Search

25.3.2026 | The Sanctions Board of the Office of the Data Protection Ombudsman has imposed a fine of EUR 5,000 on Suomen Numerokeskus Oy, as the company systematically failed to comply with customers’ right to access recordings of customer calls. The company also deleted the call recordings despite requests from customers to review them.

Frequently asked questions about phone calls Are individuals allowed to record their own telephone conversations? Citizens have the right to record telephone calls in which they are the caller or receiver. Finland’s Constitution gives the right to...

Frequently asked questions about camera surveillance EDPB guidelines on processing of personal data through video devices (pdf) Is camera surveillance processing of personal data? The operator of recording camera surveillance (e.g. a company or au...

Current issues Deputy Data Protection Ombudsman: individuals must be able to access their credit information for free Publication date: 30.3.2026 Suomen Numerokeskus fined for failing to provide call recordings Publication date: 25.3.2026 The Offi...

Data protection Data protection safeguards your rights when your personal data is processed Everyone has the right to the protection of personal data concerning him or her. Data protection is a fundamental right that safeguards the rights and free...

Right of access Data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. The data subjects thus have the opportunity to evaluate and ensure the legali...

Record of processing activities Record of processing activities is a written description of organisations personal data processing. The obligation to draw up a record of processing activities applies to all organisations with more than 250 employe...

Controller's record of processing activities The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if the personal data ...

Processor's record of processing activities Organisations are obligated to draw up a written description of their personal data processing. This description is called a record of processing activities. The obligation to draw up a record of process...

13.8.2024 | ANNUAL REPORT OF THE OFFICE OF THE DATA PROTECTION OMBUDSMAN 2023 ANNUAL REPORT OF THE OFFICE OF THE DATA PROTECTION OMBUDSMAN 2023 3 Contents The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regar...

Frequently asked questions about health care Rectifying patient records How can I rectify my patient records? If there are errors in your patient records, you can ask for their rectification. The rectification request is made to the health care un...

Processors’ responsibilities Processors are governed by the General Data Protection Regulation if they are established in an EU Member State they are not established in an EU Member State but their personal data processing activities relate to the...

Demonstrate your compliance with data protection regulations Compliance with the provisions of the General Data Protection Regulation (GDPR) is required when processing personal data. Accountability means that the controller must be able to demons...

Accuracy of data The personal data being processed must be accurate and up to date. Inaccurate personal data must be rectified or erased without delay. The controller must confirm the accuracy of the personal data being kept by it. The verificatio...

What is personal data? All data related to an identified or identifiable person are personal data. In other words, data that can be used to identify a person directly or indirectly, such as by combining an individual data item with some other piec...

Frequently asked questions about personal identity code Is it permitted to ask for the personal identity code when a guest checks into a hotel? Yes. According to the Act on Accommodation and Food Service Activities (308/2006), an accommodation pro...

Scientific research FAQ Learn more about scientific research on our website Scientific research and data protection . Does scientific research always require consent for the processing of personal data? No. Personal data can be processed for resea...

Pseudonymised and anonymised data Pseudonymised personal data Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information...

Claiming damages for violations of the GDPR Data subjects are entitled to damages if a controller or processor of personal data violates the EU General Data Protection Regulation and the violation causes material or immaterial damage to the data s...

Telephone services at the Office of the Data Protection Ombudsman Data processed in connection with the use of telephone services Switchboard The switchboard of the Office of the Data Protection Ombudsman connects calls to the public officials wor...