Data & Privacy · Finland
Data protection & privacy laws in Finland (2026)
As an EU member state, Finland applies the GDPR directly, supplemented by the national Data Protection Act (1050/2018), in force since 1 January 2019, which repealed the former Personal Data Act (523/1999). The independent supervisory authority is the Office of the Data Protection Ombudsman in Helsinki, which monitors compliance, conducts investigations, and (via a collegial Sanctions Board) imposes administrative fines. Sector-specific rules such as the Act on the Protection of Privacy in Working Life and electronic-communications privacy rules layer on top of this comprehensive framework.
Key points
The Data Protection Act (1050/2018) specifies and supplements the GDPR for national application; it has applied since 1 January 2019 and repealed the old Personal Data Act (523/1999).
The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), based in Helsinki, is Finland's national data protection authority enforcing the GDPR. It is headed by the Data Protection Ombudsman (Anu Talus, reappointed for a five-year term from 1 November 2025) and two Deputy Ombudsmen.
Administrative fines under the GDPR may only be imposed in Finland by a collegial body (seuraamuskollegio / Sanctions Board) composed of the Ombudsman and Deputy Ombudsmen, chaired by the Ombudsman, with a quorum of at least three members.
Finland exercised the GDPR Article 8 derogation to lower the age at which children can consent to information society services to 13 years; below that age, parental consent or authorisation is required.
The Data Protection Act (section 29) restricts processing of the national personal identity code (henkilötunnus): it may be processed with the data subject's consent, where processing is provided for by law, or where unambiguous identification of the data subject is necessary for a statutory task or for purposes the Act lists (for example credit, insurance, banking, employment and pension matters). Controllers must also ensure the code is not recorded unnecessarily in printouts or documents produced from the filing system.
Comprehensive protection is complemented by sectoral rules including the Act on the Protection of Privacy in Working Life (759/2004) governing employee data, and electronic-communications/ePrivacy provisions in the Act on Electronic Communications Services.
Timeline - major decisions & events
Posti appeal decision. The court overturned the Data Protection Ombudsman's 2024 penalty, ruling that Posti had a lawful basis to bundle its OmaPosti digital mailbox with its services, while upholding a remark on insufficient transparency. The decision clarifies the line between service bundling and the GDPR's lawful-basis requirements. Source: Posti Group Oyj ↗

S-Pankki fine. The Ombudsman's Sanctions Board fined S-Pankki for a 2022 S-Mobiili authentication bug that let customers access other customers' accounts, in breach of the GDPR's security-of-processing obligations. It is one of Finland's largest data-protection penalties. Source: Data Protection Ombudsman's Office ↗

Pharmacy tracking fine. The Sanctions Board penalised a pharmacy for cookies and tracking tools that sent prescription and over-the-counter purchase data to Google and Meta. It signals tougher enforcement against ad-tech tracking of sensitive health data. Source: Data Protection Ombudsman's Office ↗

Posti OmaPosti fine (2024). The Sanctions Board found that Posti had unlawfully auto-created electronic mailboxes for OmaPosti users without clear information or consent, and deemed the infringement intentional. The fine set a record for Finnish GDPR penalties (later partly reversed on appeal). Source: Data Protection Ombudsman's Office ↗

Vastaamo hacker sentenced (April 2024). Länsi-Uusimaa District Court sentenced Aleksanteri Kivimäki to six years and three months for the aggravated data breach, roughly 21,000 counts of aggravated blackmail, and mass dissemination of private therapy records. It closed Finland's most notorious data-crime case. Source: The Record (Recorded Future News) ↗

Online retailer fine. The Ombudsman penalised an online retailer for failing to define retention periods for personal data and for forcing customers to create an account in order to make a purchase. It was among Finland's largest fines at the time and stressed the data-minimisation principle. Source: Bird & Bird ↗

Vastaamo fine (December 2021). The Sanctions Board fined Vastaamo for neglecting the secure processing of patient records (an unprotected database with no password) and for failing to report a breach it had learned of in 2019. The case drove national attention to health-data security. Source: Data Protection Ombudsman's Office ↗

Vastaamo breach disclosed (October 2020). Psychotherapy provider Vastaamo revealed that records of roughly 33,000 to 36,000 patients had been stolen, after which extortionists demanded ransoms directly from victims. It is Finland's largest and most damaging personal-data breach. Source: European Data Protection Board ↗

First GDPR fines (May 2020). The Sanctions Board issued its first GDPR penalties against three companies (including €100,000 on Posti and €16,000 on Kymen Vesi) for failures around informing data subjects and carrying out impact assessments. It established the Ombudsman's enforcement posture under the GDPR. Source: European Data Protection Board ↗

Data Protection Act in force (1 January 2019). Finland's national act supplementing the GDPR took effect, repealing the 1999 Personal Data Act and setting out the powers and organisation of the Data Protection Ombudsman as supervisory authority. It is the backbone of Finland's current framework. Source: Finlex ↗

GDPR applies (25 May 2018). As an EU regulation, the GDPR began applying directly in Finland, replacing the directive-based regime with harmonised, directly enforceable EU data-protection rules. It is the foundation of today's Finnish data-protection law. Source: EUR-Lex (EU) ↗

Personal Data Act (1999). Finland adopted the Personal Data Act (523/1999) to implement the 1995 EU Data Protection Directive, modernising the 1987 regime after EU accession. It governed Finnish data protection until the GDPR era. Source: Finlex ↗

Personal Registers Act (1987). Finland's first comprehensive data-protection statute (in force from 1988) created the office of the Data Protection Ombudsman to safeguard privacy amid the growing use of computerised registers. It originated the supervisory institution that still enforces data protection today. Source: Council of Europe ↗
Last verified 5/23/2026 · Orientation, not legal advice. Verify against the primary sources linked above.