Corrective Powers

The Office of the Data Protection Ombudsman has the following corrective powers:

  • Warning controllers and processors of personal data if the planned processing activities will probably violate the General Data Protection Regulation.
  • Cautioning controllers and processors of personal data whose processing activities have violated the General Data Protection Regulation.
  • Giving orders to controllers and processors of personal data
    • if they do not comply with data subjects’ requests to exercise their data protection rights;
    • if the processing of personal data is not compliant with the GDPR; or
    • if a controller does not inform data subjects of a personal data breach that causes a high risk.
    • The Ombudsman can also order a controller or processor of personal data to rectify or erase personal data or restrict their processing (GDPR, Article 16, 17 and 18) and inform those to whom it has disclosed personal data of such measures (GDPR, Article 17, section 2; Article 19).
  • Restricting the processing of personal data or imposing a processing ban on a controller or processor of personal data. Such restrictions and bans can be either temporary or permanent.
  • Revoking a certificate or ordering a certification body to revoke or refuse to issue a certificate if the requirements for certification are not met.
  • Ordering the suspension of transfers of personal data to a third country or international organisation.
  • Imposing administrative fines in addition to or in place of other corrective measures.
    • The fine is imposed by the three-person Sanctions Board of the Office of the Data Protection Ombudsman.
    • The maximum amount of the administrative fine is 4% of turnover or EUR 20 million.
    • Administrative fines cannot be imposed on public organisations, such as the government or state-owned companies, municipalities and parishes.

Conditional fine

The supervisory authority may impose a conditional fine to enforce the above orders, restrictions of processing or suspensions of data transfer. Imposing conditional fines and ordering their payment is provided for in the Act on Conditional Fines (1113/1990).