Back to Frameworks

Finland Data Protection Act (Tietosuojalaki, 1050/2018)

Finland
v2018 (GDPR implementation)
7 domains
11 controls

The Finland Data Protection Act (Tietosuojalaki, 1050/2018) is the Finnish national supplement to the EU General Data Protection Regulation (Regulation (EU) 2016/679). The Act entered into force on 1 January 2019 + repealed the prior Personal Data Act (523/1999). The Act covers the national-level derogations + supplements permitted by GDPR including: (a) lawful basis under public-interest task + official authority for public authorities and statutorily-tasked private entities (Section 4); (b) processing of PERSONAL IDENTITY CODES (Henkilotunnus) - the Finnish national identifier - with strict purpose limitation + need for identification (Section 29); (c) SPECIAL CATEGORIES of personal data with derogations for employment + social security + professional secrecy + research + statistics + archiving + health + occupational safety (Section 6); (d) PROCESSING OF CRIMINAL OFFENCES DATA per Section 7 + the Criminal Records Act; (e) DATA PROTECTION OMBUDSMAN (Tietosuojavaltuutettu) as the supervisory authority with Sanctions Collegium (Seuraamuskollegio) for administrative fines (Sections 8-13); (f) DEROGATIONS from the right of access + rights of data subjects for scientific or historical research purposes + statistical purposes + archiving purposes in the public interest (Section 31); (g) JOURNALISTIC + ACADEMIC + ARTISTIC + LITERARY EXEMPTIONS (Section 27 + Constitution Section 12 freedom of expression); (h) BILINGUAL TRANSPARENCY (Finnish + Swedish per Constitution Section 17 + Language Act 423/2003) for data subject information notices. SECTORAL COORDINATION: the Tietosuojalaki coordinates with the ACT ON PRIVACY IN WORKING LIFE (Laki yksityisyyden suojasta tyoelamassa, 759/2004) for employee data + workplace monitoring + email inspection; the INFORMATION SOCIETY CODE (Sahkoisen viestinnan palveluista annettu laki, SVTSL 917/2014) for cookies + ePrivacy + electronic-marketing (consent + technical-necessity exemption); the ACT ON ELECTRONIC COMMUNICATIONS SERVICES; the Public Information Disclosure Act; and the new Cybersecurity Act 2024 implementing EU NIS2. ENFORCEMENT: Data Protection Ombudsman + 3-member SANCTIONS COLLEGIUM may impose administrative fines up to 4% of global annual turnover or EUR 20 million (whichever higher) - PUBLIC authorities are exempt from administrative fines under Section 24. APPEALS: to the Administrative Court within 30 days. 2024-2025 PRIORITIES: AI Act interplay + cross-border enforcement under GDPR one-stop-shop + Nordic data-protection coordination (Nordic-Baltic Working Group on Data Protection).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

Finland DPA: Bilingual Transparency, Data Subject Rights Coordination with GDPR + Children

1 controls
Controls in the Finland DPA: Bilingual Transparency, Data Subject Rights Coordination with GDPR + Children domain of Finland Data Protection Act (Tietosuojalaki, 1050/2018)1 controls
CodeTitle
FiDPA-Bilingual-Rights-ChildrenBilingual Transparency, Data Subject Rights Coordination with GDPR + Children

Finland DPA: Data Protection Ombudsman (Tietosuojavaltuutettu) and Supervisory Authority

1 controls
Controls in the Finland DPA: Data Protection Ombudsman (Tietosuojavaltuutettu) and Supervisory Authority domain of Finland Data Protection Act (Tietosuojalaki, 1050/2018)1 controls
CodeTitle
FiDPA-TietosuojavaltuutettuData Protection Ombudsman (Tietosuojavaltuutettu) - Supervisory Authority

Finland DPA: Lawful Basis, Personal Identity Code (Henkilotunnus) and Special Categories

2 controls
Controls in the Finland DPA: Lawful Basis, Personal Identity Code (Henkilotunnus) and Special Categories domain of Finland Data Protection Act (Tietosuojalaki, 1050/2018)2 controls
CodeTitle
FiDPA-LawfulBasis-IdCodeLawful Basis Under Public Interest + Personal Identity Code (Henkilotunnus) (Section 4-5, 29)
FiDPA-SpecialCategories-CriminalDataSpecial Categories of Personal Data + Criminal Offences Data (Sections 6-7)

Finland DPA: Sanctions Collegium, Administrative Fines and Enforcement

1 controls
Controls in the Finland DPA: Sanctions Collegium, Administrative Fines and Enforcement domain of Finland Data Protection Act (Tietosuojalaki, 1050/2018)1 controls
CodeTitle
FiDPA-SanctionsCollegiumSanctions Collegium (Seuraamuskollegio) and Administrative Fines

Finland DPA: Scope, Application, Definitions and Sectoral Coordination

1 controls
Controls in the Finland DPA: Scope, Application, Definitions and Sectoral Coordination domain of Finland Data Protection Act (Tietosuojalaki, 1050/2018)1 controls
CodeTitle
FiDPA-Ch1-Scope-DefsChapter 1 - Scope, Application and Definitions (Tietosuojalaki Sections 1-3)

Finland DPA: Sectoral Acts (Working Life 759/2004, SVTSL 917/2014, Cybersecurity Act 2024)

3 controls
Controls in the Finland DPA: Sectoral Acts (Working Life 759/2004, SVTSL 917/2014, Cybersecurity Act 2024) domain of Finland Data Protection Act (Tietosuojalaki, 1050/2018)3 controls
CodeTitle
FiDPA-Coord-GDPR-NIS2-DSACoordination with GDPR, NIS2, DSA, DGA, eIDAS and EU Framework
FiDPA-Sectoral-SVTSL-Cyber2024Sectoral Acts - SVTSL (917/2014), Cybersecurity Act 2024, Information Society Code
FiDPA-Status-AIAct-NordicImplementation Status, EU AI Act Interplay, Nordic-Baltic Coordination

Finland DPA: Specific Processing Situations (Journalism, Research, Working Life, Public Sector)

2 controls
Controls in the Finland DPA: Specific Processing Situations (Journalism, Research, Working Life, Public Sector) domain of Finland Data Protection Act (Tietosuojalaki, 1050/2018)2 controls
CodeTitle
FiDPA-SpecificProcessingSpecific Processing Situations - Journalism, Research, Statistics, Public Sector (Sections 27, 31, 32, 33)
FiDPA-WorkingLifeActAct on Privacy in Working Life (759/2004) - Workplace Monitoring + Email Inspection

Frequently Asked Questions

What is Finland Data Protection Act (Tietosuojalaki, 1050/2018)?

Finland Data Protection Act (Tietosuojalaki, 1050/2018) is a compliance framework from Finland with 7 domains and 11 controls. The Finland Data Protection Act (Tietosuojalaki, 1050/2018) is the Finnish national supplement to the EU General Data Protection Regulation (Regulation (EU) 2016/679). The Act entered into force on 1 January 2019 + repealed the prior Personal Data Act (523/1999). The Act covers the national-level derogations + supplements permitted by GDPR including: (a) lawful basis under public-interest task + official authority for public authorities and statutorily-tasked private entities (Section 4); (b) processing of PERSONAL IDENTITY CODES (Henkilotunnus) - the Finnish national identifier - with strict purpose limitation + need for identification (Section 29); (c) SPECIAL CATEGORIES of personal data with derogations for employment + social security + professional secrecy + research + statistics + archiving + health + occupational safety (Section 6); (d) PROCESSING OF CRIMINAL OFFENCES DATA per Section 7 + the Criminal Records Act; (e) DATA PROTECTION OMBUDSMAN (Tietosuojavaltuutettu) as the supervisory authority with Sanctions Collegium (Seuraamuskollegio) for administrative fines (Sections 8-13); (f) DEROGATIONS from the right of access + rights of data subjects for scientific or historical research purposes + statistical purposes + archiving purposes in the public interest (Section 31); (g) JOURNALISTIC + ACADEMIC + ARTISTIC + LITERARY EXEMPTIONS (Section 27 + Constitution Section 12 freedom of expression); (h) BILINGUAL TRANSPARENCY (Finnish + Swedish per Constitution Section 17 + Language Act 423/2003) for data subject information notices. SECTORAL COORDINATION: the Tietosuojalaki coordinates with the ACT ON PRIVACY IN WORKING LIFE (Laki yksityisyyden suojasta tyoelamassa, 759/2004) for employee data + workplace monitoring + email inspection; the INFORMATION SOCIETY CODE (Sahkoisen viestinnan palveluista annettu laki, SVTSL 917/2014) for cookies + ePrivacy + electronic-marketing (consent + technical-necessity exemption); the ACT ON ELECTRONIC COMMUNICATIONS SERVICES; the Public Information Disclosure Act; and the new Cybersecurity Act 2024 implementing EU NIS2. ENFORCEMENT: Data Protection Ombudsman + 3-member SANCTIONS COLLEGIUM may impose administrative fines up to 4% of global annual turnover or EUR 20 million (whichever higher) - PUBLIC authorities are exempt from administrative fines under Section 24. APPEALS: to the Administrative Court within 30 days. 2024-2025 PRIORITIES: AI Act interplay + cross-border enforcement under GDPR one-stop-shop + Nordic data-protection coordination (Nordic-Baltic Working Group on Data Protection). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Finland Data Protection Act (Tietosuojalaki, 1050/2018) have?

Finland Data Protection Act (Tietosuojalaki, 1050/2018) has 11 controls organised across 7 domains. The largest domains are Finland DPA: Sectoral Acts (Working Life 759/2004, SVTSL 917/2014, Cybersecurity Act 2024) (3 controls), Finland DPA: Lawful Basis, Personal Identity Code (Henkilotunnus) and Special Categories (2 controls), Finland DPA: Specific Processing Situations (Journalism, Research, Working Life, Public Sector) (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Finland Data Protection Act (Tietosuojalaki, 1050/2018) map to?

Finland Data Protection Act (Tietosuojalaki, 1050/2018) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Finland Data Protection Act (Tietosuojalaki, 1050/2018) compliance?

Start your Finland Data Protection Act (Tietosuojalaki, 1050/2018) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Finland Data Protection Act (Tietosuojalaki, 1050/2018) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 11 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required