Search

Frequently asked questions about health care Rectifying patient records How can I rectify my patient records? If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care un...

Telephone guidance Our telephone guidance service provides general guidance and support in matters involving data protection and lets you know if the case requires more detailed investigation and processing at our Office. In the first instance, tr...

Frequently asked questions on data protection and the coronavirus What does health data mean? Health data refers to information about an individual’s health, diseases, disability or treatment. Health data belongs to the special categories of perso...

Frequently asked questions about working life What personal data on employees and job applicants can an employer process? The employer may only process personal data that is directly necessary with regard to the employee's employment relationship,...

The Digital Services Act and powers of the Data Protection Ombudsman in the monitoring of online platforms The EU Digital Services Act (DSA) imposes obligations on digital service providers, such as online platforms, to improve the transparency an...

Frequently asked questions about personal identity code Is it permitted to ask for the personal identity code when a guest checks into a hotel? Yes. According to the Act on Accommodation and Food Service Activities (308/2006), an accommodation pro...

Processors A processor is an individual or an organisation that processes personal data on behalf of a controller. Processors operate according to the controller’s instructions and under its supervision. The controller determines the purposes and ...

Electronic services at the Office of the Data Protection Ombudsman Instituting a case electronically The Office of the Data Protection Ombudsman uses electronic forms implemented with the Government ICT Centre's (Valtori) Turvalomake (Secure Form)...

Frequently asked questions about genealogy What personal data can I process for purposes of genealogical research? The General Data Protection Regulation (GDPR) does not specify what personal data may be processed for genealogical purposes. The es...

Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...

EU digital and data regulation The EU's digital and data regulation facilitate the movement of data within the EU, create clear and fair rules for data use and promote compliance with privacy, data protection and competition rules. Digital and dat...

Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...

Consent of the data subject Consent is one possible legal basis for processing personal data. Consent gives the data subjects the opportunity to monitor the processing of their personal data and influence it by withdrawing their consent. Requireme...

This section provides answers to common questions.

Right to data portability The data subject has the right to receive the personal data that he or she has provided to a controller in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller....

Processing of special categories of personal data As a rule, the processing of personal data belonging to special categories is prohibited. Such data reveals the person’s ethnic origin political opinions religion or philosophical beliefs trade uni...

Annual report 2024 The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data The Office of the Data Protection Ombudsman is an autonomous and independent authority ...

Right to erasure In certain cases, the data subject has the right to have the controller erase data concerning him or her without undue delay. This right is also known as the right to be forgotten. The controller is obligated to erase the personal...

Find out whether the Data Protection Ombudsman can help you Is the violation you have noticed related to The processing of personal data The publicity or confidentiality of a document The actions of authorities in your case The confidentiality of ...

Choosing the processing basis and ensuring its lawfulness in scientific research As a rule, the controller is free to choose the basis for processing that is most applicable to the implementation of the study. The processing of special categories ...