Office of the Data Protection Ombudsman

The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data.

The Office of the Data Protection Ombudsman is an expert organisation with approximately 25 employees. The Office is an autonomous and independent authority.

The Office of the Data Protection Ombudsman was established in 1987. Reijo Aarnio has been serving as the Data Protection Ombudsman since 1 November 1997. The Data Protection Ombudsman is appointed by the government.

Duties of the Data Protection Ombudsman

The Office of the Data Protection Ombudsman supervises the legality of personal data processing and the implementation of the data protection rights of individuals.

The duties of the Office of the Data Protection Ombudsman include

  • supervising compliance with data protection legislation and other laws concerning the processing of personal data
  • promoting awareness of the risks, rules, safeguards, obligations and rights related to the processing of personal data
  • carrying out investigations and inspections
  • imposing administrative sanctions for violations of the General Data Protection Regulation
  • issuing statements on legislative and administrative changes that affect the protection of the rights and freedoms of individuals with regard to the processing of personal data
  • issuing statements on offences involving the processing of personal data
  • supervising the processing of credit status information and corporate credit ratings
  • processing requests for issuing orders with regard to the rights of data subjectsand notifications of other violations related to the processing of personal data
  • receiving declarations of Data Protection Officers
  • receiving reports of personal data breaches
  • drawing up a list of circumstances in which a data protection impact assessment is required
  • evaluating prior consultations concerning high-risk data processing
  • approving code of practice and standard clauses
  • encouraging the adoption of certificates, accrediting certification bodies and revoking issued certificates
  • cooperating with the EU's other data protection authorities within the scope of the one-stop-shop principle
  • participating in the operations and decision-making of the European Data Protection Boardand referring matters to it when required.