Haku
-
Controller's record of processing activities The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if the personal data ...https://tietosuoja.fi/en/controller-s-record-of-processing-activities
-
List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA) Updated 21.12.2018 Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in...https://tietosuoja.fi/en/list-of-processing-operations-which-require-dpia
-
Frequently asked questions about mobile location Why do telecommunications companies process location data? Thanks to communications networks, users are available wherever they are. In order to create a connection between the caller and recipient ...https://tietosuoja.fi/en/faq-mobile-location
-
Data protection in the development and use of AI systems These pages have information on the requirements arising from data protection legislation that should be taken into account when artificial intelligence (AI) systems are developed and used. ...https://tietosuoja.fi/en/ai-systems-and-data-protection
-
Roles and responsibilities for processing personal data in scientific research A research project can involve a variety of parties in different roles. Personal data may be processed for research purposes by one or more research organizations, pers...https://tietosuoja.fi/en/roles-and-responsibilities-for-processing-personal-data
-
Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...https://tietosuoja.fi/en/impact-assessments
-
Processor's record of processing activities Organisations are obligated to draw up a written description of their personal data processing. This description is called a record of processing activities. The obligation to draw up a record of process...https://tietosuoja.fi/en/processor-s-record-of-processing-activities
-
Derogations for specific situations Article 49 of the General Data Protection Regulation provides for derogations for specific situations. They are a last-resort basis for data transfer, only applicable in exceptional cases . The transfer of data ...https://tietosuoja.fi/en/derogations-for-specific-situations
-
Telephone guidance Our telephone guidance service provides general guidance and support in matters involving data protection and lets you know if the case requires more detailed investigation and processing at our Office. In the first instance, tr...https://tietosuoja.fi/en/telephone-guidance
-
Personal data breaches What is a personal data breach? A personal data breach means an event leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. Examples of personal data breaches include lost d...https://tietosuoja.fi/en/personal-data-breaches
-
Carrying out an impact assessment 1. Draw up a systematic description of the envisaged processing operations and the purposes of the processing Draw up a description of the nature, scope, context and purposes of the processing of personal data. Id...https://tietosuoja.fi/en/carrying-out-an-impact-assessment
-
Notification to the Data Protection Ombudsman Concerning your rights Data protection rights help you manage your data. If you would like to exercise your rights, first contact the company or organisation that is processing your data, i.e. the cont...https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman
-
When is the processing of personal data permitted? Legal bases for processing personal data The processing of personal data always requires a legal basis, which must be determined before the start of processing. Once the processing of personal dat...https://tietosuoja.fi/en/when-is-the-processing-of-personal-data-permitted
-
Controller's legitimate interests The processing of personal data can sometimes be justified due to the legitimate interests of the controller or a third party. The use of legitimate interests as a basis for processing requires particularly carefu...https://tietosuoja.fi/en/controller-s-legitimate-interests
-
Automated decision-making and profiling What does profiling mean? Profiling means the automated processing of personal data for evaluating the personal aspects of an individual. In particular, profiling refers to the analysis or prediction of aspe...https://tietosuoja.fi/en/automated-decision-making-and-profiling
-
Lifespan of personal data processing, data protection principles and the protection of data in scientific research If processing of personal data is necessary for the implementation of the study, the lifespan of the processing must be planned from...https://tietosuoja.fi/en/lifespan-of-personal-data-processing-data-protection-principles-and-the-protection-of-data
-
Right to restriction of processing The data subject can request the controller to restrict the processing of personal data concerning him or her. The restriction of processing means that, in addition to storage, the personal data subject to the re...https://tietosuoja.fi/en/right-to-restriction-of-processing
-
Data protection Data protection safeguards your rights when your personal data is processed Everyone has the right to the protection of personal data concerning him or her. Data protection is a fundamental right that safeguards the rights and free...https://tietosuoja.fi/en/data-protection
-
Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...https://tietosuoja.fi/en/data-act
-
Right to object In certain situations, the data subject has the right to object to the processing of his or her personal data, that is, request the controller not to process it at all. If the data is processed for the performance of a task carried...https://tietosuoja.fi/en/right-to-object