Annual report 2025
The annual report describes the year's most important data protection events, supervision measures in different sectors and presents the key figures for the Office's operations.
Annual report of the Office of the Data Protection Ombudsman 2025 (pdf)
On this page, you can read the key points of the annual report:
- Data Protection Ombudsman Anu Talus: Transformations are shaping the operating environment
- Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa: The data protection year was characterised by artificial intelligence and secure data processing
- Deputy Data Protection Ombudsman Annina Hautala: Comprehensive security requires strong data protection
- Office of the Data Protection Ombudsman’s year 2025 in figures
- Overview of statistics and the field
The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data
The Office of the Data Protection Ombudsman is an autonomous and independent authority that supervises compliance with data protection legislation and other laws governing the processing of personal data. In 2025, Anu Talus served as Data Protection Ombudsman and Heljä-Tuulia Pihamaa and Annina Hautala as Deputy Data Protection Ombudsmen. The Data Protection Ombudsman and the Deputy Data Protection Ombudsmen are independent in the performance of their duties.
Data Protection Ombudsman Anu Talus: Transformations are shaping the operating environment
The duties of the data protection authority are also expanding.
In 2025, the Office of the Data Protection Ombudsman was granted additional resources for the performance of statutory duties. A plan for a new organisational structure was finalised and a four-stage recruitment plan drawn up during the
year. It was decided to establish a total of five areas of responsibility based on the Office’s private and public sector guidance and enforcement units. An EU and international affairs team and IT-focused team were established in the Management Support and Core Services Unit. The new teams are led by team leaders. At the same time, we started creating structures for the new enforcement duties that the Office of the Data Protection Ombudsman will be assigned, especially under the EU AI Act.
In the public debate on data protection, events in world politics have brought digital sovereignty to the fore in a new way. It is a question of who ultimately controls and has access to data in the digital environment. These are also significant issues in
data protection regulation and international data transfers.
Transfers of personal data, particularly to China, became a subject of debate during the year. The Data Protection Ombudsman began an investigation into a university’s data transfers to a Chinese company. The Irish data protection authority also imposed an administrative fine of EUR 530 million on TikTok for the unlawful transfer of personal data to China. The decision was made in a cooperation procedure between the European data protection authorities, in which the Data Protection Ombudsman participated. This procedure involves the preparation of a joint decision that is binding on all supervisory authorities.
We participate in the processing of approximately 500 cross-border matters each year. A new EU regulation, which harmonises and expedites the activities of data protection authorities in matters involving several Member States, will affect the processing of complaints from April 2027 onwards. In addition to digital sovereignty, the EU’s competitiveness has taken centre stage in the public debate. The Draghi report published in 2024 identified difficult, multi-layered digital regulation as one of the factors undermining competitiveness. The European Commission has proposed a number of reforms aimed at streamlining regulation. The proposed amendments to the GDPR appear to be largely in line with the established interpretations of European data protection authorities. However, the definition of personal data proposed in the so-called Digital Omnibus proposal has raised concerns, as it would differ from the established practice of the European Court of Justice and create uncertainty about the interpretation of the concept of personal data.
The heads of the European data protection authorities met at a high-level meeting of the European Data Protection Board in Helsinki in July 2025. The Helsinki Declaration was issued at the meeting, in which we committed to providing concrete support to organisations and ensuring the most uniform application practice possible in the EU. The main objective is “GDPR made easy”. At the same time, closer cooperation with authorities and stakeholders in other fields was agreed upon.
Extending the powers of the authorities has been a strong trend in both national and European legislative projects, and several statements on the proposed changes to the authorities’ right of access to information were requested from the Data Protection Ombudsman in 2025. The legislative reforms have important aims, such as combating crime and the grey economy. However, the amendments must be proportionate and necessary and the powers of the authorities precisely defined. One of the legislative reforms would extend the Tax Administration’s right to receive information on the bank transactions of Finnish citizens. In its statement, the Constitutional Law Committee of Parliament required changes to the proposal.
Parliament also discussed the Government’s position on the EU CSAM Regulation, which combats online sexual violence against children. Finland and several other Member States opposed the mandatory decrypting of secure connections
in communications applications. Other major legislative projects included proposals for amendments to data protection legislation and the system of sanctions provided therein.
As the operating environment becomes more complex, there is an increasing need for cooperation between authorities at both national and European levels. The rapid development of technology and regulation will only increase the need to safeguard
the fundamental rights of people.
Anu Talus
Data Protection Ombudsman
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa: The data protection
year was characterised by artificial intelligence and secure data processing
national acts concerning the EU’s AI Act entered into force on 1 January 2026, and at the Office of the Data Protection Ombudsman we started preparations for our new authority tasks. As part of our preparations, we published guidelines on how
to take data protection into account in AI systems. This work will continue actively in 2026.
Developing sustainable and ethical AI requires close cooperation both at the national as well as the international level. AI was also the main theme in the annual Global Privacy Assembly, which emphasised the significance of data protection
regulations and especially data protection principles in the development of AI and the need for cooperation between authorities. In Finland, the cooperation building process started among 15 national authorities supervising AI under the coordination of the Finnish Transport and Communications Agency Traficom.
AI adoption was also reflected in data breach notifications. In several cases, the risks related to the processing of personal data were not sufficiently assessed before the introduction of new tools. This highlights the controller’s obligation to pay attention to data protection already at the planning phase.
Data breach notifications continue to be the largest case group at our Office. During the year, we continued with our project that aimed at the utilisation of automation in the processing of notifications. Our goal is to introduce automation during 2026.
In 2025, the Office of the Data Protection Ombudsman’s sanctions board imposed three administrative fines for data protection violations. These decisions shared a common theme of the secure processing of personal data in industries in which the processing of personal data is part of the organisations’ core operations and the processed data is sensitive. Careful management of change processes and pre-testing of information systems were emphasised in the decisions. After all, many
data protection risks are still associated with the deficiencies in operating methods and not solely with technical challenges. Planning, caution and proactive assessment regarding the processing of personal data cannot be overemphasised.
We also received several significant precedents from the Supreme Administrative Court, especially in the insurance sector. The Supreme Administrative Court set a precedent in the interpretation of the concept of an insured person as well as the prerequisites for a request for information which insurance companies submit for health care in order to settle claims. The precedents ruled against the Data Protection Ombudsman’s positions. At the same time, they highlighted that the insurance companies’ requests for information must be justified, specified and necessary. We have emphasised in various contexts that the processing must also be predictable and transparent for the customer.
In June, the Supreme Administrative Court issued a significant precedent in the access rights of user log data in the so-called S-Bank case. Customers had the right to access the purposes and dates of the processing, but not the identity of the employees who processed the data. Access rights regarding log data was also reflected in the advice requests received by the Office.
At the EU level, debate was sparked by the supervision of the Digital Services Act (DSA), age verification of online services and the protection of children on online platforms. The close supervisory cooperation of the DSA, led by Traficom, continues, and growth was also seen in the supervisory cases. At the end of the year, the first decisions concerning tech giants were issued by the European Commission, when the first-ever fine regarding non-compliance with the transparency obligations under the DSA was issued to the social media service X.
As in previous years, questions regarding the rights of data subjects were strongly present in guidance and supervision. The right to erasure of personal data was under review when the authorities of the EU and ETA countries clarified the practices and
challenges of organisations in the realisation of the right. It is even more critical to safeguard strong data protection rights now that data collection in the digital environment is changing and constantly increasing due to new technologies.
Heljä-Tuulia Pihamaa
Deputy Data Protection Ombudsman
Deputy Data Protection Ombudsman Annina Hautala: Comprehensive security requires strong data protection
continued to evolve and normalise.
Data protection plays a crucial role in democracy, social stability and enhancing security. After all, data protection is a significant part of comprehensive security. Society’s approach to privacy and data protection has a direct impact on how society remains democratic and secure. In this, public sector operators play a key role. The fundamental aspect of the Office of the Data Protection Ombudsman’s work is guidance and supervision of the processing of personal data by the state, municipalities and wellbeing services counties.
This year, we have taken a stand on, for example, whether children’s biometric data can be processed for a certain purpose in the education sector and launched an investigation into the transfer of genetic information to a Chinese company.
In the midst of all these changes, it is important that organisations and individuals are aware of which personal data is processed through technological means at a given time and for which purposes, as well as that the management and
decision-making power related to the data is not intentionally assigned elsewhere; for example, to large technology companies. It should not be forgotten that the framework created by the data protection legislation concerns the processing of personal data regardless of the technology used.
As in previous years, the majority of cases were initiated in the healthcare and social welfare sector. Approximately one quarter of the initiated cases concerned this sector. A large proportion of cases regarding the public administration were related to personal data breaches and to the exercise of individuals’ data protection rights. The general advice for data subjects is to first contact the organisation processing their personal data when they wish to exercise their data protection rights.
Many personal data breaches were typically caused by human error. It is also evident that in many cases the reason behind the personal data breach was old and out-of-date equipment and systems, as well as other deficiencies in information security. I want to emphasise that everyone should pay attention to good information management and the supervision of the processing of data, as well as delete unnecessary data in order to minimise any damage.
One important part of our work is to support legislative drafting. This year, we drew the legislator’s attention several times to the impacts of the expansion of the right of access to data by the authorities and their processing rights, deficiencies in the impact assessment of data protection, clarity of responsibilities and the balance related to the fulfilment of basic rights.
During the year, we provided statements regarding, for example, the government proposal on the Tax Administration’s right of access and a proposal which aims to expand the possibility to utilize the biometric data stored in the passport registers
of the police in criminal investigations. We also provided multiple statements concerning early childhood education and the education sector, as well as the healthcare and social welfare sector.
During the year, our Office delivered more than a hundred statements supporting the consideration of charges. It is worth noting that a significant proportion of these statements concerned suspicions of unauthorised access. We have also been handling exceptionally extensive unauthorised access cases.
Proactive guidance is the core task of the Data Protection Ombudsman. When the number of written guidance and advice requests is combined with telephone advice cases, the total number of requests handled amounts to nearly 4,000 during the year. In our everyday work, we try to find the balance in how detailed advice we, as the supervisory authority, can offer in advance. During the year, we carried out several audits among controllers, and during which we could provide assistance in the data protection work of organisations.
We engaged in stakeholder cooperation in various different ways. For example, we participated in project of the Association of Finnish Cities and Municipalities and also in the VAHTI activities promoting cyber and digital security.
Despite the changes taking place around us and our busy work schedule, it has been a pleasure to see how our personnel have again this year persistently worked with a high level of professionalism when it comes to data protection. In addition to our skilled employees, the independence of the supervisory authority, functional processes and sufficient resources are prerequisites for succeeding in this work.
Annina Hautala
Deputy Data Protection Ombudsman
Office of the Data Protection Ombudsman’s year 2025 in figures
Our year in figures:
- 15,408 cases instituted
- 15,033 cases processed
- 7,355 personal data breach notifications
- 2,579 calls answered by the telephone service
- 10 audits initiated or carried out
- 39 statements on legislative projects
- 100 statements to prosecutors and pre-trial investigation authorities
- 22 cross-border cases where the Office of the Data Protection ombudsman was designated as the lead supervisory authority
- 484 cross-border cases where the Office of the Data Protection ombudsman was designated as a concerned supervisory authority
In 2025, the Office of the Data Protection Ombudsman issued:
- 3 decisions imposing administrative fines for data protection violations
- 30 reprimands for processing measures that violated data protection legislation
- 8 orders to bring personal data processing measures into compliance with the GDPR
- 8 orders to fulfil the rights of the data subject
- 4 orders to notify data subjects about a personal data breach
Overview of statistics and the field
Number of cases grew significantly
The number of cases instituted with and processed by the Office of the Data Protection Ombudsman increased significantly compared to the previous year. A record number of 15,408 cases was instituted in 2025. This represented an increase of 2,100 from the previous year. A total of 15,033 cases were processed, which is over 1,700 more than in the previous year.
A significant part of the increase was explained by the exceptionally high number of Data Protection Officer declarations. One of the statutory duties of the Office of the Data Protection Ombudsman is to maintain a list of organisations’ data protection
officers. The list was updated in 2025, due to which more than 900 declarations were received, which is hundreds more than usual.
Personal data breach notifications are the largest category of cases at the Office of the Data Protection Ombudsman, and their number has been increasing each year. A total of 7,355 data breaches were reported during the year, constituting an increase of 200 notifications from the previous year. However, the relative share of notifications among instituted cases declined.
Other major case categories include tasks related to enforcement, guidance and counselling, EU cooperation, and complaints and requests from private individuals.
Transformations in the operating and regulatory environments
The transformations of the digital environment and global data economy shape the operating environment of the Data Protection Authority. New duties arising from digital and data regulation will broaden the enforcement responsibilities of the
data protection authority, and the duties are only expected to increase further. National legislation is also being reformed.
As part of the overall reform of data protection legislation, preparations for amendments to the legislation under the administrative branch of the Ministry of Justice were launched in spring 2025. The reform proposes amendments to the Data
Protection Act and ten other acts. In October, the Data Protection Ombudsman issued a statement on the draft government proposal. Among other things, the legislative amendments concern the mobility of information between authorities, the processing of sensitive personal data, and electronic data disclosure methods. Transferring the duty of accrediting the certification body from the Data Protection Ombudsman to the national accreditation body (FINAS) is also proposed.
The acts regulating violations of AI legislation and the powers of the national authorities enforcing the EU AI Act were adopted in December 2025 and entered into force on 1 January 2026. The enforcement of the AI Act has been decentralised
to 15 different authorities in Finland. The Finnish Transport and Communications Agency Traficom serves as the national contact point. During the year, preparations were made for the start of the application of the AI Act in close cooperation by
the authorities. The cooperation is coordinated by Traficom.
The Data Protection Ombudsman is one of the market surveillance authorities for high-risk AI systems, which monitor that the systems are lawful and there are no dangerous or unsafe products on the EU single market. The Data Protection Ombudsman also serves as a notified body for some high-risk AI systems. Upon request, the Ombudsman checks the compliance of AI systems designed for use by certain security authorities before their adoption. The Data Protection Ombudsman enforces the
prohibitions of the AI Act and serves as the data protection authority and supervisory authority for fundamental rights. The prohibitions of the most harmful AI use cases started to apply in February 2025.
The application of the EU Data Act (DA) largely began on 12 September 2025, and the relevant national legislation entered into force in December 2025. The DA provides for the sharing of data generated by devices and services connected to the network and for the user’s right to data. The Data Protection Ombudsman enforces compliance with the DA with regard to the protection of personal data. If an authority or other public actor requests data containing personal data from a company in a public emergency, the Data Protection Ombudsman must be notified of this.
The EU Digital Services Act (DSA) increases the security of online platforms and improves the position of digital service users. In Finland, the DSA is mainly enforced by Traficom. In 2025, the Data Protection Ombudsman was responsible for supervising the recognisability of political advertising, the transparency of online advertising and recommendation systems, and the protection of minors on online platforms. The supervisory role of the Data Protection Ombudsman was changed as of 2026, when
the amendment to the Act on the Supervision of Online Intermediation Services transferred supervisory tasks related to the transparency of social and political advertising to the National Audit Office. Going forward, the Data Protection Ombudsman will continue to supervise business-to-business advertising. Close cooperation in the enforcement of the Digital Services Act continued in 2025. The number of enforcement cases processed by the national supervisory authorities increased from the previous year. The Data Protection Ombudsman received seven complaints in total. In December, the European Commission adopted the first decisions on compliance with the Digital Services Act.
The application of Regulation (EU) 2024/900 on the transparency and targeting of political advertising began in October 2025. The Regulation increases the transparency of political advertising and combats disinformation and foreign interference in elections. At the same time, it ensures that the targeting of advertising does not violate the protection of personal data.
The Data Protection Ombudsman supervises the targeting and delivery of online political advertising when it involves the processing of personal data. National legislation supplementing the Regulation entered into force on 1 January 2026.
In December 2025, the EU adopted the new Regulation (EU) 2025/2518 laying down additional procedural rules on the enforcement of the GDPR. Application of the new Regulation will begin in April 2027. The Regulation enhances the functioning of data protection authorities in enforcement matters connected to more than one country in the European Economic Area.
It provides for, inter alia, time limits, stages of investigation, the exchange of information between authorities and the rights of parties. The Office of the Data Protection Ombudsman has begun preparing for these obligations.
The European Commission aims to simplify EU regulation by means of omnibus legislative proposals. The Digital Omnibus and AI Omnibus proposals were submitted in November 2025. The Commission aims to facilitate compliance with regulations, improve Europe’s ability to compete and reduce the administrative burden on businesses.