Search

Frequently asked questions about banking Are banks permitted to copy my ID? Yes. Banks have a statutory obligation to know and identify their customers. Among other things, this means that the bank must verify the customer’s identity in a reliable...

Frequently asked questions on data protection and the coronavirus What does health data mean? Health data refers to information about an individual’s health, diseases, disability or treatment. Health data belongs to the special categories of perso...

Frequently asked questions about direct marketing Electronic direct marketing includes direct marketing via automated calling systems, as well as direct marketing implemented using email, text, sound, voice or picture messages. Traditional direct ...

Frequently asked questions about personal identity code Is it permitted to ask for the personal identity code when a guest checks into a hotel? Yes. According to the Act on Accommodation and Food Service Activities (308/2006), an accommodation pro...

Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...

Contact information Office of the Data Protection Ombudsman Street address: Lintulahdenkuja 4, 00530 Helsinki Postal address: PL 800, 00531 Helsinki, Finland Switchboard : +358 29 566 6700 Registry: +358 29 566 6768 E-mail (registry): tietosuoja(a...

30.3.2026 | The Deputy Data Protection Ombudsman has determined that the credit information company Dun & Bradstreet Finland’s practice of allowing individuals to only check their credit information for free once per year is not compliant with data protection legislation. Several deficiencies were also found in the company’s practices for responding to personal data requests.

Disclosures of data Personal data is disclosed to service providers that supply IT services to the Office of the Data Protection Ombudsman. These providers process personal data on behalf of the Office and are not permitted to process the data for...

Codes of Conduct Codes of conduct are sector-specific guidelines on the application of data protection legislation. They are intended to help organisations comply with data protection requirements with concrete and practical instructions. By commi...

Automated decision-making and profiling What does profiling mean? Profiling means the automated processing of personal data for evaluating the personal aspects of an individual. In particular, profiling refers to the analysis or prediction of aspe...

25.3.2026 | The Sanctions Board of the Office of the Data Protection Ombudsman has imposed a fine of EUR 5,000 on Suomen Numerokeskus Oy, as the company systematically failed to comply with customers’ right to access recordings of customer calls. The company also deleted the call recordings despite requests from customers to review them.

Processors A processor is an individual or an organisation that processes personal data on behalf of a controller. Processors operate according to the controller’s instructions and under its supervision. The controller determines the purposes and ...

Frequently asked questions about phone calls Are individuals allowed to record their own telephone conversations? Citizens have the right to record telephone calls in which they are the caller or receiver. Finland’s Constitution gives the right to...

Roles and responsibilities for processing personal data in scientific research A research project can involve a variety of parties in different roles. Personal data may be processed for research purposes by one or more research organizations, pers...

Controller's record of processing activities The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if the personal data ...

In the description of public access to documents, we describe what kind of information the Office of the Data Protection Ombudsman stores and how you can request information for yourself.

Frequently asked questions about working life What personal data on employees and job applicants can an employer process? The employer may only process personal data that is directly necessary with regard to the employee's employment relationship,...

25.6.2025 | ANNUAL REPORT OF THE OFFICE OF THE DATA PROTECTION OMBUDSMAN OF FINLAND 2024 ANNUAL REPORT OF THE OFFICE OF THE DATA PROTECTION OMBUDSMAN OF FINLAND 2024 3 Contents The Office of the Data Protection Ombudsman safeguards the rights and freedoms of ...

7.7.2022 | The Office of the Data Protection Ombudsman has investigated the procedures used by insurance companies when they request health information from insurance applicants and the insured from healthcare providers in order to determine the liability of the insurance company. Deficiencies were found especially in the appropriate limitation of information requested from healthcare services and the legality of processing the health information of insurance applicants.

Frequently asked questions about information systems Can the customer of the company be entitled to log data by virtue of the right of access? Article 15 of the General Data Protection Regulation provides for the data subject's right of access to ...