Application of new data protection legislation begins tomorrow

Publication date 24.5.2018 18.15 | Published in English on 28.5.2018 at 16.18
News item

The General Data Protection Regulation entering into force tomorrow regulates the processing of personal data in all EU Member States. The adoption of the national Data Protection Act to supplement the GDPR has been delayed, but this will have no impact on the application of the GDPR.

The purpose of the new legislation is to improve the protection of personal data. People will be better able to manage the processing of their personal data, and all EU residents will share the same, universal data protection rights. Those whose data protection rights have been infringed can request the Data Protection Ombudsman to issue an order on the fulfilment of their rights. The request can be made even if the infringement has taken place in another Member State.

Competitive advantage from data protection

The GDPR aims at promoting the development of the digital internal market through the uniform application of common rules across the EU.

Accountability and the evaluation of risks are key aspects of the new legislation. The greater the risks involved in the processing of personal data, the greater the obligations related to the processing. Compliance with legislation must be demonstrated with sufficient documentation.

National Data Protection Act delayed

The national Data Protection Act to supplement the GDPR is still being discussed by Parliament. The Act was intended to enter into force at the same time as the GDPR. However, the delay in the adoption of the Data Protection Act will not affect the implementation of the GDPR, since the regulation is directly applicable legislation.

The Personal Data Act will remain in force until repealed by the proposed Data Protection Act. Due to the principle of precedence of EU law, national legislation that is in conflict with the GDPR will not be applied, however.

Certain other national enactments applying to the processing of personal data have also not been checked yet with regard to the national margin of manoeuvre provided for in the GDPR. If an organisation's processing of personal data is based on such legislation, it must evaluate the legislation applied by it in order to ensure that there are no conflicts with the GDPR.

The proposed Data Protection Act also includes provisions on the competence of the Data Protection Ombudsman. The Data Protection Ombudsman will continue performing its duties based on the Personal Data Act and the Act on the Data Protection Board and Data Protection Ombudsman. However, controllers are no longer required to file notifications based on the Personal Data Act.

The Data Protection Act will enter into force as soon as possible, once the bill has been approved and Parliament has adopted the Act. More information on the implementation of the Data Protection Ombudsman’s new powers will be provided once the Act has been adopted.

The European Data Protection Board will begin operations

The European Data Protection Board, consisting of the EU's national data protection authorities and representatives of the European Data Protection Supervisor, will be established in Brussels tomorrow. Data Protection Ombudsman Reijo Aarnio and Senior Officer Anna Hänninen of the Office of the Data Protection Ombudsman will take part in the founding meeting of the Data Protection Board.

The European Data Protection Board will be responsible for the uniform application of data protection legislation in the European Union and will give decisions and guidelines on the interpretation of data protection legislation.

The Data Protection Board continues the work of the previous cooperation body, the Article 29 Working Party.

Further information:

Data Protection Ombudsman Reijo Aarnio, tel. +358 2956 66730, firstname.lastname(at)
