisteri for systematically providing written summaries of sales calls instead of actual recordings in response to Article 15 access requests. The Sanctions Board found the violations intentional and extensive, noting that "a summary delivered by the company cannot be considered to constitute a copy corresponding to the contents of the original call as required by the General Data Protection Regulation."

The Finnish DPA has also emphasized that data subjects have the right to request deletion of their recorded data under Article 17 (the right to erasure), provided no overriding legal basis requires its retention.

Finnish DPA Enforcement

The Tietosuojavaltuutettu has maintained active enforcement. As of the end of 2024, the Sanctions Board has imposed a cumulative total of 21 administrative fines totaling EUR 3,503,400. In 2024 alone, the office issued 3 administrative fines, 18 reprimands, 9 compliance orders, and 42 breach-notification orders.

A relevant early enforcement action involved Taksi Helsinki Oy (EUR 72,000 fine, 2020), where the Sanctions Board found that taxi audio recording violated GDPR's data minimisation principle and that the company lacked adequate transparency about surveillance practices in its vehicles.

GDPR administrative fines can reach up to 20 million EUR or 4% of annual global turnover for the most serious violations. Organizations recording calls in Finland must take compliance seriously.

Phone Calls: Recording Rights and Obligations

Finnish law applies the same fundamental one-party consent principle to phone calls. This section addresses practical obligations for individuals and businesses.

Individual Rights

The Finnish Data Protection Ombudsman has explicitly stated that citizens have the right to record telephone calls in which they are the caller or receiver. Finland's Constitution protects the right to record your own communications, and recording phone calls has not been criminalized in the Criminal Code.

Recording video calls and VoIP calls follows the same principle: if you are a participating party, the one-party consent rule applies.

Business Call Recording

For businesses recording customer calls, the GDPR requires an upfront disclosure before recording begins. The common practice of playing a message such as "This call may be recorded for quality and training purposes" serves both GDPR transparency obligations and establishes a basis for lawful processing. However, the DPA has made clear that businesses must also be prepared to:

• Provide actual recordings (not summaries) in response to data subject access requests
• Delete recordings upon valid erasure requests where no legal retention obligation applies
• Limit retention to what is necessary for the stated purpose

In-Person Recording

Recording a face-to-face conversation follows the same one-party consent principle. If you are present and participating, you may record. The key factor is actual participation. You cannot place a hidden recording device in a room and leave, because you would become a non-participant for the portions of conversation occurring in your absence.

The eavesdropping provision under Chapter 24, Section 5 applies specifically to locations protected by domestic peace (kotirauha) and places where speakers have a reasonable expectation of privacy. A private living room, a hotel room, or a closed office where a confidential meeting takes place are all locations where eavesdropping laws protect against non-participant recording.

Recording Police and Public Officials

Citizens in Finland have the right to record and film police officers and other public officials while they carry out their duties in public spaces. This right flows from Section 12 of the Finnish Constitution, which guarantees freedom of expression and the right to receive and disseminate information.

There is no Finnish statute that specifically prohibits recording police in public. The same rules that govern public filming generally apply: you may record what is visible from public property, provided you do not interfere with police operations or enter a restricted area.

Body-Worn Cameras

The Finnish Police introduced body-worn cameras for all officers nationwide in spring 2021. The National Police Board published instructions governing their use. Devices are used visibly, and video recording is made known to the person being filmed as far as possible. Recorded information that is appropriate and necessary for police assignments is retained; other footage is not saved in police registers.

Under the GDPR and the Act on the Openness of Government Activities, individuals may submit access requests for police footage in which they personally appear. However, the Finnish Police's data processing guidance notes that individuals do not have a general right to access police usage logs, as log data does not personally concern the requesting individual.

Limits on Filming

While recording police in public is lawful, the following conduct remains prohibited regardless of whether police are present:

• Recording in locations protected by domestic peace (kotirauha) without permission from the occupant
• Publishing footage in a way that violates a person's privacy under Chapter 24, Section 8 (including footage of persons who are not public figures)
• Using recordings to harass, intimidate, or defame

Workplace Recording and Surveillance in Finland

Workplace recording in Finland is governed by the Act on the Protection of Privacy in Working Life (Laki yksityisyyden suojasta tyoelamassa 759/2004). This is one of the most detailed workplace privacy statutes in Europe.

Camera Surveillance Rules

Employers may operate camera surveillance at workplaces only for three specific purposes: ensuring the personal security of employees and other persons on the premises, protecting property, and supervising the proper operation of production processes.

Critical restrictions apply. Camera surveillance may not be used for monitoring a particular employee or particular employees. Employers cannot single out workers for camera-based performance monitoring. Cameras are also prohibited in lavatories, changing rooms, staff facilities, and workrooms designated for the personal use of employees.

Transparency Requirements

Before implementing camera surveillance, employers must discuss the matter with employees or their representatives in a cooperation procedure (yhteistoimintamenettely). The employer must provide clear information about the purposes, locations, and methods of surveillance.

Camera surveillance must be as transparent as possible and necessary to achieve its stated purpose. Signs or notices must inform employees and visitors about the presence of cameras.

Use of Surveillance Recordings

Surveillance recordings can be used only for the purpose for which the surveillance was carried out. However, there are limited exceptions. Recordings may be used to substantiate the grounds for termination of an employment relationship or to identify and prove harassment, abuse, or inappropriate behavior at the workplace.

Audio Recording at Work

Audio recording in the Finnish workplace follows the general one-party consent rules. An employee participating in a meeting or conversation with a colleague or manager may record it without notification under criminal law.

However, GDPR obligations apply in a professional context. Recording rarely falls under the "personal or domestic use" exemption. The Taksi Helsinki enforcement action (EUR 72,000, 2020) demonstrates that audio recording of employees or customers without adequate legal basis and transparency can draw significant fines even for relatively limited surveillance systems.

Employer Monitoring Limitations

The Act on the Protection of Privacy in Working Life limits employer access to employee personal data. Employers may process only personal data directly necessary for the employment relationship. No exceptions can be made to this necessity requirement, even with the employee's consent.

The occupational safety and health authorities supervise compliance with this Act, together with the Data Protection Ombudsman.

Recording in Public Places

Finland allows photography and filming in public spaces, but this right is balanced against privacy protections.

General Right to Photograph

You have the right to film and photograph in public places in Finland, including streets, roads, marketplaces, public squares, shopping centers, train stations, and areas outside airports. Finland does not require a filming permit for public locations in most situations.

The Finnish freedom of expression guarantee under Section 12 of the Constitution supports the right to record in public. As long as your recording activity does not significantly disrupt traffic or business operations, it is permitted.

Privacy Restrictions

Recording becomes problematic in private spaces. Finnish law protects domestic peace (kotirauha), which covers homes, holiday homes, common areas inside residential buildings, hotel rooms, tents, houseboats, private yards, and similar spaces. Recording inside these locations without permission from the occupant may violate Chapter 24 of the Criminal Code.

A photograph or recording of a person must not be published in a manner that infringes on the person's honor or privacy. Using a person's image for advertising purposes without consent is also prohibited.

Photographing Minors

Finnish law treats photographing minors with particular care. Taking photographs of children without permission from their legal guardians can raise legal issues even in public spaces where photography is generally permitted.

Public Figures

Public figures, including politicians and celebrities, may be photographed in public settings for non-commercial news and informational purposes without prior consent. However, commercial use of anyone's likeness requires permission.

Law Enforcement Recording and Wiretapping

Finnish law enforcement authorities have specific powers to conduct telecommunications interception and surveillance under the Coercive Measures Act (Pakkokeinolaki 806/2011).

Telecommunications Interception

Police may intercept telephone calls and electronic communications when investigating certain serious crimes. Telecommunications interception requires a court order and may be authorized only when it can be assumed to be of particularly important significance in clarifying the offense. This represents a heightened threshold beyond the general requirements for coercive measures.

Constitutional Safeguards

The confidentiality of communications guaranteed by Section 10 of the Constitution means that law enforcement wiretapping is permitted only within strict boundaries established by statute. Unauthorized surveillance by public officials can result in criminal liability.

The Information Society Code

The Act on Electronic Communications Services (917/2014) extends the obligation to protect the confidentiality of communications from traditional telecommunications companies to all intermediaries of electronic communications services. This covers phone calls, emails, SMS, MMS, voice messages, instant messages, and online messages.

Communications providers may process messages and traffic data only to the extent necessary for transmitting communications, implementing the agreed service, and ensuring information security as provided by law. The National Cyber Security Centre Finland (NCSC-FI) supervises compliance.

Voyeurism and Non-Consensual Intimate Images (NCII)

Finland strengthened its legal framework for image-based abuse through a comprehensive reform of sexual offences legislation that took effect on January 1, 2023 (Act 723/2022).

Non-Consensual Dissemination of a Sexual Image

Criminal Code Chapter 20 now expressly criminalizes non-consensual dissemination of a sexual image. The statute covers any image, video, or other visual recording that is shown or disseminated in a way that significantly violates another person's right to sexual self-determination.

Three aspects of this offense are particularly important:

First, the act is criminal regardless of whether the image was originally taken with the consent of the person depicted. A person who consented to a private photograph being taken does not thereby consent to that image being shared with third parties.

Second, the threshold for the offense is low: showing even a single image or distributing a single image file to one other person may be sufficient to constitute the offense.

Third, the law covers all visual media: still images, video recordings, and any other visual format.

Penalty: A fine or imprisonment for up to two years.

Finland has co-signed international statements on preventing and responding to NCII abuse alongside Australia, Canada, France, Iceland, Sweden, and several other governments, reflecting the seriousness with which Finnish policymakers treat this issue.

Distribution of Child Sexual Abuse Images

Criminal Code Chapter 17, Section 18 addresses distribution of pictures depicting child sexual abuse. Section 18a addresses the aggravated form, which applies when: the child is particularly young; the picture depicts severe violence or humiliating treatment; the offense is committed methodically; or when carried out within organized criminal groups. Aggravated distribution carries significantly enhanced penalties.

Illicit Observation Overlap

Where recording is used specifically to capture intimate content without consent, Chapter 24, Section 6 (illicit observation/salakatselu) may apply in addition to Chapter 20. A person who places a hidden camera in a changing room, hotel room, or similar private space and captures sexual images faces potential prosecution under both provisions.

Deepfake Content and the EU AI Act

Finland sits within two overlapping EU regulatory frameworks that directly address AI-generated video and audio content: the EU AI Act and the EU Digital Services Act.

EU AI Act Article 50: Deepfake Disclosure (From August 2, 2026)

Article 50 of the EU AI Act (Regulation (EU) 2024/1689) imposes a transparency obligation on deployers of AI systems that generate or manipulate image, audio, or video content constituting a deepfake: they must disclose that the content has been artificially generated or manipulated.

This obligation applies from August 2, 2026. It covers AI-generated audio recordings, synthetic video content, voice cloning, and face-swap technology. The disclosure requirement is limited when the content forms part of an "evidently artistic, creative, satirical, fictional or analogous work," though even then a disclosure about the existence of generated content is required.

The European Commission published the first draft Code of Practice on Transparency of AI-Generated Content in December 2025 to provide practical guidance on how to comply with Article 50.

Finland's National AI Supervision Framework

Finland's national implementing legislation, the Act on the Supervision of Certain AI Systems (Laki eraiden tekoalyjärjestelmien valvonnasta, 1377/2025), entered into force on January 1, 2026. The act establishes the supervisory structure for Finland's implementation of the EU AI Act:

• The Finnish Transport and Communications Agency (Traficom) serves as the national single point of contact for EU AI Act coordination
• Supervision is distributed across 15 sectoral authorities with pre-existing domain competence
• A new Sanctions Board handles administrative fines exceeding EUR 100,000
• The Data Protection Ombudsman retains competence for AI systems that process personal data

The earlier GPAI model obligations under the EU AI Act became applicable on August 2, 2025, before Finland completed its full national implementation.

Digital Services Act (DSA)

The EU Digital Services Act (Regulation (EU) 2022/2065) became applicable to all platforms throughout the EU from February 17, 2024. In Finland, Traficom serves as the Digital Services Coordinator. The DSA imposes obligations on online platforms to:

• Provide transparent content moderation policies
• Give users reasons for content removal and a right to appeal
• Remove flagged illegal content, including NCII and non-consensual recordings

In 2024, Finnish authorities received 78 DSA complaints. The majority concerned Facebook, Instagram, and TikTok, typically involving account suspensions or unexplained content removal. The DSA's obligation to remove illegal content also applies to non-consensual recordings and NCII material distributed through covered platforms.

Criminal Penalties for Illegal Recording in Finland

Finland imposes criminal penalties for unauthorized recording and surveillance. The severity depends on the nature of the offense.

Offense	Statute	Penalty
Eavesdropping (salakuuntelu)	Ch. 24, Sec. 5	Fine or up to 1 year imprisonment
Illicit observation (salakatselu)	Ch. 24, Sec. 6	Fine or up to 1 year imprisonment
Preparation for eavesdropping/observation	Ch. 24, Sec. 7	Fine or up to 6 months imprisonment
Dissemination of private information	Ch. 24, Sec. 8	Fine or up to 2 years imprisonment
Aggravated dissemination	Ch. 24, Sec. 8a	Fine or up to 3 years imprisonment
Message interception	Ch. 38, Sec. 3	Fine or up to 2 years imprisonment
Aggravated message interception	Ch. 38, Sec. 4	Up to 3 years imprisonment
Non-consensual dissemination of sexual image	Ch. 20 (Act 723/2022)	Fine or up to 2 years imprisonment
Distribution of child sexual abuse images	Ch. 17, Sec. 18	As prescribed by statute
GDPR administrative fine	GDPR Art. 83	Up to 20 million EUR or 4% of global turnover

Prosecution Requirements

For eavesdropping, illicit observation, and dissemination of private information, the public prosecutor generally cannot bring charges unless the injured party files a report requesting prosecution. This means these offenses are complaint-based (asianomistajarikos) in most cases.

An exception exists when the Prosecutor-General determines that prosecution serves a very important public interest.

Practical Sentencing

In practice, Finnish courts typically impose fines or suspended (conditional) sentences for first-time eavesdropping or illicit observation offenses. Actual prison time is uncommon for these offenses unless the perpetrator has a prior criminal record or the circumstances are particularly egregious.

Business Compliance: Call Recording in Finland

Businesses operating in Finland that record customer or employee calls must navigate both criminal law and GDPR. Here is a practical compliance framework based on guidance from the Finnish Data Protection Ombudsman.

Step 1: Identify a Legal Basis

Choose the GDPR legal basis for your call recording. For customer service calls, legitimate interest (Article 6(1)(f)) is commonly used for quality assurance and training. For financial services, legal obligation (Article 6(1)(c)) may apply if regulations require transaction recording.

Step 2: Provide Clear Notice at the Start of the Call

The Finnish DPA has specifically ruled that customers must be told before recording begins. A simple mention on the company website is not enough. The notification must reach the person being recorded before the recording starts.

Play an audio announcement informing the caller that the call is being recorded, why it is being recorded, the legal basis for the recording, how to opt out if applicable, and where to find the full privacy notice.

Step 3: Document Your Processing

Maintain a Record of Processing Activities (ROPA) under GDPR Article 30 that includes call recording. Conduct a Data Protection Impact Assessment (DPIA) under Article 35 if the recording is systematic and large-scale.

Step 4: Honor Data Subject Rights

The Finnish DPA has confirmed that recorded callers have the right to request copies of their recordings under Article 15 GDPR. The Suomen Yritysrekisteri enforcement action (EUR 23,000, September 2023) demonstrates that providing written summaries instead of actual recordings is a GDPR violation. Businesses must be prepared to locate, extract, and provide actual recordings within the one-month deadline.

Step 5: Set Retention Limits

Store recordings only as long as necessary for the stated purpose. Establish and enforce automatic deletion schedules. Indefinite retention of call recordings violates the GDPR principle of storage limitation (Article 5(1)(e)).

Cross-Border Recording Issues

When a recording involves parties in different countries, questions arise about which country's law applies and whether a recording lawful in one jurisdiction exposes the recorder to liability in another.

GDPR Extraterritoriality

The GDPR applies extraterritorially under Article 3. A non-EU business that records calls with individuals located in Finland must comply with GDPR transparency and legal-basis requirements, regardless of where the business is headquartered. The Tietosuojavaltuutettu can investigate and impose fines on non-EU controllers whose processing affects Finnish residents.

Cross-Border Calls Within the EU

For calls between parties in different EU member states, both national recording consent regimes technically apply to the conduct, but GDPR imposes consistent transparency obligations across the entire EU. All EU member states are one-party consent countries for criminal-law purposes under their national criminal codes (though terminology differs). This means a participant-recorded call between a Finnish caller and a German recipient does not implicate German wiretapping law, which also follows one-party consent for participant recordings.

Calls Involving Non-EU Countries

When a call involves a party in a non-EU country with stricter consent requirements, the analysis becomes more complex. A call between a Finnish participant and a US state with an all-party consent requirement (such as California) is governed by Finnish law for the Finnish participant's conduct. However, multinational businesses typically adopt the strictest applicable standard as their corporate policy to avoid cross-border liability exposure.

EU-Internal vs. Non-EU Calls

The EU's GDPR Regulation defines a consistent framework for personal data processing throughout the EEA. For audio recordings processed within the EEA, the lead supervisory authority (determined by the controller's main establishment) has jurisdiction over cross-border enforcement. The Tietosuojavaltuutettu participates in EDPB enforcement cooperation for cross-border cases involving Finnish residents.

Key Differences from Neighboring Countries

Understanding how Finland compares to its Nordic neighbors helps travelers and cross-border businesses stay compliant.

Sweden follows a one-party consent model similar to Finland. A participant may record their own conversation without informing others.

Norway also follows one-party consent. Norwegian law permits a participant to record conversations they take part in.

Denmark permits one-party consent recording. A participant in a conversation can record it without the other party's knowledge.

Estonia generally follows one-party consent, but with stricter GDPR enforcement on how recordings are stored and shared.

Russia has complex recording laws that vary by context. Cross-border communications involving Russia require careful legal analysis.

For anyone traveling between Finland and its Nordic neighbors, the recording laws are generally consistent. All Nordic EU member states are also subject to the same EU AI Act Article 50 deepfake disclosure obligations from August 2, 2026. GDPR enforcement intensity varies by national DPA, and businesses operating across borders should follow the strictest applicable standard.