Search

Transfer bases for authorities and the public sector Authorities and public organisations can transfer personal data to international organisations or the public bodies of third countries based on a European Commission decision on the adequacy of ...

Transfers on the basis of an adequacy decision Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy d...

Frequently asked questions regarding the adequacy decision concerning data protection in the United States For organisations What does the adequacy decision concerning the United States mean? The European Commission's decision on the adequacy of d...

Transfers of personal data out of the European Economic Area Transferring personal data out of the EEA requires an appropriate basis for the transfer and compliance with the other requirements imposed by data protection legislation. This page desc...

Annual report 2024 The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data The Office of the Data Protection Ombudsman is an autonomous and independent authority ...

For the media Interview requests Media representatives may contact the Office of the Data Protection Ombudsman’s communications to arrange a suitable interview time. Communications can be reached by media representatives during office hours. Commu...

Supervision of codes of conduct The code of conduct must specify a mechanism for the effective monitoring of compliance with the code. Monitoring means ensuring that the controllers and processors committed to compliance with the code follow the p...

The review and approval of codes of conduct at the Office of the Data Protection Ombudsman The Office of the Data Protection Ombudsman reviews and approves national codes of conduct applied in Finland. The criteria for the content of codes of cond...

We promote responsibility in the digital environment The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data. We build awareness of the rights, duties and opportu...

Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...

Electronic services at the Office of the Data Protection Ombudsman Instituting a case electronically The Office of the Data Protection Ombudsman uses electronic forms implemented with the Government ICT Centre's (Valtori) Turvalomake (Secure Form)...

Telephone guidance Our telephone guidance service provides general guidance and support in matters involving data protection and lets you know if the case requires more detailed investigation and processing at our Office. In the first instance, tr...

EU digital and data regulation The EU's digital and data regulation facilitate the movement of data within the EU, create clear and fair rules for data use and promote compliance with privacy, data protection and competition rules. Digital and dat...

Processing of the personal data of Data Protection Officers Controllers and processors must declare the contact details of their Data Protection Officers to our Office. The notification can be made with the form on our website or by providing the ...

Controller's record of processing activities The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if the personal data ...

19.3.2026 | This year, European data protection authorities will investigate how well organisations comply with the transparency and information obligations related to personal data processing. Data protection authorities from 25 countries across Europe will take part in the action.

When is the processing of personal data permitted? Legal bases for processing personal data The processing of personal data always requires a legal basis, which must be determined before the start of processing. Once the processing of personal dat...

30.1.2026 | On Thursday 29 January 2026, the Government appointed Heljä-Tuulia Pihamaa, Master of Laws, to the post of Deputy Data Protection Ombudsman for the next five-year term of office, starting on 22 March. Pihamaa has been serving as Deputy Data Protection Ombudsman since March 2021.

Personal data breaches What is a personal data breach? A personal data breach means an event leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. Examples of personal data breaches include lost d...

Right of access Data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. The data subjects thus have the opportunity to evaluate and ensure the legali...