Search

Have you been affected by a personal data breach? This page contains instructions for people who have been affected by a personal data breach. If you have been affected by a personal data breach, first check what data about you could have been dis...

Right to inspect the data processed by a competent authority The competent authority is required to tell you whether it is processing personal data concerning you. You have the right to inspect which of your personal data different controllers are...

Telephone services at the Office of the Data Protection Ombudsman Data processed in connection with the use of telephone services Switchboard The switchboard of the Office of the Data Protection Ombudsman connects calls to the public officials wor...

Have you been subjected to a decision based solely on automated processing? You have the right to demand human involvement in decisions that concern you. Some decisions concerning you can be made automatically. This means that humans are not invol...

Electronic services at the Office of the Data Protection Ombudsman Instituting a case electronically The Office of the Data Protection Ombudsman uses electronic forms implemented with the Government ICT Centre's (Valtori) Turvalomake (Secure Form)...

The Digital Services Act and powers of the Data Protection Ombudsman in the monitoring of online platforms The EU Digital Services Act (DSA) imposes obligations on digital service providers, such as online platforms, to improve the transparency an...

Frequently asked questions about the Digital Services Act (DSA) What kinds of operators are subject to the DSA's obligations? The obligations imposed by the Digital Services Act (DSA) apply to all online services, referred to as 'intermediary serv...

Data protection in the development and use of AI systems These pages have information on the requirements arising from data protection legislation that should be taken into account when artificial intelligence (AI) systems are developed and used. ...

25.2.2025 | The EU's Digital Services Act imposes obligations on digital service providers to improve the transparency and security of their services. Last year, authorities in Finland received nearly 80 complaints about suspected breaches of the Digital Services Act, and the EU Commission has launched several investigations into digital waste. The act, which improves users' rights, has been fully in force for one year as of February 2025.

List compiled by the Office of the Data Protection Ombudsman of processing operations which require data protection impact assessment (DPIA) Updated 21.12.2018 Article 35 (1) GDPR requires a DPIA when the processing activity is likely to result in...

Frequently asked questions about personal identity code Is it permitted to ask for the personal identity code when a guest checks into a hotel? Yes. According to the Act on Accommodation and Food Service Activities (308/2006), an accommodation pro...

Accessibility statement of Tietosuoja.fi This accessibility statement applies to the website www.tietosuoja.fi and it was created on 22 September 2020. The statement has been updated on 20 January 2026. We are committed to providing accessibility ...

15.2.2022 | The Office of the Data Protection Ombudsman will participate in a coordinated enforcement action of the European Data Protection Board along with 22 other supervisory authorities. The purpose of the action is to investigate use of cloud-based services in the public sector. The action of the EDPB was launched on 15 February.

Contact information Office of the Data Protection Ombudsman Street address: Lintulahdenkuja 4, 00530 Helsinki Postal address: PL 800, 00531 Helsinki, Finland Switchboard : +358 29 566 6700 Registry: +358 29 566 6768 E-mail (registry): tietosuoja(a...

Standard clauses adopted by the Commission Personal data can also be transferred out of the EU and EEA under the standard contractual clauses (SCC) adopted by the Commission. A transition period set for the adoption of the updated standard clauses...

Frequently asked questions about direct marketing Electronic direct marketing includes direct marketing via automated calling systems, as well as direct marketing implemented using email, text, sound, voice or picture messages. Traditional direct ...

Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...

Data Act and powers of the Data Protection Ombudsman The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman m...

Frequently asked questions about genealogy What personal data can I process for purposes of genealogical research? The General Data Protection Regulation (GDPR) does not specify what personal data may be processed for genealogical purposes. The es...

Frequently asked questions about working life What personal data on employees and job applicants can an employer process? The employer may only process personal data that is directly necessary with regard to the employee's employment relationship,...