Annual report 2024
The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data
The Office of the Data Protection Ombudsman is an autonomous and independent authority that supervises compliance with data protection legislation and other laws governing the processing of personal data.
In 2024, Anu Talus served as Data Protection Ombudsman and Heljä-Tuulia Pihamaa and Annina Hautala as Deputy Data Protection Ombudsmen. The Data Protection Ombudsman and the Deputy Data Protection Ombudsmen are independent in the performance of their duties.
Read the annual report here: Annual report of the Office of the Data Protection Ombudsman 2024 (pdf)
On this page, you can read the key points of the annual report:
- Data Protection Ombudsman Anu Talus: Familiar themes in a changing environment
- Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa: A varied year for data protection in the private sector
- Deputy Data Protection Ombudsman Annina Hautala: 2024 – a year of major issues
- Office of the Data Protection Ombudsman’s year 2024 in figures
- Case volumes, development measures and new tasks
Data Protection Ombudsman Anu Talus: Familiar themes in a changing environment
The topic of AI has dominated both data protection seminars and public discourse. The AI Act was adopted in the EU in spring, entering into force in August 2024. Artificial intelligence models are often based on the processing of personal data, or an AI solution processes personal data. In such cases, a data protection authority is always entitled to supervise the processing of personal data. National work for enforcing the AI Act was also launched. In the preparation process, it is essential to ensure that, to the extent that the new regulation overlaps with the GDPR, supervisory responsibility remains with the Data Protection Ombudsman, with appropriate resources. For its part, the EDPB issued an opinion on AI in which it considered, among other things, that the use of personal data to train AI models may in certain situations be based on a legitimate interest. The opinion ensures that the GDPR is interpreted in the same way when assessing AI solutions.
New rules on the transparency and targeting of political advertising were adopted in 2024. As a result, new areas of oversight will also fall under the purview of the Data Protection Ombudsman. Many other legislative projects were also completed and new projects were launched. The approaching midway point of the government term was reflected in an increase in the number of requests for opinions. During the year, the Office of the Data Protection Ombudsman issued 55 opinions on legislative projects to ministries and 35 written expert opinions to parliamentary committees.
One of the issues that had a major impact on the field of data protection was the European elections and the resulting new Commission. The new Commission stated that it will reduce regulation, partly on the basis of recommendations made in the Draghi report. The report proposes a range of measures to improve Europe's competitiveness. The goal is to improve the position of small and medium-sized enterprises and create better conditions for innovation.
The EDPB continued its work in developing guidance and promoting the harmonised implementation of regulation. The guide published by the EDPB for small and medium-sized enterprises was translated into 18 different languages, including Finnish and Swedish. The EDPB also started making short, one-page visual summaries of its long guidelines. In addition, the EDPB highlighted another key aspect: the harmonisation of enforcement, as the proper functioning of the internal market requires a uniform application of regulation throughout the EU.
At the moment, the regulatory framework of data protection forms a complex entity, in which national authorities and European Union bodies have their own roles. These functions need to work together. Special attention has been given to this in national legislative projects.
In closing, let’s take a brief look at the future. The Ministry of Justice has appointed a working group to work on the introduction of administrative penalties for the public sector in accordance with the Government Programme. This has been the objective of the Data Protection Ombudsman for several years. It is important to close the gap in the system of sanctions to ensure its consistency, effectiveness, fairness and deterrent capacity. Another project, which deals with a fundamental issue, concerns the use of dactyloscopic data from the passport register in criminal investigations.
At the beginning of his term, the President of the United States has already repealed a number of regulations enacted during the previous administration. However, the data protection framework negotiated by the European Commission remains in place. It allows personal data to be transferred from EU countries to the United States. In the summer, the Commission published its first annual assessment of the functioning of the data protection framework and the EDPB published its own report in November.
It is also interesting to see where the deregulation projects launched by the Commission will ultimately lead. Are the so-called omnibus projects planned by the Commission, in which slight adjustments are being made to a few provisions of the GDPR, sufficient or is there a need for more extensive examination? Omnibus projects are extensive legislative packages that consolidate several different initiatives into a single legislative package. The GDPR may also be simplified as part of these.
One thing is certain - data protection will never get boring.
Anu Talus
Data Protection Ombudsman
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa: A varied year for data protection in the private sector
The year also included guidance for controllers, an audit of the biobank in cooperation with Fimea and the first accreditation of a supervisory body for a code of conduct. From the Administrative Court, we obtained important decisions on issues such as the processing of health data by insurance companies and consent for cookies.
Although AI issues were discussed in the operating environment, the topic was not yet very visible in private sector supervision. We expect this to change at the latest when the phased application of the EU's AI Act, which entered into force in August 2024, starts in 2025. This will also bring new tasks for the Office of the Data Protection Ombudsman.
As in previous years, the financial sector was the largest group in the private sector. In the financial sector, where information relating to individuals’ private lives is typically processed extensively, the obligation to handle personal data with care is heightened. In cybercrime, various vulnerabilities in information systems are constantly being identified and exploited, which is why regular assessment of the security and privacy of e-services is critical, especially in the financial sector.
As a cautionary example of inadequate security, a company providing loan comparison services was fined for breaching its obligation to protect personal data. In the same case, a hitherto rarely used power was used when the Deputy Data Protection Ombudsman prohibited the company from processing the data of loan applicants in the service after security flaws were discovered.
A major change in the financial sector took place with the introduction of the Positive credit register in spring 2024. This reform requires creditors to report information on all loans they grant to individuals to the Positive credit register, and to check the information stored in the register when assessing the creditworthiness of a consumer. The Data Protection Ombudsman has stressed the importance of data accuracy in the context of the preparation of legislation for the Positive credit register. These are important decisions that affect people's lives, so they must be based on correct and adequate information.
As data breach notifications are by far the largest group of issues for our office, we have wanted to pay special attention to the process of handling them. In order to speed up the processing of notifications and response to the ever-increasing number of them, we launched a development project focusing on data breaches. One of the key objectives is to explore how automation could be used in the processing of notifications. Work on this will continue intensively in 2025.
In the year under review, we took on new tasks when the EU Digital Services Act became fully applicable in February 2024. The Act imposes obligations on digital service providers to improve the transparency and security of services. The tasks of the Data Protection Ombudsman include monitoring the identifiability of non-profit and social advertising, the transparency of online advertising and recommender systems, and the protection of minors on online platforms. In Finland, enforcement of the Act is divided between the Finnish Transport and Communications Agency (Traficom), the Data Protection Ombudsman and the Consumer Ombudsman. This underlines the already smooth cooperation between the supervisory authorities, which I think has started very well.
The two-year EU-funded project GDPR4CHLDRN – Ensuring data protection in hobbies, a collaboration between the Office of the Data Protection Ombudsman and the TIEKE Finnish Information Society Development Centre, was completed at the end of the year. The outcome is the website tietosuojaharrastuksissa.fi, where associations involved in hobbies can find help on complying with data protection legislation in several languages. Although the materials focus specifically on hobbies, they are also useful for processing the personal data of children and young people in other situations.
The importance of Data Protection Officers and the adequacy of resources were also addressed when we supplemented the guidance on our website, based on the European Data Protection Board’s report on the role of Data Protection Officers published in January 2024. We reminded organisations of the independence and resource requirements of Data Protection Officers, and that a Data Protection Officer should not be dismissed or penalised for performing his or her duties. A smart organisation understands that the Data Protection Officer or his or her team will always be involved as early as possible in any data protection issues.
Heljä-Tuulia Pihamaa
Deputy Data Protection Ombudsman
Deputy Data Protection Ombudsman Annina Hautala: 2024 – a year of major issues
The list of issues could be extended to include many others, such as how to ensure the security of the processing of personal data at all times. Unfortunately, there were also challenges on the public sector side during the year. A significant case was the data breach in the City of Helsinki in the spring. In a changed security and operational environment, it is even more important to recognise that personal data can be misused in ways that seriously compromise the security of individuals and society as a whole. It is also necessary to consider how to ensure that the information held by an organisation can actually be used. The value of information is reduced if it is not sufficiently structured, reliable or up to date.
As in previous years, in 2024 social welfare and health care constituted the largest sector in the Office of the Data Protection Ombudsman in terms of the number of new cases. In 2024, around one quarter of new cases concerned this sector. The lion's share of the cases involving public administration related to personal data breaches and the exercise of individuals’ data protection rights, such as the access to, rectification or erasure of data. During the year, for example, a decision was adopted on the inclusion of personal data in text messages automatically sent to patients.
In addition to its supervisory and decision-making activities, the Office of the Data Protection Ombudsman supports both individuals and organisations by providing guidance through its website, in writing, by telephone and through participation in events and discussions. During 2024, around 2,300 guidance calls were answered, just over 1,200 written guidance responses were provided, and more than 180 speeches, media contacts and press releases were handled. As part of the guidance work, content targeted at the healthcare sector was revamped on the website. The website now takes into account the revised Act on the Electronic Processing of Client Data in Healthcare and Social Welfare, the most recent decisions and case law.
In 2024, we also made use of audits targeted at organisations in our supervisory activities. These audits aim to identify areas for improvement before the risks to personal data have materialised. During the year, audit activity focused in particular on how organisations manage access rights and control the processing of personal data. During the year, the first joint inspection between the Office of the Data Protection Ombudsman and the Intelligence Ombudsman was carried out, and inspection activities were extended to the healthcare sector. Based on the audit findings, guidance and recommendations were given to the organisations.
A noteworthy feature of the year is the significant increase in the number of statements issued to prosecutors or pre-trial investigation authorities, from 54 in the previous year to 111 in 2024. Most of the statements concerned data protection offences, data breaches and violations of the confidentiality of communications. The overall picture of the so-called criminal case statements and security breach notifications is worrying in terms of the number of hacking cases, bearing in mind that many such cases remain hidden.
The use of artificial intelligence and digital tools was a key theme during the year, including in the public sector. In the early childhood education and education sector, for example, this was reflected in the number of statements requested. For example, the Office of the Data Protection Ombudsman issued a statement on a draft guide on the use of AI applications in the processing of learners’ personal data. The above-mentioned statement also highlighted the importance of teaching learners, as a civic duty, to understand how their personal data is typically processed in web-based AI services and what their rights are.
I began my text with the big issues that were considered in 2024. One key pair of issues not mentioned at the beginning is how AI will affect the future and how data protection can be ensured when using it. This pair of issues was already raised in 2024, but both this and the issues stated at the beginning will remain relevant in the years to come.
Annina Hautala
Deputy Data Protection Ombudsman
Office of the Data Protection Ombudsman’s year 2024 in figures
Our year in figures:
- 13,284 cases instituted
- 13,291 cases processed
- 7,152 personal data breach notifications
- 2,289 calls answered by the telephone service
- 9 audits initiated or carried out
- 55 statements on legislative projects
- 110 statements to prosecutors and pre-trial investigation authorities
- 7 cross-border cases where the Office of the Data Protection Ombudsman was designated as the lead supervisory authority
- 252 cross-border cases where the Office of the Data Protection Ombudsman was designated as a concerned supervisory authority
In 2024, the Office of the Data Protection Ombudsman issued:
- 3 decisions imposing administrative fines for data protection violations
- 18 reprimands for processing measures that violated data protection legislation
- 9 orders to bring personal data processing measures into compliance with the GDPR
- 5 orders to fulfil the rights of the data subject
- 42 orders to notify data subjects about a personal data breach
- 2 warnings concerning planned activities that would probably violate the GDPR
Case volumes, development measures and new tasks
The number of pending cases continues to rise
The number of cases pending at the Office of the Data Protection Ombudsman remained at the high level of the previous year and continued to increase. In 2024, a total of 13,284 new cases were instituted. A total of 13,291 cases were closed, which is some 200 cases more than in the previous year.
Reports of personal data breaches have been the largest category of cases for several years now. A total of 7,152 personal data breaches were reported to the Office in 2024.
The Office has worked to reduce the number of pending cases since 2020. At the end of 2024, there were around 1,200 pending cases that were instituted more than two years ago, between 2018 and 2022. Most of these are related to issues that must be processed in cross-border cooperation and where the process is headed by a data protection authority of another EEA country. Despite the increase in the number of cases, the work to reduce the number of pending cases has produced results.
Case processing improved with development measures
The key development targets of the Office include making the preparatory work of case resolution and matters brought to the Sanctions Board more effective. The amendments to the Data Protection Act that entered into force at the start of 2024 enable the Data Protection Ombudsman to delegate decision-making power in certain strictly defined cases as laid down in the Office’s rules of procedure. Two presenting officers who may decide cases were appointed in autumn 2024. During the year, development of the activities of the Sanctions Board was started and a position for a senior officer specialising in preparing cases for the Sanctions Board was created. The Sanctions Board is responsible for processing cases that may require imposing an administrative fine or a ban on processing personal data.
In 2024, the Office started a development project for the purpose of developing the case flow management of personal data breach notifications. Since the application of the GDPR started, more than 30,000 personal data breaches have been reported to the Office of the Data Protection Ombudsman. The development project involves investigating the use of automation in the processing of personal data breach notifications, among other matters.
The personal data breach notification screening procedure introduced in 2022 has been found to have made the processing of the notifications significantly more efficient. Among other tasks, the screening involves assessing whether a case requires more detailed investigation with the controller and whether a case requires action from authorities. The process was further improved in 2024.
The screening of cases pertaining to data subjects’ rights was also continued. The procedure has been applied to cases related to social welfare and healthcare services since 2022, and the practices were updated with changes that support the case flow management for this sector. In September 2024, the screening procedure was extended to cover cases related to the financial sector. The procedure allows, for example, matters related to the rights of data subjects to be investigated soon after they are instituted. The aim is to extend the screening to cover all other sectors as well.
Improving information management has been set as a key objective for the near future. The joint case management system for agencies in the judicial administration introduced in 2023 has made case and information management at the Office of the Data Protection Ombudsman more effective. The system has better reporting and monitoring functions and provides better statistical information than the previous system. The information can be made use of in resource planning and other operational management.
Legislative amendments introduce new tasks
Several new tasks have been introduced for the Office of the Data Protection Ombudsman in the recent past because of legislative amendments, and the number of tasks is expected to increase.
The amendments to the Data Protection Act (1050/2018) and the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018) entered into force at the start of 2024. The amendments require the Office to resolve all complaints or give the complainant an estimate of when a decision will be issued within three months of the case being instituted. Data subjects can lodge a complaint with the Administrative Court if the Data Protection Ombudsman does not issue a decision or give an estimate of the processing time within this deadline. The amendments apply to cases instituted after the start of 2024 and do not apply retroactively. In 2024, around 3,130 cases were instituted at the Office to which the provisions on appeals against inactivity apply. The cases are mainly notifications, complaints, requests for advice and matters related to data subjects’ rights. Most of the cases were resolved before the three-month deadline had passed.
After the Finnish whistleblower act (1171/2022) entered into force at the start of 2023, the Office of the Data Protection Ombudsman became the competent supervisory authority in terms of privacy and personal data protection and notifications related to the security of information systems. Competent authorities must annually report to the Office of the Chancellor of Justice on notifications made under the Finnish whistleblower act. During the year, the Data Protection Ombudsman received six notifications falling under the Ombudsman’s authority. Six notifications were also investigated and resolved. One of the resolved notifications was made in 2023. The notifications were deemed not to give cause for measures.
The EU’s renewed digital and data regulations also introduce new tasks for the Office of the Data Protection Ombudsman. The digital and data regulations include the AI Act (AIA), the Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Act (DA) and the Data Governance Act (DGA).
The DSA became fully applicable on 17 February 2024. It lays down responsibilities for providers of digital services such as online platforms on improving the transparency and security of services. In Finland, supervision under the DSA is divided between the Finnish Transport and Communications Agency Traficom, the Office of the Data Protection Ombudsman and the Consumer Ombudsman. Traficom has the primary responsibility. The Data Protection Ombudsman supervises the identifiability of non-commercial and societal advertising, the transparency of online advertising and recommender systems, and the protection of minors on online platforms. The DSA forbids targeting advertising on online platforms based on special categories of personal data, such as political opinion, religion or ethnic origin, and targeting advertising to minors based on personal data. Finnish authorities received 78 complaints under the DSA in 2024. Three of them were lodged with the Data Protection Ombudsman.
Matters related to AI were strongly present in the operational environment. The EU AI Act entered into force in August 2024 and its application will be started in stages. EU countries must designate the national authorities responsible for the supervision under the AI Act by 2 August 2025. During the year, the European Data Protection Board issued statements on the development of AI models and the role of data protection authorities in the supervision of high-risk AI systems. In October, the data protection authorities of the G7 countries issued a statement in their meeting in which they highlighted the vital role of data protection authorities in the supervision of AI.