Skip to content
World Watch/Finland/Data & Privacy

Data & Privacy · Finland

Data protection & GDPR compliance in Finland (2026)

Comprehensive lawEU General Data Protection Regulation (2016/679) as the directly applicable baseline, supplemented nationally by Finland's Data Protection Act (Tietosuojalaki 1050/2018), enforced by the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).Country index 93 · A+

Finland shaded by its data & privacy status

Data protection in Finland: comprehensive law, under EU General Data Protection Regulation (2016/679) as the directly applicable baseline, supplemented nationally by Finland's Data Protection Act (Tietosuojalaki 1050/2018), enforced by the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)..

As an EU member state, Finland applies the GDPR directly, supplemented by the national Data Protection Act (1050/2018), in force since 1 January 2019, which repealed the former Personal Data Act (523/1999). The independent supervisory authority is the Office of the Data Protection Ombudsman in Helsinki, which monitors compliance, conducts investigations, and (via a collegial Sanctions Board) imposes administrative fines. Sector-specific rules such as the Act on the Protection of Privacy in Working Life and electronic-communications privacy rules layer on top of this comprehensive framework.

GDPR & data protection in Finland

In Finland, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Office of the Data Protection Ombudsman.

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Office of the Data Protection Ombudsman
Applies to
any organisation processing the personal data of people in Finland, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Finland supplements it with a national data-protection act and its own supervisory authority.

GDPR in Finland: FAQ

Does the GDPR apply in Finland?

Yes. As an EU/EEA member, Finland applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Office of the Data Protection Ombudsman.

Who enforces data protection law in Finland?

The Office of the Data Protection Ombudsman.

What are the GDPR fines in Finland?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Finland?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Finland?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive national law

The Data Protection Act (1050/2018) specifies and supplements the GDPR for national application; it has applied since 1 January 2019 and repealed the old Personal Data Act (523/1999).

Supervisory authority

The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), based in Helsinki, is Finland's national data protection authority enforcing the GDPR. It is headed by the Data Protection Ombudsman (Anu Talus, reappointed for a five-year term from 1 November 2025) and two Deputy Ombudsmen.

Administrative fines via Sanctions Board

Administrative fines under the GDPR may only be imposed in Finland by a collegial body (seuraamuskollegio / Sanctions Board) composed of the Ombudsman and Deputy Ombudsmen, chaired by the Ombudsman, with a quorum of at least three members.

Age of digital consent set at 13

Finland exercised the GDPR Article 8 derogation to lower the age at which children can consent to information society services to 13 years; below that age, parental consent or authorisation is required.

Personal identity code restrictions

The Data Protection Act restricts processing of the national personal identity code (henkilötunnus), generally permitting it only with the data subject's consent or where required/authorised by law and necessary for an identified purpose.

Sector-specific overlays

Comprehensive protection is complemented by sectoral rules including the Act on the Protection of Privacy in Working Life (759/2004) governing employee data, and electronic-communications/ePrivacy provisions in the Act on Electronic Communications Services.

Timeline - major decisions & events

Nov 1, 2025decision
Helsinki Administrative Court annuls Posti's €2.4M fine

The court overturned the Data Protection Ombudsman's 2024 penalty, ruling Posti had a lawful basis to bundle its OmaPosti digital mailbox, while upholding a remark on insufficient transparency. The decision clarifies the line between service bundling and GDPR lawful-basis requirements.

Posti Group Oyj
Sep 10, 2025enforcementofficial
S-Bank fined €1.8 million for mobile-app security flaw

The Ombudsman's Sanctions Board fined S-Pankki for a 2022 S-Mobiili authentication bug that let customers access other customers' accounts, breaching GDPR security obligations. It is one of Finland's largest data-protection penalties.

Data Protection Ombudsman's Office
Jun 1, 2025enforcementofficial
Pharmacy chain Yliopiston Apteekki fined €1.1 million over web tracking

The Sanctions Board penalised the pharmacy for cookies and tracking tools that sent prescription and OTC purchase data to Google and Meta. It signals tougher enforcement on ad-tech tracking of sensitive health data.

Data Protection Ombudsman's Office
Nov 15, 2024enforcementofficial
Posti fined €2.4 million for OmaPosti service, Finland's largest GDPR fine

The Sanctions Board found Posti unlawfully auto-created electronic mailboxes for OmaPosti users without clear information or consent, deeming the infringement intentional. It set a record for Finnish GDPR penalties (later partly reversed on appeal).

Data Protection Ombudsman's Office
Apr 30, 2024incident
Hacker Aleksanteri Kivimäki sentenced for Vastaamo breach

Länsi-Uusimaa District Court sentenced Kivimäki to six years and three months for the aggravated data breach, ~21,000 counts of aggravated blackmail, and mass dissemination of private therapy records. It closed Finland's most notorious data-crime case.

The Record (Recorded Future News)
Mar 6, 2024enforcement
Verkkokauppa.com fined €856,000

The Ombudsman penalised the online retailer for failing to define personal-data retention periods and for forcing account creation to make purchases. It was among Finland's largest fines at the time and stressed data-minimisation principles.

Bird & Bird
Dec 7, 2021enforcementofficial
Vastaamo psychotherapy centre fined €608,000

The Sanctions Board fined Vastaamo for neglecting secure processing of patient records (an unprotected, password-less database) and for failing to report the breach it learned of in 2019. The case drove national attention to health-data security.

Data Protection Ombudsman's Office
Oct 21, 2020incidentofficial
Vastaamo data breach disclosed

Psychotherapy provider Vastaamo revealed that records of roughly 33,000-36,000 patients were stolen, after which extortionists demanded ransoms directly from victims. It is Finland's largest and most damaging personal-data breach.

European Data Protection Board
May 18, 2020enforcementofficial
Finland imposes its first GDPR administrative fines

The Sanctions Board issued its first GDPR penalties on three companies (including €100,000 on Posti and €16,000 on Kymen Vesi) for failures around data-subject information and impact assessments. It established the Ombudsman's enforcement posture under the GDPR.

European Data Protection Board
Jan 1, 2019lawofficial
Data Protection Act (1050/2018) enters into force

Finland's national act supplementing the GDPR took effect, repealing the 1999 Personal Data Act and setting out the powers and organisation of the Data Protection Ombudsman as supervisory authority. It is the backbone of Finland's current framework.

Finlex
May 25, 2018lawofficial
EU GDPR becomes directly applicable in Finland

As an EU regulation, the GDPR began applying directly in Finland, replacing the directive-based regime with harmonised, enforceable EU data-protection rules. It is the foundation of today's Finnish data-protection law.

EUR-Lex (EU)
Apr 22, 1999lawofficial
Personal Data Act (523/1999) enacted

Finland adopted the Personal Data Act to implement the 1995 EU Data Protection Directive, modernising the 1987 regime after EU accession. It governed Finnish data protection until the GDPR era.

Finlex
Jan 1, 1987lawofficial
Personal Data File Act and Data Protection Ombudsman established

Finland's first comprehensive data-protection statute (in force 1988) created the office of the Data Protection Ombudsman to safeguard privacy amid growing use of computerised registries. It originated the supervisory institution that still enforces data protection today.

Council of Europe

Finland - other topics

Data & Privacy in other countries

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →