Finland Data Privacy Laws: GDPR, Finnish Data Protection Act & Enforcement (2026)

Finland enforces data privacy through the EU GDPR, the Data Protection Act (Tietosuojalaki 1050/2018), and the Act on the Protection of Privacy in Working Life (759/2004). The Office of the Data Protection Ombudsman supervises compliance and its Sanctions Board may impose fines up to EUR 20 million or 4 % of worldwide annual turnover.
Finland implements the EU General Data Protection Regulation (GDPR) through a layered national framework anchored in the Data Protection Act (Tietosuojalaki 1050/2018) and supplemented by the Act on the Protection of Privacy in Working Life (759/2004). The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) supervises compliance, and a collegial Sanctions Board composed of the Ombudsman and two deputies imposes administrative fines. This guide covers every layer of Finland's data protection regime, including the 2024-2025 enforcement actions that produced Finland's largest fines to date and the EU AI Act supervision framework that entered into force on 1 January 2026.
Information last verified on 2026-05-19. This article has not been reviewed by a licensed lawyer. Consult a qualified attorney licensed in Finland for advice on your specific situation.
Jurisdiction scope: This article covers data protection law in Finland, including the EU GDPR as directly applicable EU law, the Finnish Data Protection Act 1050/2018, the Act on the Protection of Privacy in Working Life 759/2004, and Act 1377/2025 on the supervision of certain AI systems. It does not address data protection law in other EU member states. For the broader EU framework, see our EU data privacy laws guide.
Quick Answer: Finland's Data Protection Framework at a Glance
Finland's data protection law operates on three levels. First, the GDPR applies directly as binding EU law. Second, the Data Protection Act 1050/2018 fills the gaps the GDPR leaves to member state discretion, addressing personal identity codes, the supervisory authority's structure, criminal penalties, and a digital consent age of 13. Third, the Act on the Protection of Privacy in Working Life 759/2004 governs the employment relationship exclusively, applying a necessity standard stricter than the GDPR's general rules. The Office of the Data Protection Ombudsman enforces all three layers. Fines for serious violations can reach EUR 20 million or 4 % of worldwide annual turnover. Since 2019, Finnish supervisory authorities have issued fines against organizations including the national postal service, a major e-commerce retailer, and a psychotherapy centre, with Finnish courts actively reviewing and in some cases reversing those decisions on appeal.
Constitutional Basis for Data Protection
Finland gives data protection constitutional weight. Section 10 of the Finnish Constitution (Suomen perustuslaki 731/1999) protects everyone's private life, honour, and the sanctity of the home. Section 10 also expressly states that the protection of personal data is regulated by an Act of Parliament, a constitutional delegation that grounds the Data Protection Act 1050/2018 and the workplace privacy law.
Section 12 of the Constitution guarantees freedom of expression and access to information, and Finnish courts balance these rights against data protection in cases involving journalism, research, and public-interest processing. The constitutional status of both rights means that neither automatically overrides the other; proportionality analysis is required.
Importantly, the Finnish Constitution treats communications transmitted over electronic networks as having the same confidential status as sealed correspondence. This constitutional protection forms the foundation for Finland's strict rules on employer access to employee email, discussed in detail below.
GDPR and the Finnish Data Protection Act 1050/2018
The GDPR entered into force across all EU member states on 25 May 2018 and applies directly in Finland without requiring domestic transposition. The Data Protection Act 1050/2018 entered into force on 1 January 2019, replacing the earlier Personal Data Act (523/1999).
The Data Protection Act supplements the GDPR in areas where the regulation expressly permits member-state specification. The Act's key national provisions cover:
- Personal identity codes (henkilötunnus). Section 29 of the Data Protection Act restricts the use of Finland's personal identity codes, which function as universal identifiers across public and private sector systems. Controllers may process a personal identity code only when the data subject has given consent, when processing is provided for by law, or when unambiguous identification of the data subject is important for a purpose connected to the employment relationship, healthcare, social welfare, credit operations, or insurance. The controller must ensure that a personal identity code is not unnecessarily included in printed documents or data-file outputs.
- Digital consent age. Section 9 of the Data Protection Act sets 13 years as the minimum age at which a child may independently consent to information society services. For children under 13, parental or guardian consent is required.
- Scientific research, statistics, and archiving. Sections 31-33 permit the processing of personal data for scientific or historical research, statistical purposes, and archiving in the public interest, subject to appropriate safeguards.
- Journalistic and expressive purposes. Sections 27-30 permit derogations from various GDPR rights where processing is undertaken for journalistic, artistic, literary, or academic expression and the derogation is necessary to reconcile data protection with freedom of expression.
- Criminal penalties. Section 24 creates a data protection offense (tietosuojarikos) punishable by a fine or imprisonment of up to one year for intentional or grossly negligent breaches of the GDPR or the Data Protection Act.
Supplementary Sector Legislation
Finland also maintains sector-specific data protection provisions. The Act on Electronic Communications Services (917/2014) implements the ePrivacy framework, including rules on cookies, direct marketing, and the confidentiality of electronic communications. The Act on the Protection of Privacy in Working Life (759/2004) governs employment data. Healthcare and social welfare legislation contains additional rules on sensitive health data.
The Office of the Data Protection Ombudsman

The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) is Finland's independent GDPR supervisory authority, established under Article 51 of the GDPR and structured in detail by Chapter 4 of the Data Protection Act 1050/2018. The office is headed by the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, all appointed by the Finnish government for five-year terms. Each of the three officials holds independent decision-making authority, meaning any one of them may issue binding orders on data protection matters without requiring the agreement of the others.
The Sanctions Board
The three officials collectively form the Sanctions Board (seuraamuskollegio), which is the body responsible for imposing administrative fines under Article 83 of the GDPR. Under Section 24 of the Data Protection Act, the Sanctions Board decides fine cases collegially, providing an additional deliberation layer before significant penalties attach. This structure distinguishes Finland from most EU member states, where fine authority rests with a single official.
Powers
The Office holds the full range of GDPR supervisory powers under Article 58. These include: conducting investigations and on-site inspections; issuing warnings, reprimands, and binding orders requiring controllers or processors to bring processing into compliance; imposing temporary or permanent prohibitions on processing; ordering rectification, erasure, or restriction of personal data; and referring fine cases to the Sanctions Board.
Legal Bases for Processing Personal Data
Finnish controllers must ground every processing activity in one of the six legal bases listed in Article 6(1) of the GDPR. The bases available in practice for Finnish organizations are:
| Legal Basis | Article 6(1) | Typical Finnish Application |
|---|---|---|
| Consent | (a) | Marketing, cookies, non-essential analytics |
| Contract performance | (b) | Customer account management, employment contract administration |
| Legal obligation | (c) | Tax records, anti-money-laundering, occupational safety reporting |
| Vital interests | (d) | Emergency medical situations |
| Public task | (e) | Public authorities and entities exercising official authority |
| Legitimate interests | (f) | Fraud prevention, network security, internal administrative processing |
For special category data under Article 9 (health, biometric, genetic, trade union membership, and similar), a further condition from Article 9(2) must be met. Finnish employers frequently rely on Article 9(2)(b) (employment and social protection law obligations) when handling health-related employee data under the Act on the Protection of Privacy in Working Life.
Consent in the Employment Context
Finnish data protection practice treats consent with particular care in employment. The Data Protection Ombudsman and the Act on the Protection of Privacy in Working Life both recognize that the power imbalance between employer and employee makes genuinely voluntary consent difficult to establish. Consent is not a valid legal basis for employer processing of employee personal data unless the processing falls entirely outside the necessity framework of the workplace privacy law.
Data Subject Rights
Finnish data subjects hold all eight rights established by Chapter III of the GDPR. Controllers must respond to requests within one month, with a possible two-month extension for complex or numerous requests. The Data Protection Ombudsman has taken enforcement action against controllers that required data subjects to produce a personal identity code or other disproportionate identification to exercise access rights (Article 15), denied erasure requests without a legitimate ground under Article 17(3), or failed to provide information in clear and plain language as required by Articles 13 and 14.
Right of access (Article 15). The controller must provide a copy of all personal data being processed and supplementary information including the purposes of processing, the categories of data, the recipients or categories of recipients, and the envisaged retention periods.
Right to erasure (Article 17). Data subjects may request deletion when the data is no longer necessary for its original purpose, consent has been withdrawn, or the processing was unlawful. Exceptions apply for freedom of expression, legal obligations, and the establishment, exercise, or defence of legal claims.
Right to data portability (Article 20). Where processing is based on consent or contract and carried out by automated means, data subjects may receive their data in a structured, commonly used, machine-readable format and request its direct transmission to another controller.
Right to object (Article 21). Data subjects may object to processing based on legitimate interests or public task at any time on grounds relating to their particular situation. The controller must stop processing unless it demonstrates compelling legitimate grounds that override the data subject's interests.
Employee Privacy: The Strictest Rules in Europe
Finland's Act on the Protection of Privacy in Working Life (Laki yksityisyyden suojasta työelämässä, 759/2004) is widely regarded as the most restrictive statutory employee data protection regime in the European Union. It applies exclusively to the relationship between employers and employees and imposes obligations that go beyond what the GDPR requires.
The Necessity Requirement
The cornerstone of the Act is Section 3, which states that an employer may only process personal data that is directly necessary for the employment relationship and connected to managing the rights and obligations of the parties or to benefits provided by the employer. No exception applies even where the employee gives explicit consent. Finnish courts and the Data Protection Ombudsman have confirmed this consistently: the inherent power imbalance in employment means that employee consent cannot render non-necessary data processing lawful.
Email and Communications Monitoring
All communications transmitted to and from an employee's work email address carry constitutional confidentiality under Section 10 of the Finnish Constitution. Unauthorized access by an employer to an employee's email constitutes a criminal offense punishable by up to one year's imprisonment under the Act on the Protection of Privacy in Working Life read together with Chapter 38 of the Finnish Criminal Code.
Sections 18-23 of the Act on the Protection of Privacy in Working Life establish narrowly defined conditions under which an employer may access or redirect an employee's work email. The prerequisites include: the employee is unexpectedly absent; the employer has reasonable grounds to believe that business-critical messages have been received; the email address is used exclusively for work purposes; and the employer has first attempted to contact the employee or the employee's designee. Even when these conditions are met, a designated person (not the employee's immediate supervisor) must conduct the access under procedural safeguards, and the employee must be informed as soon as possible.
Camera Surveillance
Section 16 of the Act on the Protection of Privacy in Working Life permits camera surveillance in workplaces for limited purposes: ensuring employee safety, protecting property, monitoring production processes, or preventing and investigating safety-threatening situations. Cameras may not be directed at a specific employee as the primary purpose. Surveillance of break rooms, changing rooms, washrooms, or other private spaces is prohibited. Employees and their representatives must be informed before any surveillance system is installed.
Drug Testing and Health Data
Sections 6-9 address drug testing. Employers may require a drug test only where the position involves tasks requiring special precision, reliability, or independent judgment, and only where safety, national security, the protection of trade secrets, or similar serious interests are at stake. Health data may be processed only by designated persons within the employer organization, and the list of authorized persons must be documented.
Background Checks
Section 5a permits credit checks on job applicants or current employees only for positions involving significant financial responsibility where the nature of the role genuinely warrants them. General precautionary screening is not a sufficient justification.
Data Protection Officer Requirements
Article 37 of the GDPR requires designation of a Data Protection Officer (DPO) for: (a) public authorities and bodies; (b) controllers or processors whose core activities involve large-scale, regular, and systematic monitoring of individuals; and (c) controllers or processors whose core activities involve large-scale processing of special category data.
In Finland, all public authorities are required to designate a DPO. The Data Protection Ombudsman has confirmed that "public authorities" includes municipalities, joint municipal authorities, state agencies, and entities exercising statutory public power.
Private sector organizations in Finland that must designate a DPO include healthcare providers, insurers, and social welfare service providers (large-scale special category data); advertising technology companies and operators of loyalty or targeting programs (large-scale systematic monitoring); and telecommunications companies and internet service providers. The DPO must be registered with the Data Protection Ombudsman's office through the authority's notification service.
Breach Notification
Finland applies the GDPR's two-tier breach notification framework without national modification. Under Article 33, a controller that becomes aware of a personal data breach likely to result in a risk to individuals' rights and freedoms must notify the Data Protection Ombudsman within 72 hours. Where a breach poses a high risk to the rights and freedoms of affected individuals, Article 34 requires the controller to notify those individuals directly, without undue delay, using clear and plain language describing the nature of the breach, likely consequences, and measures taken or proposed.
International Data Transfers

Finland follows the GDPR's Chapter V framework for transfers of personal data outside the EEA. The available transfer mechanisms include:
- Adequacy decisions. Commission adequacy decisions cover countries including Japan, South Korea, New Zealand, Israel, and the United Kingdom.
- EU-US Data Privacy Framework (DPF). The Commission adopted the DPF adequacy decision in July 2023, permitting transfers to certified US organizations. Finnish organizations relying on the DPF should verify certification status before each transfer, as certification must be renewed annually.
- Standard Contractual Clauses (SCCs). The 2021 SCCs remain the most widely used transfer mechanism for non-adequacy countries and require a transfer impact assessment documenting destination-country laws and any supplementary measures.
- Binding Corporate Rules (BCRs). Multinational groups may seek BCR approval from the Data Protection Ombudsman (where Finland is the lead authority) or from the competent lead supervisory authority under the one-stop-shop mechanism.
- Article 49 derogations. Explicit consent, contract necessity, vital interests, important public interest, and legal-claims derogations are available but narrowly construed. The Data Protection Ombudsman aligns with EDPB guidance treating them as exceptional rather than routine.
Fines and Penalties
Administrative Fines
The Sanctions Board may impose administrative fines under Article 83 of the GDPR. The two-tier structure applies:
- Lower tier (Article 83(4)). Fines up to EUR 10 million or 2 % of total worldwide annual turnover for violations of controller and processor obligations, supervisory authority obligations, and certification body obligations.
- Upper tier (Article 83(5)). Fines up to EUR 20 million or 4 % of total worldwide annual turnover for violations of basic processing principles (Articles 5-7, 9), data subject rights (Articles 12-22), third-country transfers (Articles 44-49), and non-compliance with supervisory authority orders.
Turnover figures are calculated at the level of the undertaking as a whole, not limited to the Finnish entity's revenue.
Criminal Penalties
Section 24 of the Data Protection Act 1050/2018 creates a data protection offense (tietosuojarikos) punishable by a fine or up to one year's imprisonment for intentional or grossly negligent violations of the GDPR or the Data Protection Act. The Act on the Protection of Privacy in Working Life separately makes unauthorized access to employee email a criminal offense under Chapter 38 of the Finnish Criminal Code, also punishable by fines or up to one year's imprisonment.
The Helsinki Court of Appeal's December 2025 ruling in the Vastaamo CEO case clarified that criminal liability requires proof of gross negligence, not merely the occurrence of a security failure.
Notable Enforcement Actions
Vastaamo psychotherapy centre (December 2021, fine EUR 608,000). The Sanctions Board imposed a EUR 608,000 fine on Vastaamo after a data breach exposed confidential therapy notes of approximately 36,000 patients. The violations included failure to maintain adequate security (Article 32), failure to notify the supervisory authority within 72 hours (Article 33), and deficiencies in accountability documentation (Article 5(2)). In April 2023 the Helsinki District Court convicted former CEO Ville Tapio of a data protection offense, imposing a three-month suspended sentence. In December 2025, the Helsinki Court of Appeal unanimously acquitted Tapio, finding that the prosecution had not proved the gross negligence required for criminal liability.
Verkkokauppa.com (March 2024, fine EUR 856,000). The Sanctions Board imposed a EUR 856,000 fine on Verkkokauppa.com Plc for failure to define retention periods for customer account data (customer data stored indefinitely in breach of Article 5(1)(e)) and for requiring mandatory customer account registration as a condition of online purchase (found to lack a lawful basis under Articles 5 and 6). The fine was calculated primarily by reference to the company's EUR 540 million turnover for 2022. Verkkokauppa.com announced it would appeal.
Posti Group OmaPosti service (November 2024, fine EUR 2.4 million, reversed November 2025). The Sanctions Board imposed a EUR 2.4 million fine on Posti Jakelu Oy for automatically creating an OmaPosti electronic mailbox for users without giving them the ability to decline that specific service component. The service had over 2 million registered users. In November 2025, the Helsinki Administrative Court reversed the fine, ruling that Posti was entitled under principles of freedom of enterprise and freedom of contract to bundle its digital services and had a lawful basis under Article 6(1)(b) for the mailbox processing. The court upheld a reprimand for insufficient transparency in customer information.
EU AI Act National Implementation: Act 1377/2025
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and applies in phased stages. Finland enacted national supervisory legislation through Act 1377/2025 on the supervision of certain AI systems (laki eräiden tekoälyjärjestelmien valvonnasta), which entered into force on 1 January 2026.
Decentralized Supervision
Finland chose a decentralized supervision architecture. Rather than designating a single national AI authority, Act 1377/2025 allocates supervisory responsibility to the authorities already competent in each sector. Authorities responsible for road traffic, financial services, medical devices, product safety, digital infrastructure, and personal data protection each supervise AI systems within their domain.
Traficom as Single Contact Point
The Finnish Transport and Communications Agency (Traficom) serves as the national market surveillance authority for general-purpose AI models under Article 88 of the EU AI Act and as the single national contact point facilitating information exchange between domestic supervisory authorities and the European AI Office. Traficom also represents Finland on the European AI Board. A new Sanctions Board operating in connection with Traficom handles AI Act administrative fines exceeding EUR 300,000.
The Data Protection Ombudsman's AI Role
The Office of the Data Protection Ombudsman is designated as a supervisory authority for AI systems that process personal data. Where a deployer of a high-risk AI system must conduct a fundamental-rights impact assessment under Article 27 of the EU AI Act and that assessment identifies personal data processing, the output must be reconciled with the GDPR's data protection impact assessment (Article 35). Finnish guidance indicates that organizations should conduct these assessments jointly rather than as separate documents.
Recent Developments (2024-2026)
Cybersecurity Act 124/2025 (April 2025). The Act implementing the NIS2 Directive entered into force, creating mandatory cybersecurity obligations and incident reporting requirements for operators of essential and important services. The Data Protection Ombudsman coordinates with the National Cyber Security Centre on incidents involving personal data breaches.
EU Data Act applicable from September 2025. The EU Data Act (Regulation 2023/2854) became applicable on 12 September 2025. It covers data-sharing obligations for connected products and related services. National legislation dividing supervisory responsibilities between Traficom and other authorities, including the Data Protection Ombudsman for provisions intersecting personal data, was submitted to the Finnish Parliament on 25 September 2025.
Helsinki Administrative Court reverses EUR 2.4m Posti fine (November 2025). The court found that service bundling did not breach the GDPR's lawful-basis requirement, providing the first Finnish judicial guidance on freedom of enterprise as context for Article 6(1)(b) analysis.
Helsinki Court of Appeal acquits Vastaamo CEO (December 2025). The acquittal clarifies that criminal data protection liability requires proof of gross negligence, not merely inadequate security measures, raising the threshold for personal criminal exposure.
Act 1377/2025 on AI supervision in force (1 January 2026). Traficom designated as single contact point; the Data Protection Ombudsman and other sectoral authorities assume AI Act supervisory responsibilities in their domains.
Practical Compliance for Businesses Operating in Finland
Organizations operating in Finland face a compliance environment that is materially stricter than the GDPR baseline in several areas.
Employee monitoring audit. Review all employee monitoring systems against the Act on the Protection of Privacy in Working Life, not only the GDPR. Email access policies, location tracking systems, camera surveillance, and background check procedures must satisfy the necessity requirement under Section 3 of Act 759/2004. Practices lawful in other EU states may not be permissible in Finland.
Retention schedules. The Verkkokauppa.com fine illustrates the Sanctions Board's focus on defined retention periods. Every data category in a record of processing activities (Article 30) should carry a documented retention period and a deletion or anonymization trigger. Indefinite storage of customer data is a red flag.
Personal identity codes. Map all system outputs and printed documents that include the henkilötunnus. Remove it from outputs where alternative identifiers are sufficient. Processing the code without a statutory ground violates Section 29 of the Data Protection Act 1050/2018.
DPO registration. Public authorities and private-sector organizations meeting the Article 37 thresholds must designate and register a DPO with the Data Protection Ombudsman. Registration must be updated when the DPO changes.
AI systems inventory. With Act 1377/2025 in force from 1 January 2026, organizations deploying AI systems that may qualify as high-risk under Annex III of the EU AI Act should conduct a classification assessment and, where classification triggers obligations, prepare a fundamental-rights impact assessment aligned with the DPIA framework under Article 35 of the GDPR.
Consent age gate. For digital services, verify that age-gating mechanisms prevent under-13 users from self-consenting and that parental consent mechanisms meet GDPR standards.
Watch out: Employee consent does not cure unlawful data processing in the Finnish employment context. If the data is not directly necessary for the employment relationship under Section 3 of Act 759/2004, no legal basis exists regardless of what the employee has signed. Finnish companies that imported consent-based employee monitoring practices from other EU jurisdictions have encountered enforcement action.
Disclaimer
This article provides general legal information about Finland's data privacy laws as of 2026-05-19 and is not legal advice. It covers the EU GDPR as applicable in Finland, the Finnish Data Protection Act 1050/2018, the Act on the Protection of Privacy in Working Life 759/2004, and Act 1377/2025 on the supervision of certain AI systems. Data protection laws change frequently. Consult a qualified attorney licensed in Finland for guidance on your specific situation.
Last updated: 2026-05-19. Statutes cited reflect their in-force versions as of 2026-05-19.
Frequently Asked Questions
What is Finland's primary data protection law beyond the GDPR?
Finland's primary national data protection legislation is the Data Protection Act (Tietosuojalaki 1050/2018), which entered into force on 1 January 2019. It supplements the GDPR with provisions on personal identity codes (Section 29), a digital consent age of 13 (Section 9), scientific research and archiving derogations (Sections 31-33), and criminal sanctions for serious violations (Section 24). The Act on the Protection of Privacy in Working Life (759/2004) adds a separate layer for the employment context.
Who imposes GDPR fines in Finland?
GDPR administrative fines in Finland are imposed by the Sanctions Board (seuraamuskollegio), a collegial body consisting of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen. This three-official structure provides additional deliberation before significant penalties attach. Fines can reach EUR 10 million or 2 % of worldwide turnover for lower-tier violations and EUR 20 million or 4 % for upper-tier violations under Articles 83(4) and 83(5) of the GDPR respectively.
Can Finnish employers monitor employee emails?
Generally no. Work email communications are constitutionally protected as confidential under Section 10 of the Finnish Constitution. Unauthorized employer access is a criminal offense under Act 759/2004 and Chapter 38 of the Finnish Criminal Code, punishable by fines or up to one year's imprisonment. Limited access is permitted only under the conditions in Sections 18-23 of Act 759/2004, which require unexpected employee absence, a reasonable belief that business-critical messages exist, exclusive work use of the address, and strict procedural safeguards.
Can employees consent to employer data processing that is not necessary for the employment relationship?
No. Section 3 of the Act on the Protection of Privacy in Working Life contains an absolute necessity requirement that cannot be overridden by employee consent. The law reflects the view that the inherent power imbalance in employment prevents genuinely voluntary consent. If the data is not directly necessary for the employment relationship, no legal basis for employer processing exists regardless of what the employee has signed.
What is Finland's digital consent age?
Finland set the digital consent age at 13 years under Section 9 of the Data Protection Act 1050/2018. Children aged 13 and older may independently consent to information society services. For children under 13, consent must be given or authorized by a parent or legal guardian. Finland chose the GDPR's minimum permissible threshold, the same as Denmark and Portugal.
Are there criminal penalties for data protection violations in Finland?
Yes. Section 24 of the Data Protection Act 1050/2018 creates a data protection offense punishable by a fine or imprisonment of up to one year. The Helsinki Court of Appeal's December 2025 ruling in the Vastaamo CEO case clarified that the offense requires proof of intentional conduct or gross negligence, not merely the occurrence of a security failure. Criminal liability may attach to individuals, in addition to administrative fines imposed on the organization.
How does Finland supervise AI systems under the EU AI Act?
Act 1377/2025, in force from 1 January 2026, establishes Finland's decentralized AI Act supervision framework. The Finnish Transport and Communications Agency (Traficom) acts as national market surveillance authority for general-purpose AI models and as the single contact point for the European AI Office. Sectoral authorities, including the Data Protection Ombudsman for AI systems that process personal data, supervise AI within their respective domains. A Sanctions Board connected to Traficom handles AI Act administrative fines exceeding EUR 300,000.
What transfer mechanisms may Finnish organizations use to send personal data outside the EEA?
Finnish organizations may transfer personal data outside the EEA using European Commission adequacy decisions, the EU-US Data Privacy Framework for certified US organizations (since July 2023), Standard Contractual Clauses (2021 version) accompanied by a transfer impact assessment, Binding Corporate Rules approved by the relevant supervisory authority, or the Article 49 derogations where the specific conditions are met. The Data Protection Ombudsman treats Article 49 derogations as exceptional rather than routine.
What did the Helsinki Administrative Court decide in the Posti GDPR case?
In November 2025, the Helsinki Administrative Court reversed the EUR 2.4 million fine the Sanctions Board had imposed on Posti Jakelu Oy in November 2024. The court found that Posti was entitled under freedom of enterprise and freedom of contract to bundle its digital services into a single package and had a lawful basis under Article 6(1)(b) of the GDPR to process personal data connected to the automatically created OmaPosti mailbox. The court upheld a reprimand for insufficient transparency in informing customers.
Does the EU Data Act create new obligations for Finnish organizations?
Yes. The EU Data Act (Regulation 2023/2854) became applicable from 12 September 2025. It creates data-sharing obligations for manufacturers and providers of connected products and related services, and rights for users to access and share the data generated by those products. The Data Protection Ombudsman supervises Data Act provisions that intersect with personal data protection. National Finnish legislation dividing supervisory responsibilities between Traficom and other authorities was submitted to Parliament in September 2025.
Sources and References
- Office of the Data Protection Ombudsman – Legislation (tietosuoja.fi)
- Data Protection Act 1050/2018 – Finlex (finlex.fi)
- Ministry of Economic Affairs – Protection of Privacy at Work (tem.fi)
- Data Protection Ombudsman – Working Life FAQ (tietosuoja.fi)
- Finnish Government – National Supervision of EU AI Act (valtioneuvosto.fi)
- Ministry of Economic Affairs – National Supervision of EU AI Act (tem.fi)
- EDPB – Finnish SA Fine EUR 856,000 Verkkokauppa.com (2024) (edpb.europa.eu)
- EDPB – Finnish SA Fine EUR 2.4m Posti (2024) (edpb.europa.eu)
- Data Protection Ombudsman – Vastaamo Fine Decision (tietosuoja.fi)
- Data Protection Ombudsman – EU Data Act (tietosuoja.fi)
- EDPB – Finnish DPA First Three Fines (2020) (edpb.europa.eu)
- GDPRhub – Finnish DPA Enforcement Tracker (gdprhub.eu)