Search

Transfer bases for authorities and the public sector Authorities and public organisations can transfer personal data to international organisations or the public bodies of third countries based on a European Commission decision on the adequacy of ...

Binding corporate rules Binding Corporate Rules (BCR) refer to common binding rules on the transfer of personal data to third countries within companies in the same group of undertakings or group of enterprises engaged in a joint economic activity...

Children's data protection rights Every child and young person has the right to data protection. If you have questions about how your personal data are used, you can contact the Office of the Data Protection Ombudsman. Your personal data include f...

Demonstrate your compliance with data protection regulations Compliance with the provisions of the General Data Protection Regulation (GDPR) is required when processing personal data. Accountability means that the controller must be able to demons...

Telephone guidance Our telephone guidance service provides general guidance and support in matters involving data protection and lets you know if the case requires more detailed investigation and processing at our Office. In the first instance, tr...

Processing of special categories of personal data As a rule, the processing of personal data belonging to special categories is prohibited. Such data reveals the person’s ethnic origin political opinions religion or philosophical beliefs trade uni...

Roles and responsibilities for processing personal data in scientific research A research project can involve a variety of parties in different roles. Personal data may be processed for research purposes by one or more research organizations, pers...

Carrying out an impact assessment 1. Draw up a systematic description of the envisaged processing operations and the purposes of the processing Draw up a description of the nature, scope, context and purposes of the processing of personal data. Id...

Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...

Consent of the data subject Consent is one possible legal basis for processing personal data. Consent gives the data subjects the opportunity to monitor the processing of their personal data and influence it by withdrawing their consent. Requireme...

Frequently asked questions about working life What personal data on employees and job applicants can an employer process? The employer may only process personal data that is directly necessary with regard to the employee's employment relationship,...

Frequently asked questions about health care Rectifying patient records How can I rectify my patient records? If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care un...

25.4.2025 | The Data Protection Ombudsman has approved two applications by Nokia for binding corporate rules (so-called BCRs). BCRs are legally binding rules for the transfer of personal data within a group of enterprises. They allow companies in the same group to transfer personal data between each other outside the EU and EEA countries.

Brexit and the transfer of personal data to the UK When the transition period for the withdrawal from the EU ended, the United Kingdom lost all its rights and obligations as a Member State. Due to the withdrawal from the EU, data protection regula...

Processors A processor is an individual or an organisation that processes personal data on behalf of a controller. Processors operate according to the controller’s instructions and under its supervision. The controller determines the purposes and ...

Safeguards to supplement transfer tools The level of protection for personal data must be essentially equivalent to that guaranteed within the EU when transferring data to international organisations and third countries outside the European Econom...

When is the processing of personal data permitted? Legal bases for processing personal data The processing of personal data always requires a legal basis, which must be determined before the start of processing. Once the processing of personal dat...

Registry You can enquire after matters concerning instituting and pending a case from the registry of the Office of the Data Protection Ombudsman. This kind of enquiries are for example how should a case be sent to the Office of the Data Protectio...

If you would like to have your personal data transferred to another controller In certain situations, you have the right to receive your data and transfer them to another service provider. The right to data portability makes it easier for you to c...

The right to rectification Data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed. How quickly is the controller required to reply to the data subject’s r...