Processing of the personal data of Data Protection Officers

Controllers and processors must declare the contact details of their Data Protection Officers to our Office. The notification can be made with the form on our website or by providing the contact details to our registry in another manner. The notifications are logged in our case management system. The organisation that made the notification will be sent an info package on the tasks of the Data Protection Officer, which it should forward to the Officer.

If the Data Protection Officer or his or her contact details change, the controller or processor is required to update the information by filing a change notification with the Office of the Data Protection Ombudsman. The change form on our website can be used to file the notification. We store the history data related to the Data Protection Officers designated by each organisation.

The storage times of personal data related to Data Protection Officer notifications are determined by the Archive Act (831/1994), the National Archives Service regulation (AL 16465/07.01.01.03.02/2016) and the Office’s archiving plan.

Purpose of processing

The purpose of processing the personal data of Data Protection Officers is to enable communication between the supervisory authority and the Data Protection Officers of controllers and processors. The Data Protection Officer serves as the point of contact with the supervisory authorities in questions related to the processing of personal data.

The personal data of Data Protection Officers can also be processed in the course of the Office of the Data Protection Ombudsman's supervisory duties, such as to determine whether all organisations obligated by the GDPR or special legislation to designate a Data Protection Officer have done so.

The data of Data Protection Officers is also used for the planning and implementation of our office's activities, and statistics can be generated from the data. The contact details submitted to us are used for official communications.

What data do we process on Data Protection Officers?                                                         

  • The name, contact details and business ID of the controller/processor. We also specify the company's sector for our case management system.
  • The name of the Data Protection Officer. Declaring the name is voluntary, but recommended for facilitating cooperation.
  • E-mail address of the Data Protection Officer
  • Telephone number of the Data Protection Officer
  • Address of the Data Protection Officer
  • Information on the basis on which the Data Protection Officer has been declared, that is, whether the notification was based on the GDPR or special legislation or whether it was made voluntarily.

Our processing is based on

We process the personal data for compliance with a legal obligation concerning the Data Protection Ombudsman

  • General Data Protection Regulation, Article 6(1), point c
  • General Data Protection Regulation, Article 37(7)

Disclosure of data

There are no regular disclosures of data.

Data is disclosed to authorities that request it in accordance with the Act on the Openness of Government Activities. The data concerning Data Protection Officers is public.

Your data protection rights with regard to the processing of personal data

Right to obtain information on the processing of personal data

  • You have the right to know for what purposes and by which methods we process your personal data.
  • The aim of this description of our data protection policies is to provide a comprehensive picture of the processing of personal data in our operations. If some aspect of our processing of personal data remains unclear, however, the description has failed in its purpose. In such cases, you are welcome to ask us for further details.
  • More information on the right to obtain information on the processing of personal data.

Right of access

  • You have the right to know whether or not we are processing personal data that concern you. If we are, you have the right to obtain a copy of this data unless we have a legal basis for refusing to fulfil this right.
  • More information on the right of access.

Right to rectification

  • If the personal data we are processing is inaccurate, you can request us to rectify such data that concerns you.
  • If we rectify data on the basis of your request, we are obligated to notify all parties to whom we have previously disclosed your data of the rectification where viable.
  • More information on the right to rectification.

Right to restriction of processing

  • If you consider the data that we are processing to be inaccurate or the processing to be unlawful, or you have objected to the processing of your data, you can request us to restrict the processing of your data.
  • In such cases, we are only allowed to process your data
    • with your consent
    • if we need the data for the establishment, exercise or defence of legal claims
    • for the public interest or
    • in order to safeguard the rights of another person.
  • If we restrict the processing of data on the basis of your request, we are obligated to notify all parties to whom we have previously disclosed your data of the restriction where viable.
  • More information on the right to restriction of processing.        

You can send requests concerning your data protection rights to the Office of the Data Protection Ombudsman by e-mail (tietosuoja@om.fi) or post (PL 800, 00521 HELSINKI).

The Office of the Data Protection Ombudsman does not make decisions based on automated processing. Neither does the Office create profiles on the basis of the personal data it processes.

The decisions of the Office of the Data Protection Ombudsman can be appealed in the competent Administrative Court according to the instructions for appeal provided by the Office of the Data Protection Ombudsman. The legality of the Office of the Data Protection Ombudsman's actions is supervised by the supreme guardians of the law, i.e. the Parliamentary Ombudsman and Chancellor of Justice.