Haku

Euroopan tietosuojaneuvoston ohjeet Euroopan tietosuojaneuvosto vastaa EU:n yleisen tietosuoja-asetuksen ja poliisi- ja rikosoikeusviranomaisia koskevan tietosuojadirektiivin yhdenmukaisesta soveltamisesta Euroopan unionissa. Tietosuojaneuvosto ju...

Frequently asked questions about mobile location Why do telecommunications companies process location data? Thanks to communications networks, users are available wherever they are. In order to create a connection between the caller and recipient ...

22.4.2020 | Euroopan tietosuojaneuvoston ohjeet koskevat terveystietojen käsittelyä COVID-19-tautiin liittyvässä tieteellisessä tutkimuksessa sekä sijaintitietojen ja kontaktien jäljityssovellusten käyttöä.

List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA) Updated 21.12.2018 Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in...

What is personal data? All data related to an identified or identifiable person are personal data. In other words, data that can be used to identify a person directly or indirectly, such as by combining an individual data item with some other piec...

This section provides answers to common questions.

Frequently asked questions about working life What personal data on employees and job applicants can an employer process? The employer may only process personal data that is directly necessary with regard to the employee's employment relationship,...

Processing of personal data The processing of personal data refers to activities such as the collection, storage, use, transfer and disclosure of personal data. All activities involving personal data, from the planning of processing to the erasure...

Transfer of data abroad Research is an international activity, and a need to transfer personal data out of Finland may arise during a project. There is legislation to ensure that the level of data protection does not deteriorate even if a research...

Binding corporate rules Binding Corporate Rules (BCR) refer to common binding rules on the transfer of personal data to third countries within companies in the same group of undertakings or group of enterprises engaged in a joint economic activity...

Transfers on the basis of an adequacy decision Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy d...

Frequently asked questions regarding the adequacy decision concerning data protection in the United States For organisations What does the adequacy decision concerning the United States mean? The European Commission's decision on the adequacy of d...

Right to erasure In certain cases, the data subject has the right to have the controller erase data concerning him or her without undue delay. This right is also known as the right to be forgotten. The controller is obligated to erase the personal...

Automated decision-making and profiling What does profiling mean? Profiling means the automated processing of personal data for evaluating the personal aspects of an individual. In particular, profiling refers to the analysis or prediction of aspe...

Minimisation of personal data in scientific research The necessity of personal data for scientific research must be assessed at the earliest possible stage. Efforts must be made to minimise the processing of personal data. Both the amount and natu...

Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...

Guidelines of the European Data Protection Board The European Data Protection Board (EDPB) is responsible for the uniform application of the EU's General Data Protection Regulation and the Data Protection Directive applying to police and criminal ...

Controller's record of processing activities The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if the personal data ...

Anvisningar av Europeiska dataskyddsstyrelsen Europeiska dataskyddsstyrelsen ansvarar för en harmoniserad tillämpning inom Europeiska Unionen av EU:s allmänna dataskyddsförordning och dataskyddsdirektivet, som gäller för polis- och strafrättsmyndi...

Destruction, anonymisation or archiving of data at the conclusion of research When a study ends, the controller must ensure that data is appropriately destroyed, anonymised or archived. Data protection regulations specify a lifespan for personal d...