Search

In the description of public access to documents, we describe what kind of information the Office of the Data Protection Ombudsman stores and how you can request information for yourself.

25.2.2025 | The EU's Digital Services Act imposes obligations on digital service providers to improve the transparency and security of their services. Last year, authorities in Finland received nearly 80 complaints about suspected breaches of the Digital Services Act, and the EU Commission has launched several investigations into digital waste. The act, which improves users' rights, has been fully in force for one year as of February 2025.

Transfer bases for authorities and the public sector Authorities and public organisations can transfer personal data to international organisations or the public bodies of third countries based on a European Commission decision on the adequacy of ...

16.2.2024 | The Digital Services Act (DSA), which will be applied in mid-February, aims to secure the position of users of digital services, such as various online communities and marketplaces. If you report suspected illegal content in the future, the service provider must deal with the matter and inform you of its solution. If you produce content or act as a seller through an online platform, you have the right to receive information and justifications about any kind of restriction of the use of service.

Destruction, anonymisation or archiving of data at the conclusion of research When a study ends, the controller must ensure that data is appropriately destroyed, anonymised or archived. Data protection regulations specify a lifespan for personal d...

When is the processing of personal data permitted? Legal bases for processing personal data The processing of personal data always requires a legal basis, which must be determined before the start of processing. Once the processing of personal dat...

Current issues Deputy Data Protection Ombudsman: individuals must be able to access their credit information for free Publication date: 30.3.2026 Suomen Numerokeskus fined for failing to provide call recordings Publication date: 25.3.2026 The Offi...

Transfers on the basis of an adequacy decision Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy d...

Telephone services at the Office of the Data Protection Ombudsman Data processed in connection with the use of telephone services Switchboard The switchboard of the Office of the Data Protection Ombudsman connects calls to the public officials wor...

Frequently asked questions regarding the adequacy decision concerning data protection in the United States For organisations What does the adequacy decision concerning the United States mean? The European Commission's decision on the adequacy of d...

Processing of special categories of personal data As a rule, the processing of personal data belonging to special categories is prohibited. Such data reveals the person’s ethnic origin political opinions religion or philosophical beliefs trade uni...

Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...

Transfers of personal data out of the European Economic Area Transferring personal data out of the EEA requires an appropriate basis for the transfer and compliance with the other requirements imposed by data protection legislation. This page desc...

Electronic services at the Office of the Data Protection Ombudsman Instituting a case electronically The Office of the Data Protection Ombudsman uses electronic forms implemented with the Government ICT Centre's (Valtori) Turvalomake (Secure Form)...

The right to obtain information on the processing of personal data Data subjects have the right to be informed of the collection and processing of their personal data. The processing of personal data shall be done in a transparent manner. Data sub...

Derogations for specific situations Article 49 of the General Data Protection Regulation provides for derogations for specific situations. They are a last-resort basis for data transfer, only applicable in exceptional cases . The transfer of data ...

Guidelines of the European Data Protection Board The European Data Protection Board (EDPB) is responsible for the uniform application of the EU's General Data Protection Regulation and the Data Protection Directive applying to police and criminal ...

Disclosures of data Personal data is disclosed to service providers that supply IT services to the Office of the Data Protection Ombudsman. These providers process personal data on behalf of the Office and are not permitted to process the data for...

For the media Interview requests Media representatives may contact the Office of the Data Protection Ombudsman’s communications to arrange a suitable interview time. Communications can be reached by media representatives during office hours. Commu...

Processing of matters within our competence Processing of personal data in connection with the processing of cases falling within our competence Cases instituted with the Office of the Data Protection Ombudsman are logged in the Office's case mana...