Annual report 2023
The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data
The Office of the Data Protection Ombudsman is an autonomous and independent authority that supervises compliance with data protection legislation and other laws governing the processing of personal data.
In 2023, Anu Talus served as Data Protection Ombudsman and Heljä-Tuulia Pihamaa and Annina Hautala as Deputy Data Protection Ombudsmen. The Data Protection Ombudsman and the Deputy Data Protection Ombudsmen are independent in the performance of their duties.
Read the annual report here (summary in English): Annual report of the Office of the Data Protection Ombudsman 2023 (pdf)
Data Protection Ombudsman Anu Talus: Data protection work in a changing digital environment
The past year was eventful: the digital operating environment is constantly changing, the organisation of the Office of the Data Protection Ombudsman has evolved, and the supervisory authorities issued several significant decisions that shape the digital market.
The General Data Protection Regulation celebrated its 5th anniversary last year. Over the past five years, the importance of the digital operating environment has increased further and the amount of regulation has multiplied. My election as Chair of the European Data Protection Board (EDPB) in May 2023 came at a time when many of the provisions of the Commission’s digital and data regulations were either finalised in Brussels or implemented domestically.
New digital regulation will be built on the GDPR. Although the starting point may seem simple, there is a lot of overlapping regulation. Therefore, cooperation between authorities is all the more important. In addition to the new digital projects, the Commission presented its proposal for a provision supplementing the GDPR with the aim of streamlining cooperation between authorities in cross-border matters between EU Member States.
The year was also marked by new legislative projects nationally. The Data Protection Act was amended by adding a provision on so-called inactivity complaints. If the Office of the Data Protection Ombudsman does not notify about the progress of the complaint within three months, the person may appeal to the Administrative Court. At the same time, a provision was introduced into the Data Protection Act that enables the referendaries of the Office to resolve cases on which there already is established policy. The amendments entered into force at the beginning of 2024.
The number of new cases, which had remained stable for three years, started to rise again sharply. Over 2,000 more cases were initiated during the year than in the previous year, a total of 13,179 cases. Almost as many cases were resolved as initiated. This is a testament to the tireless work of our specialists. However, it is clear that as tasks increase due to new legislation and matters become more complex and difficult, additional resources will be needed to carry out statutory tasks.
The organisational structure of the Office of the Data Protection Ombudsman was renewed in April 2023. Changes were made, for example, to units and the responsibilities of ombudsmen. New supervisor positions and expert positions requiring long experience were also created. In an expert organisation, it is important to recognise the importance of deepening and broadening expertise.
The Office also quite successfully introduced a new case management system. The new system improves work efficiency, promotes knowledge-based management and creates new kinds of opportunities to develop operations based on more accurate statistical data than before.
In addition to adopting new legislation and developing the organisation, day-to-day data protection and supervision work was at the core of the operations. For example, we issued 44 legislative opinions during the past year. In the election year, the Government’s legislative work began in earnest in the autumn.
A number of important decisions were also made during the year. In some decisions, an administrative fine was imposed on the controller, while in others, the controller was ordered to rectify its actions. During the year, administrative fines were imposed on three controllers. In two cases, a fine was imposed for non-compliance with a previous order of the Data Protection Ombudsman.
The sanctions board of the Office of the Data Protection Ombudsman also dealt with other important matters, for example, a so-called urgent procedure was used in a decision concerning taxi service Yango that temporarily banned data transfers to Russia. Processing of the case has since continued in cooperation with the Dutch and Norwegian supervisory authorities.
During the year, the Administrative Court and the Supreme Administrative Court issued several decisions concerning data protection, which confirmed the Data Protection Ombudsman’s policy on the application of the GDPR.
European cooperation has become a part of the authority’s statutory tasks since the GDPR became applicable. The most significant EU-level decision of the year is probably the Commission’s so-called adequacy decision on the level of data protection in the United States. The EDPB issued a positive opinion to the European Commission on the new EU-US data protection framework, although it expressed some concerns about the whole.
The Office of the Data Protection Ombudsman has also contributed to the dispute resolution decisions of the European Data Protection Board. Last year, following the EDPB’s decision, a fine of 1.2 billion euros was imposed on Meta for data transfers to the United States, and a fine of 345 million euros on TikTok for breaches of children’s privacy. In addition, the EDPB adopted an urgent binding decision against Meta, in which it considered that Meta had processed personal data for the purpose of targeting advertising to individuals without an appropriate legal basis.
March also saw the launch of the EDPB’s second coordinated enforcement action, which, on the initiative of the Office of the Data Protection Ombudsman, focused on the designation and position of Data Protection Officers in organisations. In the spring, the EDPB published a guide for SMEs, the Finnish translation of which will be available during 2024. The position of SMEs will also be on the agenda of the EDPB’s next strategy, which was adopted in spring 2024. The GDPR4CHLDRN – Ensuring data protection in hobbies project, which promotes children’s data protection and is funded by the Commission, proceeded in cooperation with TIEKE Finnish Information Society Development Centre, coordinated by the Office of the Data Protection Ombudsman.
The discussion about artificial intelligence continued intensively over the past year and will continue to be highly relevant in 2024. The EDPB set up a working group on ChatGPT, and decisions by national supervisory authorities on artificial intelligence can be expected during 2024. A political agreement has been reached on the Artificial Intelligence Act, and national supervisory authorities will play an important role in its application, regardless of which authority supervises the AI Act.
Anu Talus
Data Protection Ombudsman
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa: Consolidated positions, clarifications to the use of personal identity codes, and guidelines on children’s data protection
The reform of the Office of the Data Protection Ombudsman’s organisation entailed changes to the Office’s units and the responsibilities of the Ombudsmen. At the beginning of April 2023, I changed from heading the public-sector customer service team to managing the private-sector guidance and supervision unit.
In the private sector, financial sector matters were the largest group in terms of matters instituted with the Office. We were kept particularly busy with personal data breach notifications, matters involving the right of access, requests for the erasure of data, and cases related to payment default entries.
An administrative fine was imposed in the financial sector in 2023 for unfounded payment default entries made on the basis of judgments in civil cases. The company had not erased the data from its credit information register despite an order issued in 2021.
One of the key positions adopted by the Data Protection Ombudsman in the private sector involved the lawfulness of purchase data storage times in the retail sector. The storage of purchase data for the whole duration of loyalty programme membership, in practice often for decades, cannot be considered to comply with data protection legislation. If the processing of personal data is an essential part of a company’s business, it must strictly observe the principles of processing of personal data, such as data minimisation and determining storage periods. This will only increase in importance in our data-driven economy and will be reflected in the Office of the Data Protection Ombudsman’s decisions going forward.
As a rule, the Office of the Data Protection Ombudsman’s decisions were upheld by the administrative courts. In September, the Supreme Administrative Court issued its decision on the administrative fine imposed on Posti in the spring of 2020. It was the first Sanctions Board decision to be taken to the Supreme Administrative Court. The Court enforced the administrative fine, which had been imposed for shortcomings in informing people who had submitted a notification of change of address. It is noteworthy that, in its decision, the Supreme Administrative Court confirmed that the supervisory authority had been within its rights in imposing the administrative fine before exercising its other corrective powers, such as issuing an order or reprimand.
In December, the Administrative Court of Eastern Finland issued a decision in the “log data case”. The decision was based on a preliminary ruling issued by the European Court of Justice. In the main, the Administrative Court decision upheld the Deputy Data Protection Ombudsman’s position and thus the Office of the Data Protection Ombudsman’s established interpretation of the disclosure of user log data. According to the Administrative Court decision, a bank is not obliged to disclose information on the bank’s employees who had accessed the customer’s data. However, the bank is required to disclose the precise times when the customer data was accessed from the user logs. The decision has been appealed, so we will wait for the Supreme Administrative Court’s decision on the matter.
The processing of personal identity codes was clarified by law. In December, Parliament approved amendments to the Data Protection Act and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security. The provisions on the processing of personal identity codes were also clarified in this connection. The amendment is intended to highlight the original purpose of the personal identity code as a means of individualisation, that is, telling people apart from each other. The law was clarified with an amendment that entered into force at the beginning of 2024 and states that a person may not be identified with their personal identity code alone or with a combination of their name and personal identity code. The use of personal identity codes for identifying individuals in addition to their original purpose of telling specific individuals apart has become a problem. It is to be hoped that the amendment will clarify practices on the ground.
In June, the Supreme Administrative Court issued a decision on processing the personal identity codes of children. The Supreme Administrative Court upheld the Deputy Data Protection Ombudsman’s position, according to which regularly collecting the personal identity codes of the children of all tenants and everyone applying for a rental home by property managers and lessors is not necessary under the General Data Protection Regulation. Even though the law permits the processing of personal identity codes in renting, such processing must always be necessary.
Children’s data protection was the focus of our operations in 2023, which was reflected in the continuation of the GDPR4CHLDRN – Ensuring data protection in hobbies project, among other things. The project is a two-year EU-funded project by the Office of the Data Protection Ombudsman and TIEKE Finnish Information Society Development Centre intended to improve the practical data protection knowledge of children and young people aged 13–17, their parents, and associations that organise hobby activities. Among other things, the project will produce a “digital toolkit” to help associations resolve issues related to compliance with data protection legislation. The project will conclude in late 2024.
Heljä-Tuulia Pihamaa
Deputy Data Protection Ombudsman
Deputy Data Protection Ombudsman Annina Hautala: Data protection touches all parts of society
The year 2023 was my first full year as Deputy Data Protection Ombudsman. It was another interesting and busy year on the data protection front. As I say in the title of this piece, data protection cross-cuts society and is important to every one of us. Its significance is perhaps even greater in public administration, since people often do not have a say in whether public authorities process their data or not. Special categories of personal data, such as health information, are also widely processed by the public administration.
The public-sector guidance and supervision unit was placed under my responsibility in the Office of the Data Protection Ombudsman’s organisational reform in April 2023. The organisational reform merged the data protection guidance and enforcement of the security and judicial administration sector with that of other sectors of the public administration. With this change, we are able to build a more comprehensive picture of the state of data protection in the public administration and of where to focus enforcement. The aim is to allocate our resources to the enforcement and guidance actions that have the most impact and thus ensure the realisation of data protection for everyone as required by law.
As in previous years, social welfare and health care was the largest sector in terms of matters instituted with the Office of the Data Protection Ombudsman in 2023. The most common matters instituted with the Office, both in social welfare and healthcare and in other public sectors, were personal data breach notifications and matters involving the exercise of the rights of the data subject, such as requests concerning the right of access and right to erasure. The launch of the new wellbeing services counties and the amendment to the Act on the Processing of Client Data in Healthcare and Social Welfare, which entered into force at the start of 2024, were also reflected in our work in the social welfare and healthcare sector.
In addition to the organisational reform, the Office of the Data Protection Ombudsman developed its practices and processes in order to improve the efficiency of its operations. For example, the processing of matters involving social welfare and healthcare was improved by introducing a screening procedure for cases involving the rights of individuals. We also allocated more human resources to enforcement work in the sector.
The year was also full of reform in the education and early childhood education sector. The Office of the Data Protection Ombudsman issued several reminders about data protection to the parties responsible for the preparation and implementation of the reforms. The subjects of the reforms included the processing of personal data in basic education and the organisation of student welfare. Several legislative projects related to the work of the security authorities were also initiated in 2023, and the Office of the Data Protection Ombudsman supported the preparation of these projects from the perspective of data protection.
Our enforcement activities in 2023 also included planned audits of controllers. The goal of such audits is to identify development needs before risks involving personal data are realised. At the same time, they serve to increase the organisations’ knowledge and awareness of data protection. Our Office was also the subject of an inspection as part of the evaluation of Schengen states’ compliance with EU law. Last year, it was Finland’s turn for this regular inspection.
The considerable number of “snooping” cases found by our enforcement measures and through pre-trial investigation authorities’ and prosecutors’ requests for statements is noteworthy. Some of these cases have been extensive and protracted. The pre-trial investigation authority or prosecutor is required to request a statement from the Data Protection Ombudsman on matters involving a data protection offence, secrecy offence, unlawful access to an information system or violation of the secrecy of communications. The number of such requests increased from 37 in 2022 to 54 in 2023.
Due to the above-mentioned observations, the monitoring of processing in the operations of controllers was adopted as a special theme for the 2024 audit plan. I cannot overstate the importance of the active self-monitoring of processing by the controller in addition to looking after the security of data files and information systems, access rights management, and instructing users.
Annina Hautala
Deputy Data Protection Ombudsman
Office of the Data Protection Ombudsman’s year 2023 in figures
In 2023, the Office of the Data Protection Ombudsman issued
- 3 decisions imposing administrative fines for data protection violations
- 41 reprimands for processing measures that violated data protection legislation
- 20 orders to bring personal data processing measures into compliance with the GDPR
- 6 orders to fulfil the rights of the data subject
- 2 orders to notify data subjects about a personal data breach
Our year in figures
- 6,894 personal data breach notifications
- 2,856 calls answered by the telephone service
- 11 inspections carried out
- 44 statements on legislative projects
- 54 statements to prosecutors and pre-trial investigation authorities
- 6 cross-border cases where the Office of the Data Protection Ombudsman was designated as the lead supervisory authority
- 147 cross-border cases where the Office of the Data Protection Ombudsman was designated as a concerned supervisory authority
Organisational reform
The Office of the Data Protection Ombudsman updated its organisation structure and rules of procedure in April 2023. The updates were made in response to needs identified in the Office’s strategy work in the previous year.
Changes were made to the Office’s units and the responsibilities of the Ombudsmen. The new organisation consists of a private-sector guidance and supervision unit, public-sector guidance and supervision unit, administrative unit, and management support and core services unit. The Office’s administrative, information management and registry services have been centralised in the administrative unit. The Office’s IT specialists, coordination of international matters, communications staff, senior specialist and data protection officer work in the management support and core services unit.
The Deputy Data Protection Ombudsmen are responsible for the monitoring of the private and public sectors. The Data Protection Ombudsman’s responsibilities include the supervisory authority’s general policies, European cross-border cooperation, and liaising with the European Data Protection Board (EDPB).
New team manager posts were introduced in the private-sector and public-sector units in connection with the restructuring. The team managers supervise the work of the Office’s inspectors and legal experts.
The duties of the Office of the Data Protection Ombudsman are expected to increase in the coming years, for example due to new tasks arising from the EU’s digital and data legislation.
Increasing number of cases
After fairly stable volumes in recent years, the number of cases instituted with the Office of the Data Protection Ombudsman grew clearly in 2023, with a total of 13,179 cases instituted with the Office. This was approximately 2,000 cases more than in the previous year. The number of cases resolved also increased, with 13,059 cases closed in 2023.
Personal data breach notifications were the most common type of cases instituted with the Office, accounting for 52 per cent of all cases instituted. The number of cross-border EU cases also grew.
The Office of the Data Protection Ombudsman has been systematically clearing its case backlog since 2020. At the end of 2023, there were approximately 880 unresolved cases instituted in 2018–2021 that had been pending for more than two years. Cross-border cases led by the supervisory authority of another EEA state constitute a significant part of these older unresolved cases.
Development of services and system updates
The improvement of information management has been defined as the Office’s key goal for the next few years. In the autumn of 2023, the Office adopted a joint case management system for agencies in the judicial administration, made a comprehensive overhaul of the organisation’s information management guidelines, and developed the Office’s information management model. The new case management system makes the processing of cases more efficient and improves knowledge-based management.
At the end of the year, the Office of the Data Protection Ombudsman adopted a secure form service provided by the Government ICT Centre Valtori. Organisations can use the forms to file personal data breach notifications, declare the contact details of their data protection officers, and request prior consultations. Private individuals can use the forms to request an order regarding the exercise of their data protection rights or report faults they have noticed in the processing of personal data. Sent forms can be saved as PDF files for the customer’s own use. With the adoption of the secure form service, the forms can now be used to send confidential and sensitive information to the Office of the Data Protection Ombudsman.
The Office’s internal procedures were also developed in order to improve the efficiency of case processing. Screening procedures in matters concerning the rights of the data subject and the processing of personal data breach notifications were established and refined.
The personal data breach notification screening procedure adopted in 2022 has made the processing of the notifications significantly more efficient. The screening looks at questions such as whether the case needs to be taken further with the controller and whether the breach requires official action.
The screening of cases concerning the rights of the data subject continued in matters related to the social welfare and healthcare sector. The Office is considering applying the model to other sectors as well.
In December 2023, Parliament passed amendments to the Data Protection Act and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security to bring them into line with EU data protection legislation. From the beginning of 2024, the Office of the Data Protection Ombudsman is required to resolve a complaint or give the complainant an estimate of when a decision will be issued within three months of the matter’s institution. People can appeal to the Administrative Court if the Data Protection Ombudsman does not issue a decision or provide an estimate of the processing time within this time limit.