Focus areas of data protection activities
Rights of the data subject
The rights of the data subject are defined in the third chapter of the General Data Protection Regulation and the fourth chapter of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security. The rights of data subjects include, for example, the right to access, rectify and erase data and the right not to be subject to a decision based solely on automated processing. These rights are the data subjects' toolbox, with which they can influence how their data are processed.
In the work of the Office of the Data Protection Ombudsman, the rights of the data subject are visible in two ways. The Office processes complaints and reports from data subjects in cases where it is suspected that the processing of personal data violates data protection regulations. In addition, the Office produces proactive guidance and educational material and responds to different kinds of queries from data subjects. The Office's website and telephone guidance in particular are important channels in this work.
During 2019, the Office's activities also focused on harmonising its processing and decision practice for the cases instituted, both within the Office and as part of the harmonisation work of the European Data Protection Board.
Personal data refers to all data related to an identified or identifiable person.
The data subject is the person to whom the personal data relates.
A controller is a person, company, authority or community that determines the purposes and means of processing personal data.
A processor is a third party processing personal data on behalf of a controller.
Data subjects have the right
- to obtain information on the processing of their personal data;
- to access their data;
- to rectification of their data;
- to the erasure of their data and to be forgotten;
- to restriction of the processing of their data;
- to data portability;
- to object to the processing of their data;
- not to be subject to a decision based solely on automated processing; and
- to receive help from the authority supervising data protection.
Not all of these rights can be exercised in all situations, depending on factors such as the basis for the processing of personal data.
Supporting the work of Data Protection Officers as a goal
Data Protection Officers are internal experts who monitor the processing of personal data in their organisation and provide advice on compliance with data protection regulations. They are also important contact persons for the supervisory authority and for data subjects in data protection matters.
During 2019, the Office of the Data Protection Ombudsman added answers to the most common questions concerning Data Protection Officers to its website. In March, the Office of the Data Protection Ombudsman sent a newsletter for the first time; the newsletter is targeted especially at those working as Data Protection Officers, but also at other people interested in data protection issues. The newsletter of the Office of the Data Protection Ombudsman is published approximately six times per year. The aim is to further increase cooperation with, and communication targeted at, Data Protection Officers in the coming years.
An organisation is required to appoint a Data Protection Officer if it
- processes sensitive data on a large scale;
- monitors individuals regularly, systematically and on a large scale; or
- is a public authority other than a court of law.
The Office of the Data Protection Ombudsman had been notified about 1,828 Data Protection Officers by the end of 2019. Organisations have a statutory obligation to notify the Office of the Data Protection Ombudsman about their Data Protection Officer.
Personal data breaches formed the largest group of cases
Notifications of personal data breaches formed the largest individual group of cases instituted at the Office of the Data Protection Ombudsman in 2019. During the year, the processing of notifications was developed and made more efficient by means such as implementing a standard response for those personal data breaches that are unlikely to lead to any further action. The requests for further information sent in connection with Office 365 personal data breaches were also developed. Breaches of this type form a significant part of the serious personal data breaches reported to the Office of the Data Protection Ombudsman.
Certain common features can be identified in the personal data breaches. It is often difficult for controllers to ascertain which personal data have ended up in the possession of external parties. There is also room for improvement in how quickly controllers detect personal data breaches. In addition, there may be deficiencies in the general information technology skills of small organisations in particular.
The Office of the Data Protection Ombudsman was notified of 3,839 personal data breaches in 2019.
If a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the Office of the Data Protection Ombudsman must be notified. The notification obligation has applied since May 2018.
Processing cross-border matters
Cross-border processing means either
- processing of personal data which takes place in establishments in more than one EU Member State where the controller or processor is established in more than one Member State or
- processing of personal data which takes place in a single establishment of a controller or processor in the EU, but which substantially affects data subjects in more than one Member State.
When the processing of personal data crosses borders, the European supervisory authorities monitor the processing of personal data in cooperation.
During 2019, the Office of the Data Protection Ombudsman further developed the processes created the previous year for processing cross-border matters. The Office's internal process clinics aimed to ensure that the processing of cross-border matters progresses smoothly and uniformly. Operating methods and the processing of matters were developed to correspond to the new instructions issued by the European Data Protection Board.
The EU supervisory authorities have resolved cross-border matters in cooperation ever since the GDPR became applicable in May 2018.
Of the cross-border matters instituted during 2019, the Office of the Data Protection Ombudsman was named as the lead supervisory authority in two matters and as a supervisory authority concerned in 107 matters.
Transferring personal data abroad
Transferring personal data out of the EEA always requires appropriate grounds for the transfer and compliance with the other requirements imposed by data protection legislation. The GDPR increased the number of grounds for transfer and updated some of the grounds that were already in place.
The Office of the Data Protection Ombudsman participated actively in the work of a subgroup of the European Data Protection Board on international transfers. The goal of the subgroup is to clarify the preconditions for transfer and give instructions on the grounds for transfer in accordance with the GDPR. The website of the Office of the Data Protection Ombudsman was also updated during the year with instructions on the requirements for transferring personal data outside the EEA.
Corrective powers in use
Under the GDPR, the Office of the Data Protection Ombudsman can use corrective powers of different degrees. During 2019, the Office issued orders to controllers concerning the implementation of data subjects' rights, changes to processing measures, and the notification of data subjects about a personal data breach. In addition, reprimands were issued for deficiencies in the processing of personal data.
A sanctions board is responsible for imposing administrative fines; the board consists of the Data Protection Ombudsman and the two Deputy Data Protection Ombudsmen. No administrative fines were imposed during 2019, however.
One of the focus areas of the Office of the Data Protection Ombudsman was harmonising the processing of matters related to the corrective powers and the sanction practice. A working group was established in the Office for this purpose; it draws up internal instructions and supports the work of individual referendaries.
In 2019, the Office of the Data Protection Ombudsman issued
- three orders to bring personal data processing measures into compliance with the GDPR;
- 39 orders to notify data subjects about a personal data breach; and
- 41 reprimands for processing measures that violate the GDPR.
Annual Report of the Office of the Data Protection Ombudsman 2019