Search

Frequently asked questions about mobile location Why do telecommunications companies process location data? Thanks to communications networks, users are available wherever they are. In order to create a connection between the caller and recipient ...

List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA) Updated 21.12.2018 Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in...

This section provides answers to common questions.

What is personal data? All data related to an identified or identifiable person are personal data. In other words, data that can be used to identify a person directly or indirectly, such as by combining an individual data item with some other piec...

Processing of personal data The processing of personal data refers to activities such as the collection, storage, use, transfer and disclosure of personal data. All activities involving personal data, from the planning of processing to the erasure...

Frequently asked questions about working life What personal data on employees and job applicants can an employer process? The employer may only process personal data that is directly necessary with regard to the employee's employment relationship,...

Automated decision-making and profiling What does profiling mean? Profiling means the automated processing of personal data for evaluating the personal aspects of an individual. In particular, profiling refers to the analysis or prediction of aspe...

Guidelines of the European Data Protection Board The European Data Protection Board (EDPB) is responsible for the uniform application of the EU's General Data Protection Regulation and the Data Protection Directive applying to police and criminal ...

Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...

Controller's record of processing activities The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if the personal data ...

Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...

Lifespan of personal data processing, data protection principles and the protection of data in scientific research If processing of personal data is necessary for the implementation of the study, the lifespan of the processing must be planned from...

Frequently asked questions on data protection and the coronavirus What does health data mean? Health data refers to information about an individual’s health, diseases, disability or treatment. Health data belongs to the special categories of perso...

22.4.2020 | The European Data Protection Board’s guidelines concern the processing of health data for purposes of scientific research related to the COVID-19 disease and the use of location data and contact tracing applications.

22.4.2020 | The European Data Protection Board’s guidelines concern the processing of health data for purposes of scientific research related to the COVID-19 disease and the use of location data and contact tracing applications.

Transfer of data abroad Research is an international activity, and a need to transfer personal data out of Finland may arise during a project. There is legislation to ensure that the level of data protection does not deteriorate even if a research...

Binding corporate rules Binding Corporate Rules (BCR) refer to common binding rules on the transfer of personal data to third countries within companies in the same group of undertakings or group of enterprises engaged in a joint economic activity...

Transfers on the basis of an adequacy decision Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy d...

Frequently asked questions regarding the adequacy decision concerning data protection in the United States For organisations What does the adequacy decision concerning the United States mean? The European Commission's decision on the adequacy of d...

25.6.2025 | ANNUAL REPORT OF THE OFFICE OF THE DATA PROTECTION OMBUDSMAN OF FINLAND 2024 ANNUAL REPORT OF THE OFFICE OF THE DATA PROTECTION OMBUDSMAN OF FINLAND 2024 3 Contents The Office of the Data Protection Ombudsman safeguards the rights and freedoms of ...