Frequently asked questions about genealogy
The General Data Protection Regulation (GDPR) does not specify what personal data may be processed for genealogical purposes. The essential requirement is that the author follows the principle of purpose limitation. According to the principle, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The necessity of each collected item of personal data must be assessed individually. You must also be able to justify why the collected personal data is necessary for your genealogical research. Personal data should not be collected “just in case”, but only in a planned manner and for a specific need.
As a rule, the name, date and place of birth, date of marriage, time and place of death, and title, degree, rank or profession of the related person and their spouse can be considered necessary data for the purposes of genealogical research. It is not possible to give an exhaustive list of necessary personal data. Rather, necessity is determined by the purposes of the genealogical study in question. Processing personal data such as information on an individual's health or cause of death is not necessary or justified in most genealogical research, however.
Personal data concerning religious beliefs, health and political opinions belong to the special categories of personal data referred to in the GDPR. As a rule, processing these special categories of personal data is prohibited.
Regardless of this general prohibition, special categories of personal data can be processed if an exception to the prohibition is provided for in the GDPR or other legislation. In practice, the processing of special categories of personal data for genealogical purposes is only permitted with the data subject’s consent. Article 9(2)(j) of the GDPR also permits the processing of special categories of personal data when it is necessary for purposes of historical research, but this requirement is generally not met by genealogical studies.
Genealogists must keep in mind that genealogical research may not violate the privacy of its subjects. This means, among other things, that information on adoptions or other subjects generally considered personal should remain in the archives unless the specific consent of the individual in question can be obtained. Personal identity codes may never be included in a genealogy, if only because copies of the genealogy are usually distributed to everyone who participated in the study. Processing personal identity codes in this manner would not be in compliance with data protection regulations.
The genetic data of living or dead individuals should not be processed in genealogical research. Such data cannot be anonymised and usually concerns not just the individual themselves, but also their relatives and even future generations. Since an individual cannot give consent on behalf of another, genome data should never be processed on the basis of consent.
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (the “household exemption”). In other words, if you are drawing up the genealogy “into your desk drawer” simply out of personal curiosity, and the materials will not be published online, for example, the processing of personal data in connection with the genealogy will fall outside the scope of the GDPR. You should nevertheless keep in mind that other legislation, such as the Criminal Code, may apply if the genealogist’s activities meet the definition of offences such as defamation or dissemination of information violating personal privacy.
The GDPR does not apply to the data of deceased individuals, nor have any supplementary national provisions on the processing of the personal data of the deceased been enacted in Finland. In other words, if the genealogy only concerns dead people and no personal data that would also apply to the living is processed, the GDPR does not apply. Neither can the relatives of a deceased individual exercise the rights of the data subject on the deceased's behalf, for example.
You should nevertheless note that data pertaining to a dead individual can sometimes reveal information on living persons as well. For example, a genealogy can include information on relationships that primarily concern a deceased individual but also reveal something about their living relatives. Such living relatives thus have the right to exercise their rights under the GDPR with regard to such data, even though the data only concerns them indirectly.
If no exemptions apply to the genealogical research, i.e. it is not being conducted in the course of a purely personal or household activity (the “household exemption”), for example, the GDPR will apply to it. In such cases, the individual processing personal data for the purposes of genealogical research is a controller. The subjects of the genealogy, whose personal data the genealogist processes, are data subjects. It follows that the genealogist must be able to fulfil the rights of the data subject, among other things. The genealogist must also determine in advance what the basis for processing under Article 6 of the GDPR will be.
In practice, the legal bases for processing applicable to genealogical research are limited to the consent and legitimate interest provided for in Article 6 of the GDPR. If the basis for processing is legitimate interest, the balance test and conclusions drawn from it must be documented before the start of processing in order to comply with the controller's accountability. Personal data cannot be processed on the basis of legitimate interest if such interests are overridden by the interests or fundamental rights and freedoms of individuals which require protection of personal data, in particular where the data subject is a child.
With regard to consent, the genealogist is required to pay attention to Article 7 of the GDPR, setting out the requirements for valid consent. For example, consent must be freely given and unambiguous. You may not bundle various purposes of processing into a single request for consent, but must give the data subject the choice to give or refuse their consent for each different purpose of processing. Consent must cover all processing activities and must be as easy to withdraw as to give.
Consent is not a valid basis for processing if it cannot be withdrawn, for example due to technical reasons, or withdrawing the consent would be more difficult than giving it. In such cases, the genealogist must specify a different basis of processing provided for in Article 6 of the GDPR. A real chance to withdraw consent also requires that the data subject, whose personal data is being processed, is able to conveniently contact the controller, i.e. the genealogist. For this reason, data subjects must be provided with the genealogist’s up-to-date contact details. If contacting the controller would require effort, the consent is not valid and the processing is illegal. As a rule, the personal data being processed on the basis of consent must also be erased if the data subject withdraws their consent. Silence or inactivity cannot be considered to constitute valid consent.
Even if the genealogical research would be permitted on other bases than consent, i.e. legitimate interest, such other bases do not apply to publishing personal data online. Uploading data to a public network requires consent that meets the conditions provided for in Article 7 of the GDPR.
According to recital 160 of the GDPR, the processing of personal data for purposes of historical research includes research for genealogical purposes. Genealogical research can fall within the scope of the GDPR's provisions concerning historical research even if it would not fall under the “household exemption”, under which research is conducted in the course of a purely personal or household activity. However, not all genealogical research can be considered to meet the definition of historical research.
If the genealogical research can be deemed to meet the definition of historical research, it is not considered incompatible with the original purposes of processing the personal data (GDPR, Article 5(1)(b)). However, it is part of the definition of historical research that data concerning a specific individual will not be disclosed to third parties.
The rights of the data subject are listed in Chapter III of the GDPR. As a rule, the controller, i.e. the genealogist, must also be able to fulfil these rights in practice. The data subjects are the individuals whose personal data the genealogist processes in the course of research.
If the genealogical research constitutes processing of personal data for purposes of historical research, the data subject's rights of access to data (Article 15), rectification (Article 16), restriction of processing (Article 18) and objecting to processing (Article 21) can be derogated from if necessary, i.e. the researcher can refuse to fulfil these rights. The right to refuse to fulfil the data subject's rights is not automatic, however, but must be based on necessity. Rights can only be refused insofar as they prevent or significantly hinder the achievement of the purposes of the research. Therefore, simply ignoring the rights of the data subject is not legal.
For example, access to data can only be refused if implementing the access would actually be difficult. As an example of such cases, the legislator cites a scenario in which the entire body of research data has been pseudonymised and the controller is not in possession of the code key for breaking the encryption. Such challenges in implementing access to the personal data being processed are unlikely to be present in genealogical research.
It should also be noted that, according to section 31 of the Data Protection Act, refusing to fulfil the data subject’s rights provided for in Articles 15, 16, 18 and 21 of the GDPR in processing related to historical research also requires an appropriate research plan, appointing a person or team responsible for the research, and not disclosing data concerning specific individuals to third parties. In other words, if the data will be uploaded to the internet, for example, the rights of the data subject cannot be refused on the grounds of historical research.
The data subject’s right to be forgotten can also be derogated from when personal data is being processed for the purposes of historical research. However, the genealogist serving as controller must be able to justify why the erasure of the data subject’s data would probably prevent or significantly hinder the genealogical research. The controller must be able to present such justifications to both the data subject that requested the erasure of the data and to the supervisory authority.
In practice, the requirement of accountability provided for in the GDPR requires the controller to document the assessment process and justifications for continuing the processing regardless of the data subject’s objections. The fulfilment of the duty to inform the data subject must also be adequately documented. If such documentation has not been drawn up, the controller has neglected its obligations under the GDPR and the processing is illegal.
If the genealogical research is being conducted in the course of a purely personal or household activity, i.e. for the genealogist’s own edification or into the “desk drawer” (the “household exemption”), or if exemptions regarding freedom of speech apply, the data subject’s rights do not apply. Exemptions concerning freedom of speech are addressed below under the question “What should the author of a genealogy take into account when processing personal data?”
Great care must be taken about publishing personal data on the internet. Publishing personal data on the internet is equivalent to disclosing the data. If the genealogist publishes the genealogy online, they cannot be certain of the uses to which the personal data will be put. In a public network, data is within easy reach of everyone. It can benefit the data subjects themselves and others, but can just as easily be accessed by those seeking to misuse it. The public net is worldwide, and it is impossible to control the use of data uploaded there. For this reason, genealogists functioning as controllers must exercise discretion and take the legislation into account before publishing data on the internet.
As a rule, personal data should not be disclosed over the public net without the data subject’s consent in any activities. Certain acts contain specific provisions on the disclosure of personal data online. However, the scope of such acts is intentionally narrow.
The requirements for valid consent are provided for in Article 7 of the GDPR. No specific format has been defined for consent, but it should be acquired in writing so that the controller can prove that it has been given and fulfil the accountability requirement in this regard.
The genealogist must take the principle of purpose limitation into account also when uploading personal data to the net. The principle states that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In other words, the genealogist must consider in advance which personal data they intend to collect for the genealogical file and how such data will be processed for the purposes of genealogical research. Because the data may only be used for the purposes of genealogical research, it may not be uploaded to a public website, at least without the data subject’s consent. In other words, it is a question of complying with the principle of purpose limitation: on a public website, anyone can use the data for purposes other than genealogical research, so the processing of the personal data would no longer be limited to the purpose for which it was collected (genealogical research). Neither should the genealogist upload materials such as another person's photograph or any other personal data to the public net for the purposes of requesting further information on the person in question.
According to recital 160 of the GDPR, the processing of personal data for purposes of historical research includes research for genealogical purposes. However, genealogical research involves the problem that the right to process personal data for the purposes of scientific research does not equate to a right to publish the personal data processed for the purposes of the research on the web or make it otherwise available to an unspecified group of people. For example, the legislative materials for the Personal Data Act explicitly state the legislator's assumption that, even in historical research, personal data will be processed in a manner that does not disclose data related to a specific individual to outsiders. This principle has now been reiterated in section 31 of the Data Protection Act. Accordingly, the processing of personal data collected for the purposes of genealogical research should not be considered to fall under the exemptions made for historical research if the data is uploaded to a public network.
The genealogist should also be aware of the problems posed by third-party platforms, such as various genealogical websites and social media. In practice, personal data discussed in, for example, private social media groups ends up in the possession of the social media services, which is not necessarily the wish of the data subject. Genealogical websites are discussed in more detail under the next question.
In maintaining the genealogical file in an online database service, the genealogist is disclosing personal data to a party whose processing activities the genealogist is not able to control in any way. Therefore, the genealogist must inform the data subjects of the intention to disclose the personal data of living people to such services and request their consent for such disclosure when informing the data subjects of the processing.
If the genealogist wishes to use such services for conducting genealogical research, they must read the service's privacy policy and terms of use carefully before using the service. For example, MyHeritage's privacy policy requires the user to have obtained the consent of their living relatives for disclosing data to the service.
You should also note that the terms of use of such services may impose responsibilities and obligations on their users. Uploading the data to, for example, a third-party genealogy service does not release the genealogist from the controller’s obligations. The person who collected the data for the genealogical research remains the controller. If the genealogist uploads personal data to a third-party platform, the site's administrator could be considered to be a joint controller together with the person who uploaded the data. It is also important to keep in mind that these roles cannot be agreed on, but are always determined by actual activities.
If you discover personal data concerning yourself in such services on the internet, you should first request the person who uploaded the data to the service to erase the data. After that, you can also contact the Office of the Data Protection Ombudsman if necessary, but the matter can usually (and always when it concerns exercising the data subject’s rights) only be taken forward if you have contacted the controller personally.
As the controller, the genealogist is required to ensure that the data subjects, i.e. the persons included in the genealogy, are able to contact the genealogist without undue effort. The service's privacy policy may also provide the opportunity to contact the service’s administrator to have your data erased. You should read the site’s privacy policy carefully also in this regard.
Before uploading data to the site, the genealogist must make sure that data can be effortlessly removed from it, for example if a data subject withdraws their consent. If personal data has been uploaded to the internet without appropriate consent, the genealogist may be liable for sanctions under both the Criminal Code and the GDPR.
After the data has been removed from the website that published it, it will eventually also disappear from search engines as they update their data stores. This process can be expedited by completing the form provided by the search engine. Several search engines also provide instructions for quickly erasing data from their data stores. Read more about erasing information from search engines on the Frequently asked questions about search engines page.
Where the genealogical data will be published is the essential consideration here. If you are compiling the genealogy purely for your own pleasure without uploading any data to the internet, for example, the GDPR does not apply. But if you do intend to publish the data in a genealogy, the processing of personal data could be subject to exemptions under the freedom of speech, which are addressed in more detail under the question “What should the author of a genealogy take into account when processing personal data?”
If none of the aforementioned exemptions apply, the genealogist must take into account that individuals can be identified from entries such as “woman, born 1 January 2000” in the context of a genealogy. In such cases, you will need the data subject’s consent for the processing or, alternatively, the conditions for processing on the basis of legitimate interest have to be met.
The fact that data has been published somewhere in the past does not give you the right to process the data for other purposes. Data protection regulations also apply to the processing of published personal data.
As a rule, the GDPR applies to all processing of personal data. Therefore, the author of a genealogy must also take the legislation applying to the processing of personal data into account when drawing up the genealogy.
Freedom of speech, which is a universal fundamental right enshrined in section 12 of the Constitution of Finland, is also a significant consideration in the processing of personal data by the author of a genealogy. Writing a book usually involves the exercise of free speech. The freedom of speech includes the right to express, disseminate and receive information, opinions and other communications without prior prevention by anyone. It is traditionally a feature of free speech that the authorities do not restrict its exercise beforehand. The freedom of speech can only be restricted by virtue of a specific legal provision.
Freedom of speech has also been taken into account in the GDPR. According to Article 85 of the Regulation, Member States must by law reconcile the right to the protection of personal data pursuant to the General Data Protection Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
In Finland, freedom of speech and the protection of personal data have been reconciled in section 27 of the national Data Protection Act. According to the Data Protection Act, the restrictions on processing personal data for journalistic, academic, artistic or literary purposes are mostly limited to the obligation to protect personal data. For example, the rights of the data subject or the requirement of a basis for processing do not apply in full when someone is exercising their freedom of speech.
As a rule, personal data may only be stored in a form from which the data subject can be identified for as long as is necessary for achieving the purposes of the processing. Longer storage periods are possible for the purposes of historical research, provided that the appropriate technical and organisational safeguards have been implemented to secure the rights and freedoms of the data subject. Storing personal data indefinitely is not possible on any basis, however.
Yes. The genealogist is the controller with regard to the personal data processed for the purposes of genealogical research. The controller must inform the Data Protection Ombudsman of any data breaches involving the personal data. In addition, the data subjects must also be notified of the personal data breach in certain cases. Such notifications are provided for in Articles 33 and 34 of the GDPR.
More information on when you are required to make a notification is available on our website: More information about personal data breaches