New national Data Protection Act spells out obligations related to the processing of personal data
December 14, 2018
Along with the General Data Protection Regulation (GDPR), the new Data Protection Act’s obligations on the processing of personal data must be taken into consideration.
The new national Data Protection Act has been enacted and it takes effect on 1.1.2019. The Data Protection Act supplements the European Union’s General Data Protection Regulation, which came into force in May 2018. The new Data Protection Act repeals the old Personal Data Act.
GDPR’s central regulations on processing personal data
The central obligations related to the processing of personal data, as such, come directly from the GDPR, and all parties processing personal data have had to comply with the regulation since 25 May 2018. However, EU member states have the right to adopt supplementary data protection legislation to the extent that the GDPR leaves room for national flexibility on certain subject matters. The national Data Protection Act supplements and specifies the GDPR. The Act doesn’t constitute an independent law; it is applied in parallel with the GDPR.
The Data Protection Act regulates certain special situations related to the processing of personal data, such as the processing of a personal identification number and sensitive data, and the processing of personal data related to, e.g. scientific research, statistics, archiving, and the use of freedom of expression. Additionally, the Data Protection Act regulates things like the imposing of administrative fines, the power of the data protection authority, and the age limit for information society services offered to children. Moreover, according to the new Act, all parties participating in the processing of personal data have a secrecy obligation in matters related to the processing of personal data.
Along with the GDPR, the new Data Protection Act also supplements other legislation related to the processing of personal data, including, for example, the Act on the Protection of Privacy in Working Life, which concerns the processing of employee data, the Act on the Openness of Government Activities and the Credit Information Act. In Finland there are hundreds of specific legislative regulations related to the processing of personal data. Because of the GDPR, sweeping amendments were made to Finnish legislation in order to align the national laws with EU regulations. This renewal work is ongoing, so it’s worthwhile to monitor any legislative changes related to your own sector.
Key changes brought by the new Data Protection Act
The competent supervisory authority
The competent supervisory authority of the Data Protection Act in Finland continues to be the Data Protection Ombudsman. The Data Protection Act regulates the data protection authority’s functions and powers. A panel of experts works in conjunction with the Data Protection Ombudsman’s office and issues statements at the request of the Data Protection Ombudsman. The old data protection board will be discontinued with the new Act.
Every person has the right to notify the Data Protection Ombudsman if the person deems the processing of his/her personal data to be unlawful. The Data Protection Ombudsman can also take the initiative to investigate the lawfulness of the processing of personal data. The Data Protection Ombudsman has broad powers to obtain information.
Imposing administrative fines
Various consequences, such as administrative fines, can be imposed for violating the Data Protection Act. The new Data Protection Act regulates the process by which consequences are imposed and how they can be appealed. Administrative fines are imposed by a three-member board consisting of the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen. State or municipal authorities as well as certain other public bodies are exempt from administrative fines. An administrative fine cannot be imposed if more than ten years have passed since the date of the violation or dereliction. The imposition of an administrative fine can be appealed to the Administrative Court.
Processing personal identity numbers
The regulations for processing personal identity numbers remain mostly the same as in the old Personal Data Act. The processing of a personal identity number is allowed with the data subject’s consent or if the processing is provided for by law. Additionally, a personal identity number can still be processed in certain special situations, such as activities relating to the granting of credit, the collection of debt, insurance, credit, renting and lending businesses, credit data operations, health care, social welfare or other social services, and matters relating to civil service and employment relationships.
Additionally, the GDPR’s general requirements on the processing of personal data must be taken into consideration in the processing of personal identity numbers. Moreover, personal identity numbers must not be unnecessarily included on printed or drafted documents.
Age limit for information society services offered to children
An age limit for information society services, like social media, has sparked a lot of discussion. Member states have the right to specify an age limit for information society services. The age limit prescribed in the new Data Protection Act is 13 years, which is generally in line with the other Nordic countries.
If the person is younger than 13 years old, the processing of personal data for the offering of information society services is lawful only with the consent or authorization of the child’s parent. Services can be offered to individuals over 13 years old without parental consent. The age limit varies among member states from 13 to 16 years of age. National differences must be taken into consideration if the offering of information society services extends to other EU countries.
Now is the time to get personal data processing practices in order
The national Data Protection Act mainly specifies the GDPR; from a business perspective, it doesn’t bring significant changes. However, the new Act has brought the supervisory authority’s powers to monitor compliance with the GDPR up to date. In fact, the biggest interest is now focused on the powers of the Data Protection Ombudsman, and on how the Data Protection Ombudsman and other European data protection authorities will start monitoring compliance with the GDPR. In a few countries, the supervisory authority has already issued official decisions related to the GDPR. Now is the time to get the organization’s practices to the level required by the new regulations.
The new Data Protection Act (available in Finnish and Swedish) can be found here.