Skip to Content
  • Valitse kieli Suomi
  • Välj språket Svenska
  • Select language English
Data Protection Ombudsman’s Office
Search page
  • Home
  • Current issues
  • Data protection
  • Private persons
  • Organisations
  • Office of the Data Protection Ombudsman
  • Home
  • Current issues
  • Data protection
  • Private persons
  • Organisations
  • Office of the Data Protection Ombudsman

The case register of the Office of the Data Protection Ombudsman is a logical entity that contains information describing the handling of cases opened to the Office of the Data Protection Ombudsman in connection with carrying out the tasks assigned to the Office by the Data Protection Act (1050/2018). The case register also deals with matters and documents related to the support processes of the Office of the Data Protection Ombudsman.

The case register is a register of cases received or instituted, their processing stages, measures, and documents and other information related to the measures. Information in the case register are also included in the case management system of the Office of the Data Protection Ombudsman, data in paper format and the shared information systems of the central government.

The processing of personal data by the Office of the Data Protection Ombudsman is based on statutory duties, and personal data are collected and processed only to the extent necessary for the performance of the Agency’s duties. You can read more about the data protection practices of the Office of the Data Protection Ombudsman on the page Our data protection policy.

The case register of the Office of the Data Protection Ombudsman consists of five data repositories: the administrative data repository, the international operations data repository, the access management repository, the data repository for the supervision of data protection and the communications data repository.

The data repositories of the Office of the Data Protection Ombudsman are not available openly through a technical interface. An exception to this are the publications in the communications data repository that are available on the public website.

The data repositories are described in more detail in the following sections.

The administrative data repository is maintained for the purpose of registering administrative matters of the Office of the Data Protection Ombudsman. The data repository covers data related to the personnel, finances, data management and information service, among other things.

The administrative data repository contains data stored both permanently and for a fixed term. The data are mostly public. However, depending on the case, the material may be non-disclosable.

The administrative data repository includes the following categories of data:

  • Personnel data
  • Employment relationship data
  • Financial information
  • Invoicing and payment information
  • Corporate and community information
  • Records management information
  • Information on decisions in administrative matters

Information systems: case management system, shared central government information systems (e.g. Kieku, Valtiolle.fi, Tahti and Handi services).

Search Factors: case ID, name of the case or document, type of document, initiator, name of the person, name of the company or community, or business ID.

The repository of international operations is maintained for the management of data arising from the activities of the Data Protection Ombudsman as Finland’s representative to the European Data Protection Board (EDPB) and other international cooperation.

The repository of international operations contains data that are stored both permanently and for a fixed term. The data are partly public. Public access to EDPB’s data is in line with the EDPB guidelines and the Regulation (EC) No 1049/2001 of the European Parliament and of the Council regarding public access to European Parliament, Council and Commission documents.

The repository of international operations includes the following categories of data:

  • Meeting information
  • Decision information
  • Instructions and recommendations
  • Reporting information

Information systems: case management system, Internal Market Information System (IMI), Confluence.

Search Factors: document number, document date, case ID, EU GDPR article number, name of the controller and processor, EDPB subgroup.

The access management data repository is maintained for the management of the access rights and log data of the organisational users at the Office of the Data Protection Ombudsman. The data repository includes data that are stored permanently and for a fixed term. The data are mostly non-disclosable.

The access management data repository includes the following categories of data:

  • User information
  • Access and access control data
  • Access rights information
  • Log data

Information systems: log management service, user directory (AD), IdM identity and access rights management service.

Search Factors: name of the user, date of the event (date, time), case that is or was being processed.

The data repository for the supervision of data protection legislation is maintained for the management of data arising from carrying out the duties specified for the Data Protection Ombudsman and the Office of the Data Protection Ombudsman in the Data Protection Act (1050/2018), the EU General Data Protection Regulation (EU 2016/679) and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018).

The data repository for the supervision of data protection legislation contains data that are stored for a fixed term. The data are mostly public. However, depending on the case, the data may be partially or completely non-disclosable.

The data repository for the supervision of data protection legislation includes the following categories of data:

  • Customer information
  • Corporate and community information
  • Ex ante control data
  • Ex post control data
  • Information on influencing and general guidance

Information systems: case management system and separate register.

Search Factors: case ID, name of the case or document, document type, initiator, name of the person, name of the company or community, or business ID.

The communications data repository is maintained for the purpose of managing the data generated by the communications of the Office of the Data Protection Ombudsman. The data in the communications data repository may include newsletters from the Office of the Data Protection Ombudsman, electronic and printed publications, social media content and contact details of stakeholders, for example.

The communications data repository contains data stored both permanently and for a fixed term. The data are mostly public.

The communications data repository includes at least the following categories of data:

  • Publication data
  • Newsletters and bulletins
  • Images and video
  • Corporate and community information
  • Social media updates

Information systems: case management system, Shared Publishing Platform YJA, social media channels used by the Office of the Data Protection Ombudsman (X, LinkedIn).

Search Factors: name or business ID of the company or community, name of the publication, language of the publication, format of the publication (electronic or printed), date of publication.

Some of the data in the communications data repository are available on the page Julkaisut (Publications, in Finnish) on the website of the Data Protection Ombudsman.

The principle of publicity and grounds for non-disclosure

According to the principle of openness (section 12, subsection 2 of the Constitution of Finland 731/1999) and section 1 of the Act on the Openness of Government Activities (621/1999), official documents are, in principle, public unless their publicity is specifically restricted by law. Everyone has the right of access to public documents. The main grounds for the non-disclosure of official documents are listed in section 24 of the Act on the Openness of Government Activities.

The Office of the Data Protection Ombudsman discloses information to those who request it in accordance with the Act on the Openness of Government Activities. As a rule, the data of the Office of the Data Protection Ombudsman are public. Depending on the case, they may nevertheless be non-disclosable. The decision on non-disclosure is made separately in each case.

Submitting a request for information

Requests for information addressed to the Office of the Data Protection Ombudsman are sent to the Registry, where they are registered for the purpose of monitoring the deadlines. The Registry sends the requests for information to the right party within the organisation for a response.

A request for information may be free-form, but the requested documents must be identified in the request as clearly as possible. The Office of the Data Protection Ombudsman can assist customers in identifying the document, if necessary.

Contact details of the Registry:

E-mail: [email protected]
Telephone: +358 (0)29 566 6700
Postal address:
Office of the Data Protection Ombudsman
P.O. Box 800
00531 Helsinki, Finland

If data are disclosed, it may be necessary to charge a fee in accordance with the Decree of the Ministry of Justice (646/2024) and the Decision OEV-HPY/88/2025 by the Agency for Special Authorities in Judicial Administration (in Finnish).

Office of the Data Protection Ombudsman

Visiting address: Lintulahdenkuja 4, 00530 Helsinki

Postal address: P.O. Box 800, 00531 Helsinki, Finland

E-mail: tietosuoja(at)om.fi

Switchboard: +358 (0)29 566 6700

Registry: +358 (0)29 566 6768

 

 

General guidance for private persons: +358 (0)29 566 6777

General guidance for controllers: +358 (0)29 566 6778

Available Tue–Thu 9 a.m. to 11 a.m.

Information about telephone guidance

Frequently asked questions

Our data protection policy

Accessibility statement

For the media​​​​​​​

LinkedIn

​​​​​​​X

 

 ­ Tulosta

  • Home
  • Current issues
    • News
    • Guidelines of the European Data Protection Board
  • Data protection
    • What is personal data?
      • Pseudonymised and anonymised data
    • Legislation
    • Frequently asked questions
      • Adequacy decision concerning data protection in the United States
      • Banking
      • Camera surveillance
      • Credit information
      • Data Protection Officers
      • Digital Services Act (DSA)
      • Direct Marketing
      • Elections
      • Genealogy
      • Health care
      • Information systems
      • Internet
      • Mobile location
      • Personal identity code
      • Phone calls
      • Scientific research
      • Search engines
      • Working life
    • Children's data protection
    • AI systems and data protection
    • Scientific research and data protection
      • Defining the research scheme and purpose for processing personal data
      • Minimisation of personal data
      • Lifespan of personal data processing, data protection principles and the protection of data
      • Choosing the processing basis and ensuring its lawfulness
      • Rights of the data subject in scientific research
      • Roles and responsibilities for processing personal data
      • Transfer of data abroad
      • Accountability in scientific research
      • Destruction, anonymisation or archiving of data
      • The researcher’s data protection expertise
    • EU digital and data regulation
      • Digital Services Act (DSA)
      • Data Act (DA)
  • Private persons
    • Know your rights
    • Have you been notified of the processing of your personal data?
    • When you want to inspect your data
    • If you want to have your data rectified
    • If you would like to have your data erased
    • If you would like to have your personal data transferred to another controller
    • If you do not want your data processed
    • Have you been subjected to a decision based solely on automated processing?
    • Have you been affected by a personal data breach?
    • When your personal data are processed in the Schengen Information System or the Visa Information System
    • Have you misplaced personal data?
    • Claiming damages
    • When a competent authority processes your personal data
      • What is a competent authority
      • Right to obtain information on the processing of personal data
      • Right to inspect data processed by a competent authority
      • Rectification of data processed by a competent authority
      • Erasure of data and restriction of processing
    • Notification to the Data Protection Ombudsman
  • Organisations
    • Processing of personal data
      • When is the processing of personal data permitted?
        • Consent of the data subject
        • Controller's legitimate interests
        • Processing of special categories of personal data
      • Risk assessment and data protection planning
        • Impact assessments
          • Carrying out an impact assessment
          • List of processing operations which require DPIA
        • Prior consultation
          • Prior consultation request
      • Automated decision-making and profiling
      • Processing involving several EU countries
    • Data protection principles
      • Lawfulness, fairness and transparency
      • Purpose limitation
      • Minimisation of data
      • Accuracy of data
      • Storage limitation
      • Confidentiality and security
    • Demonstrate your compliance with data protection regulations
      • Record of processing activities
        • Controller's record of processing activities
        • Processor's record of processing activities
    • Inform data subjects about processing
    • Rights of the data subject
      • The right to obtain information on the processing of personal data
      • Right of access
      • Right to rectification
      • Right to erasure
      • Right to restriction of processing
      • Right to data portability
      • Right to object
      • Right not to be subject to a decision based solely on automated processing
      • What rights do data subjects have in different situations?
      • Derogating from the rights of data subjects
    • Data protection officers
      • Designating a data protection officer
      • Declaration of Data Protection Officer
      • Change to Data Protection Officer declaration
    • Processors
      • Processors’ responsibilities
    • Personal data breaches
      • Data breach notification
    • Transfers of personal data out of the European Economic Area
      • Transfers on the basis of an adequacy decision
      • Standard clauses adopted by the Commission
      • Safeguards to supplement transfer tools
      • Binding corporate rules
      • Derogations for specific situations
      • Transfer bases for authorities and the public sector
      • Brexit and the transfer of personal data to the UK
    • Codes of Conduct
      • The review and approval of codes of conduct
      • Supervision of codes of conduct
  • Office of the Data Protection Ombudsman
    • Duties
      • Corrective powers
    • Mission statement
    • International activities
    • Annual report 2024
      • Archive
    • Forms
    • Our data protection policy
      • Visiting the office
      • Electronic services at our office
        • Cookies
      • Telephone services
      • Processing of matters within our competence
      • Processing of the personal data of Data Protection Officers
      • Submitting job applications
      • Disclosure of data
      • Your data protection rights and legal protection
    • Accessibility statement
    • Contact information
      • Telephone guidance
      • Registry
      • Description of public access to documents
      • Data Protection Officer
      • Lecture requests
      • For the media
Back to top