Search
- Fess search
-
Transfer bases for authorities and the public sector Authorities and public organisations can transfer personal data to international organisations or the public bodies of third countries based on a European Commission decision on the adequacy of ...https://tietosuoja.fi/en/transfer-bases-for-authorities-and-the-public-sector
-
In the description of public access to documents, we describe what kind of information the Office of the Data Protection Ombudsman stores and how you can request information for yourself.https://tietosuoja.fi/en/description-of-public-access-to-documents
-
Visiting the Office of the Data Protection Ombudsman Instituting a case Our website contains electronic forms for instituting cases falling within the competence of the data protection authorities ( read more on our office’s electronic services )....https://tietosuoja.fi/en/visiting-the-office
-
30.1.2026 | On Thursday 29 January 2026, the Government appointed Heljä-Tuulia Pihamaa, Master of Laws, to the post of Deputy Data Protection Ombudsman for the next five-year term of office, starting on 22 March. Pihamaa has been serving as Deputy Data Protection Ombudsman since March 2021.https://tietosuoja.fi/en/-/helja-tuulia-pihamaa-continues-as-deputy-data-protection-ombudsman
-
Electronic services at the Office of the Data Protection Ombudsman Instituting a case electronically The Office of the Data Protection Ombudsman uses electronic forms implemented with the Government ICT Centre's (Valtori) Turvalomake (Secure Form)...https://tietosuoja.fi/en/electronic-services-at-our-office
-
Telephone services at the Office of the Data Protection Ombudsman Data processed in connection with the use of telephone services Switchboard The switchboard of the Office of the Data Protection Ombudsman connects calls to the public officials wor...https://tietosuoja.fi/en/telephone-services
-
Designating a data protection officer A data protection officer must be designated if your organisation processes sensitive data on a large scale monitors individuals regularly, systematically and on a large scale or your organisation is a public ...https://tietosuoja.fi/en/designating-a-data-protection-officer
-
Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...https://tietosuoja.fi/en/data-act
-
Frequently asked questions regarding the adequacy decision concerning data protection in the United States For organisations What does the adequacy decision concerning the United States mean? The European Commission's decision on the adequacy of d...https://tietosuoja.fi/en/faq-adequacy-decision-concerning-data-protection-in-the-united-states
-
Processing of the personal data of Data Protection Officers Controllers and processors must declare the contact details of their Data Protection Officers to our Office. The notification can be made with the form on our website or by providing the ...https://tietosuoja.fi/en/processing-of-the-personal-data-of-data-protection-officers
-
Destruction, anonymisation or archiving of data at the conclusion of research When a study ends, the controller must ensure that data is appropriately destroyed, anonymised or archived. Data protection regulations specify a lifespan for personal d...https://tietosuoja.fi/en/destruction-anonymisation-or-archiving-of-data
-
Frequently asked questions about Data Protection Officers More information about data protection officers and instructions for organisations and managers that have designated a data protection officer Do the Data Protection Officer's name and cont...https://tietosuoja.fi/en/faq-dpos
-
Disclosures of data Personal data is disclosed to service providers that supply IT services to the Office of the Data Protection Ombudsman. These providers process personal data on behalf of the Office and are not permitted to process the data for...https://tietosuoja.fi/en/disclosure-of-data
-
When is the processing of personal data permitted? Legal bases for processing personal data The processing of personal data always requires a legal basis, which must be determined before the start of processing. Once the processing of personal dat...https://tietosuoja.fi/en/when-is-the-processing-of-personal-data-permitted
-
Transfers on the basis of an adequacy decision Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy d...https://tietosuoja.fi/en/transfers-on-the-basis-of-an-adequacy-decision
-
Guidelines of the European Data Protection Board The European Data Protection Board (EDPB) is responsible for the uniform application of the EU's General Data Protection Regulation and the Data Protection Directive applying to police and criminal ...https://tietosuoja.fi/en/guidelines-of-the-european-data-protection-board
-
Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...https://tietosuoja.fi/en/impact-assessments
-
Processing of matters within our competence Processing of personal data in connection with the processing of cases falling within our competence Cases instituted with the Office of the Data Protection Ombudsman are logged in the Office's case mana...https://tietosuoja.fi/en/processing-of-matters-within-our-competence
-
Processing of special categories of personal data As a rule, the processing of personal data belonging to special categories is prohibited. Such data reveals the person’s ethnic origin political opinions religion or philosophical beliefs trade uni...https://tietosuoja.fi/en/processing-of-special-categories-of-personal-data
-
Right to erasure In certain cases, the data subject has the right to have the controller erase data concerning him or her without undue delay. This right is also known as the right to be forgotten. The controller is obligated to erase the personal...https://tietosuoja.fi/en/right-to-erasure