Sök

Frequently asked questions about banking Are banks permitted to copy my ID? Yes. Banks have a statutory obligation to know and identify their customers. Among other things, this means that the bank must verify the customer’s identity in a reliable...

Frequently asked questions about direct marketing Electronic direct marketing includes direct marketing via automated calling systems, as well as direct marketing implemented using email, text, sound, voice or picture messages. Traditional direct ...

Frequently asked questions about personal identity code Is it permitted to ask for the personal identity code when a guest checks into a hotel? Yes. According to the Act on Accommodation and Food Service Activities (308/2006), an accommodation pro...

Frequently asked questions about information systems Can the customer of the company be entitled to log data by virtue of the right of access? Article 15 of the General Data Protection Regulation provides for the data subject's right of access to ...

Frequently asked questions on data protection and the coronavirus What does health data mean? Health data refers to information about an individual’s health, diseases, disability or treatment. Health data belongs to the special categories of perso...

Processors A processor is an individual or an organisation that processes personal data on behalf of a controller. Processors operate according to the controller’s instructions and under its supervision. The controller determines the purposes and ...

Right to inspect the data processed by a competent authority The competent authority is required to tell you whether it is processing personal data concerning you. You have the right to inspect which of your personal data different controllers are...

Contact information Office of the Data Protection Ombudsman Street address: Lintulahdenkuja 4, 00530 Helsinki Postal address: PL 800, 00531 Helsinki, Finland Switchboard : +358 29 566 6700 Registry: +358 29 566 6768 E-mail (registry): tietosuoja(a...

Storage limitation Personal data may only be stored for as long as necessary for the purposes of processing. The controller must plan and be able to justify the storage time of the personal data. The storage times of personal data must also be doc...

Impact assessment Impact assessments are designed to identify, evaluate and control risks involved in the processing of personal data. They are designed to be a continuous process for identifying and controlling risks. Impact assessments must be c...

Inform data subjects about processing The requirements of the notification practices for controllers the requirements are laid down in the GDPR. The Office of the Data Protection Ombudsman urges industries to create shared notification practices a...

Frequently asked questions about phone calls Are individuals allowed to record their own telephone conversations? Citizens have the right to record telephone calls in which they are the caller or receiver. Finland’s Constitution gives the right to...

Have you misplaced personal data? This page provides instructions on what to do if your personal data has been lost, stolen or acquired with a phishing message. Act fast especially if: you have lost payment card details or your online bank ID and ...

30.3.2026 | The Deputy Data Protection Ombudsman has determined that the credit information company Dun & Bradstreet Finland’s practice of allowing individuals to only check their credit information for free once per year is not compliant with data protection legislation. Several deficiencies were also found in the company’s practices for responding to personal data requests.

What is a competent authority? A competent authority refers to authorities whose competence includes preventing, detecting or investigating criminal offences or referring them for consideration of charges consideration of charges and other activit...

We promote responsibility in the digital environment The Office of the Data Protection Ombudsman safeguards the rights and freedoms of individuals with regard to the processing of personal data. We build awareness of the rights, duties and opportu...

25.3.2026 | The Sanctions Board of the Office of the Data Protection Ombudsman has imposed a fine of EUR 5,000 on Suomen Numerokeskus Oy, as the company systematically failed to comply with customers’ right to access recordings of customer calls. The company also deleted the call recordings despite requests from customers to review them.

Disclosures of data Personal data is disclosed to service providers that supply IT services to the Office of the Data Protection Ombudsman. These providers process personal data on behalf of the Office and are not permitted to process the data for...

Controller's record of processing activities The obligation to draw up a record of processing activities applies to all organisations with more than 250 employees. Smaller organisations are also required to draw up the record if the personal data ...

Automated decision-making and profiling What does profiling mean? Profiling means the automated processing of personal data for evaluating the personal aspects of an individual. In particular, profiling refers to the analysis or prediction of aspe...