Data protection (GDPR)

The European Union’s General Data Protection Regulation (GDPR, adopted in 2016) is important for students of information technology because it concerns all personal data. The requirements of the regulation must be taken into account in information systems and in the systems surrounding them, and personal data exists even in places where one might not initially expect it. One example is electronic locking systems, in which log data on key usage is collected inside the lock mechanism itself.

Key laws affecting data protection in Finland have included the Personal Data Register Act (1987–1998) and the Personal Data Act (1999–2018). At the beginning of 2019, the Data Protection Act (1050/2018) entered into force, specifying and supplementing the GDPR within the limits it allows.

Key concepts

To understand the GDPR, it is necessary to know the key concepts:

  • Identifiable person: a person who can be directly or indirectly identified using
    • identifiers: e.g. name, personal identity number, location data, online identifiers
    • characteristic factors: e.g. physical, physiological, genetic, psychological, economic, cultural, social.
  • Personal data: all information relating to an identified or identifiable natural person. Personal data may be stored, for example, in electronic files, databases, on paper, in card indexes, folders, or in audio or video recordings.
  • Processing: any operation (including “use”) that can be performed on personal data. Processing always requires a legal basis defined by law.
  • Data subject: the person to whom the personal data relates.
  • Controller: a person, company, authority or organisation that determines the purposes and means of processing personal data.
  • Processor: a party external to the controller that processes personal data on behalf of the controller.

The controller is always primarily responsible for compliance with the data protection regulation. In practice, responsibility is shared with the processor through contracts. The GDPR also requires this when an external party processes the controller’s data. An example: a housing company is the controller of the flat owners’ and residents’ personal data, which are typically handled by a property management company and a maintenance company, which have the role of processors.

Each country has an independent supervisory authority that, among other things, monitors compliance with data protection legislation, provides guidance, and receives complaints about suspected violations. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

The GDPR does not impose obligations on natural persons (i.e. private individuals) in their private life. A legal person (i.e. a company, organisation, community or similar) cannot transfer the processing of personal data to a natural person and thereby avoid the obligations of the law. There is a court case from Finland on this issue, which was handled by the Court of Justice of the European Union; see a YLE page.

Data protection by design and by default

“Data protection by design” in the GDPR means that organisations must assess risks early and integrate privacy into the system from the start. “By default” requires that the default settings are privacy-protective, for example automatic encryption in systems so that the impact of a breach is reduced. The GDPR also enforces data minimisation: each personal data item must be necessary for a defined purpose (collect only what is needed) and must be deleted when it is no longer required.

Conditions for processing personal data

According to Article 6 of the GDPR, the processing of personal data requires one of the following:

  • the data subject has given consent to the processing of their personal data for one or more specific purposes
  • processing is necessary
    • for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of the data subject
    • for compliance with a legal obligation of the controller
    • to protect the vital interests of the data subject or another natural person
    • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
    • for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, especially if the data subject is a child.

If none of these applies, the processing of personal data is unlawful.

Special categories of personal data

Sensitive personal data is referred to in the GDPR as “special categories of personal data”. These include:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic or biometric data for identification purposes;
  • data concerning health (including medical treatments);
  • sexual orientation or behaviour.

Processing of these is, as a rule, prohibited, but the GDPR lists 10 cases where exceptions apply. These include, for example, consent and necessity. The Data Protection Act supplements these exceptions with a list of 8 items (compared to the GDPR, new ones such as insurance, anti-doping, disability sports, cultural heritage). When sensitive data is processed, the Data Protection Act requires the use of “suitable and specific measures to safeguard the rights of the data subject”. Eleven such measures are listed, the last being “other technical, procedural and organisational measures”. It is therefore not enough to read the law; one must know what one is doing and also understand the other topics of this course. The GDPR describes similar procedures in a more general context, in fact in more than one place. You can explore these, for example, by searching for where pseudonymisation appears (there are four places after the definition).

Accountability

The controller must be able to demonstrate that the regulation is being complied with. This includes ensuring the security of the register. The controller must inform data subjects about the processing of personal data by means of a privacy notice or a similar document. Read more here.

Impact assessment

The GDPR refers to risk assessment in many places. Article 35 takes the matter further:

“If a type of processing, in particular using new technologies, is likely, taking into account the nature, scope, context and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

There must therefore already be a prior understanding of the risks, and this leads to carrying out an impact assessment, which also includes a risk analysis. Prior consultation (i.e. consultation with the supervisory authority) may also be required, and the impact assessment has evidently been considered sufficiently complex that the GDPR requires the controller to seek advice from the data protection officer—if one has been appointed. The supervisory authority, in turn, must publish a list of the types of processing operations for which an impact assessment is required. See the Data Protection Ombudsman’s decision on the list. You will need it and the criteria list in two questions.

An impact assessment therefore concerns the necessity and proportionality of the processing of personal data, the risks involved, and the measures required to address those risks. The aim is to assess whether the remaining risk (i.e. the residual risk) is justified and acceptable in the circumstances at hand. The impact assessment helps the controller not only to comply with the requirements, but also to document and thus, when necessary, demonstrate that they have been complied with.

Rights of the data subject

The rights of the data subject are important from the perspective of the design and implementation of information systems, so that matters such as access to data, deletion of data, prohibition of processing, correction of incorrect data and statutory deadlines can be taken into account.

The GDPR describes the rights of the data subject; read more here.

In certain government registers, data subjects do not have all rights. For example, it is not possible to request the deletion of health data. Likewise, there is no right of access to police tip registers or money laundering registers.

Personal data breach

One of the key changes compared to earlier legislation is that the GDPR lays down procedures for situations where a personal data breach occurs. Central aspects include the obligation to notify the supervisory authority and users, as well as the obligation to document. Read more here.

In the event of a personal data breach, it is advisable to file a criminal report with the police. This may also be a requirement for receiving insurance compensation. In addition, the National Cyber Security Centre receives notifications. However, the law does not require a criminal report or notification to the Cyber Security Centre.

Administrative fine

A personal data breach as such does not lead to sanctions if the GDPR has been complied with, including the accountability requirement. Otherwise, an administrative fine may be imposed. According to the Office of the Data Protection Ombudsman:

“The supervisory authority may impose fines on a controller or processor for violations of the data protection regulation.” “An administrative fine may be up to 20 million euros or four percent of the global annual turnover. Other possible sanctions include warnings, reprimands and orders, as well as limitations or prohibitions on the processing of personal data.”

The fine must be substantial in order to be effective, but its purpose is not to drive the controller into bankruptcy. The fine is adjusted according to the severity of the violation, but also according to the financial situation of the controller and other circumstances. An example of such circumstances is the consideration of the COVID-19 situation in determining the amount of the fine imposed on Taksi Helsinki Oy. A fine imposed by the supervisory authority can be appealed to an administrative court.

Here are examples of administrative fines in Finland:

  • Psychotherapy Centre Vastaamo
  • Direct marketing
  • Parking enforcement company
  • Higher education institution
  • Taksi Helsinki

Finland has made an exception compared to other EU countries: administrative fines are not imposed on authorities. The idea is that other corrective measures are sufficient. An example of this can be found here, in a case where the Legal Register Centre would otherwise quite clearly have received an administrative fine.

Data protection officer

A data protection officer must be appointed if

  • sensitive data is processed on a large scale;
  • people are monitored on a large scale, regularly and systematically;
  • the organisation is a public authority (excluding courts).

Even small companies need a data protection officer, for example if they process the personal data of dozens of data subjects during a year (a loose interpretation based on guidance from the Data Protection Ombudsman). The duties of the data protection officer are described by the Office of the Data Protection Ombudsman as follows:

  • monitors compliance with data protection rules throughout the organisation and highlights any shortcomings observed
  • provides information and advice on obligations under data protection rules to management and employees handling personal data
  • provides advice, when requested, on carrying out data protection impact assessments and monitors their implementation
  • acts as a contact person for data subjects in matters related to the processing of personal data
  • acts as a contact point for the Office of the Data Protection Ombudsman and cooperates with it

Despite the title, the data protection officer is not personally responsible for compliance with data protection laws. It is the responsibility of the organisation’s management to ensure compliance with the law.

Note! A data protection officer and the Data Protection Ombudsman are different things and are easily confused. Be careful!

Other legislation

Other legislation also affects data protection:

  • The right to privacy is a fundamental right laid down in the Constitution of Finland. The registration of personal data constitutes a deviation from this, and more detailed provisions are provided by the Data Protection Act. (The Charter of Fundamental Rights of the European Union also grants protection to private life and personal data.)
  • The Act on Electronic Communications Services (917/2014, originally named the Information Society Code) covers in more detail, among other things, the protection of confidential communications as well as various identification and location data produced by communications.
  • The Act on the Protection of Privacy in Working Life (759/2014) applies to the processing of personal data carried out by employers, for example drug testing and video surveillance.
  • When an authority discloses personal data from its registers, instead of the general provisions of the Data Protection Act, the Act on the Openness of Government Activities (621/1999) is applied, which also lays down the most common grounds for confidentiality as well as principles of good information management.
  • In 2007, provisions concerning the processing of personal data were transferred from the then Personal Data Act to the Credit Information Act (527/2007), including, for example, retention periods for entries in credit information registers: e.g. bankruptcy 5 years, officially confirmed payment default 3 years, others 2 years. In the 2022 reform, the retention period of a default entry was shortened to one month from the repayment of the debt. This reform is in a sense compensated for by the Positive Credit Register (Act 739/2022), which stores and discloses (from 2024 onwards) more personal data than before.
  • In addition to the Data Protection Act, provisions concerning the processing of personal data are included in sector-specific legislation in different fields, especially those governing the duties and operations of authorities. An important example is the Act on the Processing of Client Data in Social and Health Care (764/2021, corresponding legislation originally from 2007). In addition, there are international norms and guidelines.

The GDPR itself can be read as such, but it is not easy to read. (The 45 references to the GDPR contained in the Data Protection Act make that law even more complex; cf. also the exercise.) Interpretative assistance can be found on the website of the Office of the Data Protection Ombudsman in the frequently asked questions. The site also provides a useful presentation of data protection principles. A good example of planning the processing of personal data is the description of processing for scientific research. Tampere University has a data protection website for external users, and an internal version is available on the intranet. The TUNI Moodle includes a Data Protection Driving Licence, which is useful for students working on their thesis.

In Finland, the Population Information System is an important personal data register governed by the Population Information Act (661/2009). In addition to the usual prohibition on disclosure for purposes such as direct marketing, a much stronger restriction, a confidentiality order, can be recorded in it.

The protection of personal data must not weaken when data is transferred from one country to another. It may be that transfer outside the EU is not permitted. The GDPR provides various mechanisms by which an adequate level of protection in a non-EU country can be ensured. In international data transfers, the current case law and guidance from supervisory authorities must be taken into account.

Legislation is continuously evolving. The GDPR was a broad and important reform. It harmonised data protection across Europe so that companies only need to deal with one Member State. Large sanctions (administrative fines) have led companies to take the matter seriously, and there is already a long list of rulings; in Finland, 27 cases had been recorded by May 2026. Development does not stop at the GDPR, as new regulation aimed at improving the privacy of electronic communications is under preparation—despite the fact that the “ePrivacy” regulation proposal from 2017 was removed from the Commission’s work programme in 2025.

Freedom of expression is another right guaranteed by the Constitution, and it may conflict with privacy. An example of an important boundary concerns the now very common practices of photography and videography, and additionally the publication of the material produced. The use of surveillance cameras and web cameras, and the storage or publication of images, may lead to extensive considerations, as storage constitutes a personal data register. Criminal law provisions on voyeurism and domestic privacy also become relevant. However, photographing in public places is permitted under constitutional rights.

The main objective of this problem is that you learn what the two law texts look like and how it feels to read them. Open the Data Protection Act and the GDPR in separate browser tabs. Note that the actual regulation only begins with Article 1, slightly before the midpoint of the long page.

  • As stated in the material, the GDPR describes 10 and the Act 8 situations in which the processing of sensitive personal data is permitted. These are found in Article 9 of the regulation and Section 6 of the Act. Find these and determine that
  • Neither law text uses the term “sensitive” for the data of the previous question, but rather “special categories of personal data”. The term “category” comes from the fact (also visible in this material) that most items contain more than one type of data. Neither law text directly defines that these are the special (or sensitive) categories of personal data (they only prohibit processing). Examine both laws using search and answer: SP: does the term “sensitive” appear; SC: does the Act explain what these special categories are.
  • Chapter 3 of the Act defines the Data Protection Ombudsman, the supervisory authority required by the GDPR. The GDPR also requires controllers and processors to appoint a Data Protection Officer. What does the Act say about the Data Protection Officer?
  • What obligations required by the Act arise if a company’s customer register is subject to a data breach and there is justified suspicion that it has been leaked? Select the correct options.
  • When must an impact assessment be carried out? Select the correct options.
  • What does an impact assessment include? Select the correct options.
  • One legal basis for processing personal data is requesting consent. What does requesting consent require? Select the correct options.

GDPR’s prescriptive jurisdiction (advanced)

Before applying a regulation, it is necessary to know to what matters it applies. Therefore, the scope is defined at the beginning of legal texts, and this has been discussed above. In addition, regulations involve jurisdiction, that is, where they are applied, as presented in the previous section. The GDPR introduced a significant change to the prescriptive jurisdiction of European data protection law.

The GDPR applies to all processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” (Article 3(1)). Here, the concept of an establishment of a controller is defined unusually broadly in the regulation compared to other commonly understood legal principles. Establishing or maintaining an establishment in the EU does not require anything more than the ability to direct business activities. The definition is particularly broader than in company law or international tax law. For example, a holding company located in the United States may be considered to have a place of processing in the EU through its wholly owned subsidiary. Thus, a legal person without a “fixed establishment” or “taxable presence” in the EU may nevertheless carry out data processing in connection with an “establishment” located in the EU from the perspective of GDPR liability analysis.

Because the GDPR is an EU regulation rather than a directive, it is directly applicable in EU Member States. In situations of conflict, an EU regulation overrides national legislation of the Member State. However, the GDPR also leaves room for national legislation, as it explicitly states. One example of this is that national legislation may permit the processing of personal data relating to criminal convictions without the requirements of the special categories of personal data.

The GDPR extends prescriptive jurisdiction to the processing of personal data carried out by anyone, anywhere, if it relates to the offering of goods or services to a data subject located in the EU (Article 3(2)(a)). This prescriptive jurisdiction is generally considered to apply only in situations where the provider voluntarily offers such goods or services to data subjects in the EU.

In addition, the GDPR applies to all parties who monitor the behaviour of data subjects in the EU, insofar as this behaviour takes place within the EU (Article 3(2)(b)). This basis of jurisdiction appears to relate in particular to relatively new services that track and analyse various patterns of human behaviour, for example the use of web browsers or physical movement, such as shopping behaviour. Persons located outside the EU who fall under the GDPR on these grounds must, in many cases, designate a representative in the EU (Article 27 and Recital 80). The European Data Protection Board (EDPB) published guidelines on the territorial scope of the GDPR in 2019. Despite these, the interpretation of the regulation may still be difficult, particularly in connection with new digital services, and enforcement with respect to actors outside the EU also involves practical challenges.
