Focus areas of data protection activities

As part of preparing for the implementation of the EU’s General Data Protection Regulation, the Office of the Data Protection Ombudsman established process teams tasked with ensuring the uniform processing of cases in their area of responsibility and with developing that processing.

Processing of personal data breaches launched

One of the most important tasks of the Personal Data Breaches process team is to ensure the smooth reception and uniform processing of personal data breach notifications. The process team consists of the Office of the Data Protection Ombudsman's legal experts and IT experts specialising in personal data breaches.

The Personal Data Breaches process team helps the Office's other staff with the processing and evaluation of personal data breach notifications. To this end, the process team has drawn up internal guidelines for the assessment of risks and the processing of typical cases. In the case of atypical personal data breaches, the process team helps the referendary with the processing of the case.

The Office of the Data Protection Ombudsman was notified of 2,220 personal data breaches in 2018.

The tasks of the Personal Data Breaches process team have been developed as needed. The team has drawn up new guidelines and modified the personal data breach notification form on the basis of feedback.

The obligation to report personal data breaches entered into force with the adoption of the GDPR on 25 May 2018. The Office of the Data Protection Ombudsman must be notified of personal data breaches if the breach could cause a risk to the rights and freedoms of natural persons.

After notifying the Office of the Data Protection Ombudsman about the data breach, controllers can get advice relating to the protection of personal data and whether the people affected by the breach must be notified about the breach or not. If necessary, the Data Protection Ombudsman may order the organisation to comply with the obligations imposed by the GDPR.

Process team develops cooperation with Data Protection Officers

The Data Protection Officers process team supervises the reception and processing of Data Protection Officer notifications and improves the accessibility of Data Protection Officers and communications with them. In addition to legal experts employed by the Office of the Data Protection Ombudsman, the process team includes an information services secretary who maintains the register of Data Protection Officers.

The details of 1,227 Data Protection Officers had been communicated to the Office of the Data Protection Ombudsman by the end of 2018.

Organisations have been required to notify the Office of the Data Protection Ombudsman of their Data Protection Officers since the entry into force of the GDPR on 25 May 2018. The Data Protection Officer is the organisation's internal data protection expert who monitors the processing of personal data and assists the management and personnel with compliance with data protection legislation. The Data Protection Officer serves as the contact person for data subjects and the Office of the Data Protection Ombudsman in matters concerning the organisation's processing of personal data.

An organisation is required to appoint a Data Protection Officer if it

  • processes sensitive data on a large scale;
  • monitors individuals regularly, systematically and on a large scale; or
  • is a public authority other than a court of law.

People are aware of their data protection rights

Matters involving complaints and the rights of the data subject are some of the most important aspects of the duties of the Office of the Data Protection Ombudsman. They include reports of the infringement of data protection rights and suspected cases of an individual or organisation processing personal data in violation of data protection regulations, but also various requests for advice or additional information.

In 2018, there were more registered cases involving the rights of the data subject than before. After the implementation of the GDPR, the Office established a process team for matters involving the rights of the data subject, with tasks such as creating uniform procedures for processing complaints filed by data subjects. In its first year of operations, the team sought to prioritise matters with the most extensive or serious impact on data subjects and matters that had been in processing for a long time.

The cases instituted by data subjects are typically unique in their circumstances, which affects their processing and the time required for it. Complaints and legal questions in particular tend to require additional information, the acquisition and processing of which takes time.

You can expedite the processing of your case in the Office of the Data Protection Ombudsman by describing the matter as precisely as possible from the start. Assistance in this is available from the instructions and forms on the website of the Office of the Data Protection Ombudsman. The site also contains a service path for determining the best way to proceed with your case.

Impact assessments help identify risks

The impact assessment is a self-assessment tool provided by the GDPR to controllers for identifying threats to the rights and freedoms of individuals posed by the planned processing, assessing the severity and probability of the risks constituted by these threats, and adopting adequate security measures for dealing with elevated risks. Among other things, the impact assessment can be used to implement data protection by design and by default and the demonstration obligation, referred to in Article 25 of the GDPR.

A prior consultation is required before the start of planned processing activities if the impact assessment indicates that the processing of personal data would cause a high risk to the rights and freedoms of the data subject and the controller is not able to decrease the level of risk through measures of its own.

In the prior consultation, the controller contacts the Office of the Data Protection Ombudsman, which then issues written instructions for reducing the level of risk.

The impact assessment and prior consultation procedures were launched in 2018, with few actual procedures carried out yet. In the autumn of 2018, the European Data Protection Board confirmed EU-wide criteria specifying when an impact assessment is required. On the basis of these criteria, the Office of the Data Protection Ombudsman drew up the national list, required by the GDPR, of processing types requiring impact assessments. The list was published in December 2018 and covered the processing of data categories such as biometric, genetic and geographic data. The first prior consultations in Finland are expected in early 2019.