Data Protection Ombudsman’s Office

Consent can be used as the basis of personal data processing both in the development and use of an AI system. An individual can give consent to processing their personal data for one or more purposes. Such consent must be a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to them.

The controller, meaning the organisation developing or using an AI system, must be able to prove that consent has been given as required by law. It must also be possible to withdraw consent for free at any time and as easily as it was given. After a data subject withdraws consent, the processing of the data processed based on the consent must be immediately stopped and the data erased. The implementation of the withdrawal of consent must be efficient in AI systems as well. If it cannot be implemented, for example, technologically, consent cannot be used as the processing basis.

The Data Protection Ombudsman stresses that choosing consent as the processing basis at the development stage of an AI system can be burdensome in terms of administrative work required, especially if personal data of a large group of people is processed.

Read more about the requirements for using consent as a basis

Contracts can be used as the basis of personal data processing both in the development and use of an AI system. When a natural person is party to a contract, personal data of the person can be processed if it is necessary for the performance of the contract.

Legal obligation can be used as a processing basis both in the development and use of AI systems if the personal data processing is necessary for compliance with a legal obligation to which the controller, meaning the organisation developing or using an AI system, is subject.

Protection of vital interests can be used as a processing basis in the development and use of an AI system only if the processing is required in order to protect the vital interests of the data subject or another natural person. For example, personal data processing may protect a vital interest in situations requiring humanitarian aid such as natural disasters or epidemics.

To meet this requirement, the danger to people’s lives must, for example, be sufficiently concrete. This processing basis is therefore very rarely applicable.

Personal data can be processed in the development and use of AI systems if the processing is required for the public interest or the exercise of official authority vested in the controller. The public interest task or official authority must be vested by law or other legal provision. ‘Controller’ means the organisation developing or using an AI system.

Personal data can be processed in the development and use of AI systems if the processing is required for the purposes of a legitimate interest pursued by the controller or a third party. ‘Controller’ means the organisation developing or using an AI system.

For example, a legitimate interest may exist when there is a meaningful relationship between the data subject and the controller. The relationship between an organisation and its customer is one example of such a relationship. However, personal data may not be processed if the interests and rights of the data subject override the legitimate interest of the organisation.

The European Data Protection Board has published guidelines on matters that must be taken into account when determining whether a legitimate interest exists.

The three stages of the determination are:

1. Identification and description of the legitimate interest. In order to use legitimate interest as a processing basis, all of the following conditions must be met:

  • The legitimate interest pursued is legal.
  • The legitimate interest is clearly communicated and justified.
  • The legitimate interest is real and exists (not based on an expectation).

2. Assessing the necessity of the planned personal data processing

  • Do the planned processing activities promote achieving the legitimate interest?
  • Are there alternative implementation methods that would require less personal data processing?

3. Determining whether the legitimate interest is overridden by the rights and freedoms of natural persons (‘balancing test’). The determination must be made on a case-by-case basis and the following must be taken into account in particular:

  • The risks to which the development and use of the AI system could expose the rights and freedoms of natural persons.

  • The effects that the personal data processing in the development and use of an AI system could have on the natural persons. There can be different types of effects and they can be positive or negative.

  • The nature of the personal data to be processed, the context of the processing activities, and the possible consequences of the processing to the natural person.

An organisation that plans to use legitimate interest as the basis for processing personal data in the development or use of an AI system should read the opinion of the EDPB (link directs to the EDPB website): Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models

Office of the Data Protection Ombudsman

Visiting address: Lintulahdenkuja 4, 00530 Helsinki

Postal address: P.O. Box 800, 00531 Helsinki, Finland

E-mail: tietosuoja(at)om.fi

Switchboard: +358 (0)29 566 6700

Registry: +358 (0)29 566 6768

 

 

General guidance for private persons: +358 (0)29 566 6777

General guidance for controllers: +358 (0)29 566 6778

Available Tue–Thu 9 a.m. to 11 a.m.

The telephone guidance is closed 6.7.–3.8.2026
