Skip to Content

The Office of the Data Protection Ombudsman published its annual report for 2022

Publication date 31.7.2023 12.07 | Published in English on 4.8.2023 at 17.06
Press release

The Office of the Data Protection Ombudsman has published a report on its activities in 2022. The report describes the most important data protection events of the year, the most significant solutions and monitoring measures in different sectors as well as key figures of the activities. The year was characterised by the Office's reformed strategy as well as close European cooperation.

The number of cases remained high, while the number of personal data breach notifications continues to increase

Within the last three years, approximately 11,000 cases per year have been instituted with the Office of the Data Protection Ombudsman. A total of 11,095 cases were instituted in 2022. For the third year in a row, more cases were resolved than ones were instituted, numbering 11,869 cases in total.

The largest group of the cases instituted consist of reports of personal data breaches. The number of data breach reports has grown year by year, and they already amount to one half of the cases instituted with the Office.  A total of 5,445 data breaches were reported to the Office of the Data Protection Ombudsman during the year, representing an increase of approximately 660 from the previous year. Most of the reports are received from regulated sectors, such as healthcare and social welfare, the financial sector and the telecommunications sector.

Administrative fines and reprimands for data protection violations

Policies on major data protection issues were outlined concerning matters such as data minimisation, the legality of processing, location information as well as the right to inspect. Specifically, several violations leading to an administrative fine involved deficiencies in implementing the rights of the data subject. The Sanctions Board of the Office of the Data Protection Ombudsman imposed administrative fines on a total of five controllers due to data protection violations. The amounts of the administrative fines ranged from EUR 8,300 to EUR 750,000.

One of the most significant decisions involved a reprimand issued to the Finnish Tax Administration concerning unnecessarily extensive collection of data concerning cross-border account transfers. Other important decisions stated, among other things, that an authority cannot use the data subject's right to inspect as a data collection method, and that the location information of a tool of an employee cannot be always on by default. In addition, an opinion on the use of the use of tracking technologies on an authority's website was stated.

The office also continued systematic inspections of internal security authorities. A total of four inspections consisting of one or several parts were conducted.

The strategy was renewed and the data protection authorities intensified their cooperation 

The Office of the Data Protection Ombudsman renewed its strategy for 2022–2025 by defining strategic focus areas, a vision and a mission for its operations. The new vision of the Office emphasises the Office's role as an active proponent for responsibility in the digital environment.

In the spring, European data protection authorities presented key goals and measures for more effective cooperation. During the year, the data protection authorities of the EU and EEA countries implemented their first joint coordinated measure, which examined the use of cloud services in the public sector. In addition, the dispute resolution procedure of the European Data Protection Supervisor established itself as a form of cooperation between the supervisory authorities.

The European Commission has adopted several legislative proposals to implement the EU data strategy and strengthen the European data economy. The impact of both the measures to streamline the operations of European data protection authorities as well as the renewed data regulation will be felt in the coming years.

"Many of the themes featured over the past year will become more significant in 2023. The most important thing in the successful implementation of the data regulation package issued by the Commission is that the responsibilities of the supervisory authorities will be clear," says Data Protection Ombudsman Anu Talus.

A summary of the annual report in English has been published on our website in digital format:

We have compiled the main points of the annual report on our website: Annual report 2022

A version of the report in Finnish and Swedish are also available:

Further information:

Data Protection Ombudsman Anu Talus, anu.talus(at), tel. +358 29 566 6766

As of 7 August, Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at), tel. 029 566 6787

Back to top