Search

Supervision of codes of conduct The code of conduct must specify a mechanism for the effective monitoring of compliance with the code. Monitoring means ensuring that the controllers and processors committed to compliance with the code follow the p...

In the description of public access to documents, we describe what kind of information the Office of the Data Protection Ombudsman stores and how you can request information for yourself.

Processing involving several EU countries If your organisation operates in more than one EU country, you need to find out which country’s supervisory authority you are meant to deal with. This data protection authority is called the lead superviso...

The Digital Services Act and powers of the Data Protection Ombudsman in the monitoring of online platforms The EU Digital Services Act (DSA) imposes obligations on digital service providers, such as online platforms, to improve the transparency an...

Annual report 2024 The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data The Office of the Data Protection Ombudsman is an autonomous and independent authority ...

Codes of Conduct Codes of conduct are sector-specific guidelines on the application of data protection legislation. They are intended to help organisations comply with data protection requirements with concrete and practical instructions. By commi...

Accessibility statement of Tietosuoja.fi This accessibility statement applies to the website www.tietosuoja.fi and it was created on 22 September 2020. The statement has been updated on 20 January 2026. We are committed to providing accessibility ...

Processors A processor is an individual or an organisation that processes personal data on behalf of a controller. Processors operate according to the controller’s instructions and under its supervision. The controller determines the purposes and ...

List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA) Updated 21.12.2018 Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in...

Frequently asked questions about the Digital Services Act (DSA) What kinds of operators are subject to the DSA's obligations? The obligations imposed by the Digital Services Act (DSA) apply to all online services, referred to as 'intermediary serv...

Roles and responsibilities for processing personal data in scientific research A research project can involve a variety of parties in different roles. Personal data may be processed for research purposes by one or more research organizations, pers...

The review and approval of codes of conduct at the Office of the Data Protection Ombudsman The Office of the Data Protection Ombudsman reviews and approves national codes of conduct applied in Finland. The criteria for the content of codes of cond...

19.3.2026 | This year, European data protection authorities will investigate how well organisations comply with the transparency and information obligations related to personal data processing. Data protection authorities from 25 countries across Europe will take part in the action.

30.1.2026 | On Thursday 29 January 2026, the Government appointed Heljä-Tuulia Pihamaa, Master of Laws, to the post of Deputy Data Protection Ombudsman for the next five-year term of office, starting on 22 March. Pihamaa has been serving as Deputy Data Protection Ombudsman since March 2021.

Frequently asked questions about health care Rectifying patient records How can I rectify my patient records? If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care un...

Frequently asked questions about working life What personal data on employees and job applicants can an employer process? The employer may only process personal data that is directly necessary with regard to the employee's employment relationship,...

Frequently asked questions on data protection and the coronavirus What does health data mean? Health data refers to information about an individual’s health, diseases, disability or treatment. Health data belongs to the special categories of perso...

Processors’ responsibilities Processors are governed by the General Data Protection Regulation if they are established in an EU Member State they are not established in an EU Member State but their personal data processing activities relate to the...

Data protection in the development and use of AI systems These pages have information on the requirements arising from data protection legislation that should be taken into account when artificial intelligence (AI) systems are developed and used. ...

5.3.2025 | This year, the European data protection authorities will examine how organisations are exercising the right of individuals to have their personal data erased. Thirty-two data protection supervisory authorities from across Europe are participating in the joint inquiry. The Office of the Data Protection Ombudsman will investigate the situation in Finland through an anonymous survey of data controllers.